@lamanotrama
Created January 13, 2016 05:45
A sample of oauth2_proxy + nginx auth_request
# please include in server context
# ref: https://github.com/bitly/oauth2_proxy#endpoint-documentation
# for checking login status.
# only returns a 202 Accepted response or a 401 Unauthorized response;
location = /oauth2/auth {
  internal;
  # return 202 if local request, for infrataster test
  # note: these addresses skip oauth2_proxy entirely, so keep the list to hosts you control
  set $local 0;
  if ($remote_addr = "127.0.0.1") { set $local 1; }
  if ($remote_addr ~* "^172\.17\.") { set $local 1; }
  if ($remote_addr ~* "^192\.168") { set $local 1; }
  if ($local = 1) { return 202; }
  proxy_pass http://127.0.0.1:4190;
  proxy_set_header Host $host;
  proxy_pass_request_body off;
  proxy_set_header Content-Length "";
}
# to start oauth cycle
location = /oauth2/start {
  internal;
  proxy_pass http://127.0.0.1:4190;
  proxy_set_header Host $host;
  proxy_pass_request_body off;
  proxy_set_header Content-Length "";
}
# to complete oauth cycle
location = /oauth2/callback {
  auth_request off;
  proxy_pass http://127.0.0.1:4190;
  proxy_set_header Host $host;
}
@lamanotrama (Author)

oauth2_enable.conf

# please include in location context

satisfy any;

auth_request /oauth2/auth;
error_page 401 = /oauth2/start?rd=$uri;

# add the response header if the auth passed, for infrataster test
auth_request_set $auth_status "passed";
add_header X-OAuth2-Status $auth_status always;

# allow from office without google auth
{% for net in oauth2_allowed_networks %}
allow {{ net }};
{% endfor %}
deny all;

@lamanotrama (Author)

vhost example

server {
  listen 443 ssl http2;
  server_name my.domain.com;

  include conf.d/common/oauth2_proxy.conf;

  location /secret/path {
    include conf.d/common/oauth2_enable.conf;
    proxy_pass http://backend;
  }

  location / {
    proxy_pass http://backend;
  }
}
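The access decision these three snippets produce is easy to misread, so here is an added model of it in plain Python (not part of the gist): it reproduces how `satisfy any` combines the allow/deny list in oauth2_enable.conf with the auth_request subrequest to /oauth2/auth, including the local-address shortcut that answers 202 without ever asking oauth2_proxy. The office network and the oauth2_proxy verdict are constructed stand-ins, since the real values come from the template and the upstream.

```python
import ipaddress

# The three `if ($remote_addr ...)` tests in `location = /oauth2/auth`
# (the gist's shortcut for local/infrataster traffic), as networks.
LOCAL_NETS = [ipaddress.ip_network(n) for n in
              ("127.0.0.1/32", "172.17.0.0/16", "192.168.0.0/16")]


def auth_subrequest(remote_addr, proxy_session_valid):
    """Status code of the /oauth2/auth subrequest: 202 for addresses the
    location treats as local, otherwise what oauth2_proxy would answer.
    `proxy_session_valid` stands in for the upstream's 202/401 verdict,
    which this offline model cannot obtain."""
    addr = ipaddress.ip_address(remote_addr)
    if any(addr in net for net in LOCAL_NETS):
        return 202
    return 202 if proxy_session_valid else 401


def decide(remote_addr, uri, allowed_networks, proxy_session_valid):
    """What nginx does for `uri` in a location that includes oauth2_enable.conf.

    `satisfy any`: access is granted if EITHER the allow/deny list passes OR
    auth_request passes. nginx evaluates allow/deny first and skips the
    subrequest once the client is already allowed."""
    addr = ipaddress.ip_address(remote_addr)
    if any(addr in ipaddress.ip_network(n) for n in allowed_networks):
        # allow matched: no subrequest ran, $auth_status stays empty and
        # `add_header X-OAuth2-Status` adds nothing for an empty value.
        return {"status": 200, "x_oauth2_status": None}
    status = auth_subrequest(remote_addr, proxy_session_valid)
    if status == 202:
        # auth_request_set fires after the successful subrequest.
        return {"status": 200, "x_oauth2_status": "passed"}
    # 401 -> `error_page 401 = /oauth2/start?rd=$uri`: an internal redirect
    # whose final status comes from oauth2_proxy's /oauth2/start handler.
    return {"internal_redirect": f"/oauth2/start?rd={uri}",
            "x_oauth2_status": None}


if __name__ == "__main__":
    office = ["10.20.0.0/16"]  # constructed stand-in for oauth2_allowed_networks
    for who, ip, ok in [("office", "10.20.3.4", False),
                        ("logged in", "203.0.113.9", True),
                        ("anonymous", "203.0.113.9", False),
                        ("192.168.x, no session", "192.168.1.10", False)]:
        print(f"{who:24s} {decide(ip, '/secret/path', office, ok)}")
```

The last case is the one to notice: a client in 192.168/16 or 172.17/16 reaches the protected path with `X-OAuth2-Status: passed` even with an empty allow list and no oauth2_proxy session, so the shortcut in /oauth2/auth is a second, implicit allow list.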

@lamanotrama (Author)

memo

  • The auth endpoint hasn't been released yet, so build from master.
  • oauth2_proxy doesn't proxy anything at all here, but set some value (anything will do) for upstreams in the config; otherwise it won't start.

@glidenote

great document 💯
