@pbadenski
Last active February 21, 2023 10:52
OAuth2 authentication for the Zipkin web UI using oauth2_proxy

Tech: nginx + oauth2_proxy

  1. Install oauth2_proxy (https://github.com/bitly/oauth2_proxy):

    $ go get github.com/bitly/oauth2_proxy
    
  2. Set up your favourite OAuth2 provider (see https://github.com/bitly/oauth2_proxy for detailed instructions)

  3. Run:

    $ oauth2_proxy --client-id=CLIENT_ID --client-secret=CLIENT_SECRET --cookie-secret=COOKIE_SECRET --email-domain=pricingmonkey.com
    
  4. Change your nginx.conf to match this gist (or just copy-paste if doing this from scratch).

  5. Make sure these variables match your configuration:

  • oauth2_proxy_uri
  • upstream_uri

Known limitations

  • no visible log out link (user will be logged out when they navigate to: http://ZIPKIN_URL/oauth2/sign_in).
  • auth_request does not support conditional authentication. We need this to allow unauthenticated insertion of spans (POST api/v1/span). I hacked around it, but this clearly increases complexity. (Source: https://stackoverflow.com/questions/29210428/nginx-optional-auth-request)
nginx.conf

    server {
        listen 80;
        # adjust these two to match your deployment
        set $oauth2_proxy_uri 127.0.0.1:4180;
        set $upstream_uri 127.0.0.1:9411;

        # oauth2_proxy's own endpoints (sign_in, callback, auth, ...)
        location /oauth2/ {
            proxy_pass http://$oauth2_proxy_uri;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Scheme $scheme;
            proxy_set_header X-Auth-Request-Redirect $request_uri;
        }

        # subrequest target used by auth_request; not reachable from outside
        location /__auth {
            internal;
            proxy_pass http://$oauth2_proxy_uri/oauth2/auth;
        }

        # POST (span insertion) goes straight to Zipkin; every other method
        # is rewritten to the internal /_auth location, which enforces login
        location / {
            if ($request_method != POST) {
                rewrite ^(.*)$ /_auth$1 last;
            }
            proxy_pass http://$upstream_uri;
            proxy_connect_timeout 300;
        }

        location ~ /_auth(.*) {
            internal;
            set $actual_path $1;
            auth_request /__auth;
            error_page 401 = /oauth2/sign_in;
            # pass information via X-User and X-Email headers to backend,
            # requires running with --set-xauthrequest flag
            auth_request_set $user $upstream_http_x_auth_request_user;
            auth_request_set $email $upstream_http_x_auth_request_email;
            proxy_set_header X-User $user;
            proxy_set_header X-Email $email;
            # if you enabled --cookie-refresh, this is needed for it to work with auth_request
            auth_request_set $auth_cookie $upstream_http_set_cookie;
            add_header Set-Cookie $auth_cookie;
            # re-assemble the original path (captured above) and query string
            proxy_pass http://$upstream_uri$actual_path/?$query_string;
            proxy_connect_timeout 300;
        }
    }
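To make the routing rules of this nginx.conf and the conditional-auth limitation concrete, here is an added Python model (example code, not part of the gist): it reproduces the method gate, the rewrite/capture and the upstream URI that `proxy_pass` builds, beside a tighter gate that exempts only POSTs to Zipkin's span collector path, assumed here to be `/api/v1/spans` (the gist writes it as `api/v1/span`).

```python
import re

# Constructed model of the gist's nginx routing (not the gist's own code).
# location /: POST is proxied unauthenticated, every other method is
# rewritten to /_auth<uri> and passes through auth_request first.
AUTH_EXEMPT_METHODS = {"POST"}

def gist_route(method: str, request_uri: str) -> dict:
    """Return whether auth_request runs and the URI nginx sends upstream."""
    # rewrite works on $uri (no query); $query_string is re-appended later
    path, _, query = request_uri.partition("?")
    if method.upper() in AUTH_EXEMPT_METHODS:
        # location /: proxy_pass http://$upstream_uri; URI untouched
        return {"auth": False, "upstream_uri": request_uri}
    # rewrite ^(.*)$ /_auth$1 last;  then  location ~ /_auth(.*) captures $1
    actual_path = re.match(r"/_auth(.*)", "/_auth" + path).group(1)
    # proxy_pass http://$upstream_uri$actual_path/?$query_string;
    # the "/" and "?" are emitted literally, even when the query is empty
    return {"auth": True, "upstream_uri": f"{actual_path}/?{query}"}

# Assumed Zipkin v1 collector endpoint; the only request that needs to
# bypass login is span insertion, not arbitrary POSTs to the UI.
SPAN_INGEST = re.compile(r"^/api/v1/spans$")

def strict_route(method: str, request_uri: str) -> dict:
    """Tighter gate: only POST to the span collector skips auth_request.

    In nginx this corresponds to a dedicated `location = /api/v1/spans`
    that proxies directly and uses `limit_except POST { deny all; }`,
    while `location /` always runs auth_request.
    """
    path = request_uri.partition("?")[0]
    if method.upper() == "POST" and SPAN_INGEST.match(path):
        return {"auth": False, "upstream_uri": request_uri}
    return {"auth": True, "upstream_uri": request_uri}

if __name__ == "__main__":
    for m, u in [("GET", "/zipkin/traces?serviceName=web"),
                 ("POST", "/api/v1/spans"), ("POST", "/zipkin/")]:
        print(m, u, "gist:", gist_route(m, u), "strict:", strict_route(m, u))
```

Running it shows that the gist's gate lets any POST through unauthenticated, not only span insertion, and that the re-assembled upstream URI always carries a trailing `/?`.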