@sergeyignatov
Last active March 14, 2023 16:47
zabbix oauth
```nginx
# Redirect plain HTTP to HTTPS
server {
    listen 80;
    return 301 https://zabbix.domain.com$request_uri;
}

server {
    listen 443 ssl;
    server_name zabbix zabbix.domain.com;
    access_log /var/log/nginx/zabbix.log;
    error_log /var/log/nginx/zabbix.error;
    root /var/www/zabbix/;
    ssl_certificate /etc/ssl/domain.crt;
    ssl_certificate_key /etc/ssl/domain.key;
    index index.php index.html;
    client_max_body_size 5m;
    client_body_buffer_size 128k;
    fastcgi_read_timeout 300;

    # oauth2_proxy endpoints (sign_in, callback, sign_out)
    location /oauth2/ {
        proxy_pass http://127.0.0.1:4180;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Scheme $scheme;
        proxy_set_header X-Auth-Request-Redirect $request_uri;
    }

    # The JSON-RPC API is protected with HTTP basic auth instead of OAuth
    location = /api_jsonrpc.php {
        auth_basic "Secret Files";
        auth_basic_user_file /etc/nginx/htpasswd;
        fastcgi_pass 127.0.0.1:7000;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param SCRIPT_NAME $fastcgi_script_name;
    }

    # Subrequest target used by auth_request below
    location = /oauth2/auth {
        proxy_pass http://127.0.0.1:4180;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Scheme $scheme;
        # nginx auth_request includes headers but not body
        proxy_set_header Content-Length "";
        proxy_pass_request_body off;
    }

    location ~ \.php$ {
        if ($arg_reconnect = 1) {
            return 301 /oauth2/sign_out;
        }
        # Pass the authenticated user name to PHP
        fastcgi_param PHP_AUTH_USER $user;
        auth_request /oauth2/auth;
        error_page 401 = /oauth2/sign_in;
        # Copy the X-Auth-Request-* response headers of the subrequest into variables
        auth_request_set $user $upstream_http_x_auth_request_user;
        auth_request_set $email $upstream_http_x_auth_request_email;
        # No effect here: proxy_set_header applies only to proxy_pass
        proxy_set_header X-User $user;
        proxy_set_header X-Email $email;
        fastcgi_pass 127.0.0.1:7000;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param SCRIPT_NAME $fastcgi_script_name;
    }

    location ~* \.(jpg|jpeg|png|gif|css|js|ico)$ {
        expires max;
        log_not_found off;
    }

    # Block access to dotfiles
    location ~ /\. {
        deny all;
    }
}
```
```toml
# https://github.com/bitly/oauth2_proxy
# ./oauth2_proxy -config /etc/oauth2_proxy.conf --set-xauthrequest=true
redirect_url = "https://zabbix.domain.com/oauth2/callback"
request_logging = true
client_id = "xxxx"
client_secret = "yyyyy"
upstreams = [
    "http://127.0.0.1:8080/"
]
# Placeholder: replace with a random secret
cookie_secret = "secret"
# Config-file keys use underscores (the command-line flag is -cookie-domain)
cookie_domain = "domain.com"
# Config-file form of the --set-xauthrequest flag
set_xauthrequest = true
email_domains = [
    "domain.com"
]
```
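The nginx config above relies on every location that reaches PHP carrying its own `auth_request` or `auth_basic` line, so a location added later without one bypasses the login. The following check is an added example, not part of the gist or of oauth2_proxy; the function names, the `SAMPLE` config and its `/status.php` location are hypothetical and constructed for illustration.

```python
import re

# Constructed sample (not the gist's full config): one basic-auth location,
# one auth_request location, and one PHP location with no gate at all.
SAMPLE = r"""
server {
    location = /api_jsonrpc.php {
        auth_basic "Secret Files";
        fastcgi_pass 127.0.0.1:7000;
    }
    location ~ \.php$ {
        if ($arg_reconnect = 1) {
            return 301 /oauth2/sign_out;
        }
        auth_request /oauth2/auth;
        fastcgi_pass 127.0.0.1:7000;
    }
    location = /status.php {
        fastcgi_pass 127.0.0.1:7000;
    }
}
"""

BACKEND = re.compile(r'(?:^|[;{}])\s*(?:fastcgi_pass|proxy_pass)\s')
# "auth_request off" / "auth_basic off" disable the check, so they do not count.
GATE = re.compile(r'(?:^|[;{}])\s*(?:auth_request|auth_basic)\s+(?!\s*off\b)')

def location_blocks(conf):
    """Yield (header, body) for each location block, tracking nested braces."""
    for m in re.finditer(r'\blocation\s+([^{]+?)\s*\{', conf):
        depth, i = 1, m.end()
        while depth and i < len(conf):
            depth += {'{': 1, '}': -1}.get(conf[i], 0)
            i += 1
        yield m.group(1), conf[m.end():i - 1]

def ungated_backends(conf, auth_prefix='/oauth2/'):
    """Return headers of locations that reach a backend with no auth directive.

    Only location-level directives are inspected, as in the gist; a gate
    inherited from the server block would need extra handling.
    """
    conf = re.sub(r'#.*', '', conf)  # strip comments (assumes no '#' in strings)
    return [header for header, body in location_blocks(conf)
            if BACKEND.search(body) and not GATE.search(body)
            # the proxy's own endpoints must stay reachable before login
            and not header.split()[-1].startswith(auth_prefix)]

if __name__ == '__main__':
    print(ungated_backends(SAMPLE))
```

Run against the gist's own config, the check returns an empty list: both `/oauth2/` locations are exempt by prefix and the two PHP locations are gated.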
@philthynz

Does anything in Zabbix need to be configured to get this to work?

@sergeyignatov
Author

@JBM1866

JBM1866 commented Sep 29, 2019

Where do these two files need to be added in order for this to work?

@phillip-white-jarden

The nginx config should go under '/etc/nginx/sites-enabled/' and the oauth2_proxy should go anywhere just as long as you call it from the oauth2_proxy binary.

@pakru

pakru commented Oct 11, 2019

Is there any config file for Apache?
