Skip to content
Snippets Groups Projects
Unverified Commit afef9c75 authored by Joel Speed's avatar Joel Speed
Browse files

Add nginx test environment to demonstrate protecting multiple subdomains

parent 0ccfc73a
Branches
No related tags found
No related merge requests found
...@@ -88,6 +88,11 @@ validate-go-version: ...@@ -88,6 +88,11 @@ validate-go-version:
fi fi
# local-env can be used to interact with the local development environment # local-env can be used to interact with the local development environment
# eg:
# make local-env-up # Bring up a basic test environment
# make local-env-down # Tear down the basic test environment
# make local-env-nginx-up # Bring up an nginx based test environment
# make local-env-nginx-down # Tead down the nginx based test environment
.PHONY: local-env-% .PHONY: local-env-%
local-env-%: local-env-%:
make -C contrib/local-environment $* make -C contrib/local-environment $*
...@@ -5,3 +5,11 @@ up: ...@@ -5,3 +5,11 @@ up:
.PHONY: % .PHONY: %
%: %:
docker-compose $* docker-compose $*
.PHONY: nginx-up
nginx-up:
docker-compose -f docker-compose.yaml -f docker-compose-nginx.yaml up -d
.PHONY: nginx-%
nginx-%:
docker-compose -f docker-compose.yaml -f docker-compose-nginx.yaml $*
...@@ -18,7 +18,9 @@ expiry: ...@@ -18,7 +18,9 @@ expiry:
staticClients: staticClients:
- id: oauth2-proxy - id: oauth2-proxy
redirectURIs: redirectURIs:
- 'http://localhost:4180/oauth2/callback' # These redirect URIs point to the `--redirect-url` for OAuth2 proxy.
- 'http://localhost:4180/oauth2/callback' # For basic proxy example.
- 'http://oauth2-proxy.oauth2-proxy.localhost/oauth2/callback' # For nginx example.
name: 'OAuth2 Proxy' name: 'OAuth2 Proxy'
secret: b2F1dGgyLXByb3h5LWNsaWVudC1zZWNyZXQK secret: b2F1dGgyLXByb3h5LWNsaWVudC1zZWNyZXQK
enablePasswordDB: true enablePasswordDB: true
......
# This docker-compose file can be used to bring up an example instance of oauth2-proxy
# for manual testing and exploration of features.
# Alongside OAuth2-Proxy, this file also starts Dex to act as the identity provider,
# etcd for storage for Dex, nginx as a reverse proxy and other http services for upstreams
#
# This file is an extension of the main compose file and must be used with it
# docker-compose -f docker-compose.yaml -f docker-compose-nginx.yaml <command>
# Alternatively:
# make nginx-<command> (eg make nginx-up, make nginx-down)
#
# Access one of the following URLs to initiate a login flow:
# - http://oauth2-proxy.localhost
# - http://httpbin.oauth2-proxy.localhost
#
# The OAuth2 Proxy itself is hosted at http://oauth2-proxy.oauth2-proxy.localhost
#
# Note, the above URLs should work with Chrome, but you may need to add hosts
# entries for other browsers
# 127.0.0.1 oauth2-proxy.localhost
# 127.0.0.1 httpbin.oauth2-proxy.localhost
# 127.0.0.1 oauth2-proxy.oauth2-proxy.localhost
version: '3.0'
services:
oauth2-proxy:
ports: []
hostname: oauth2-proxy
volumes:
- "./oauth2-proxy-nginx.cfg:/oauth2-proxy.cfg"
networks:
oauth2-proxy: {}
nginx:
container_name: nginx
image: nginx:1.18
ports:
- 80:80/tcp
hostname: nginx
volumes:
- "./nginx.conf:/etc/nginx/conf.d/default.conf"
networks:
oauth2-proxy: {}
httpbin: {}
networks:
oauth2-proxy: {}
# Reverse proxy to oauth2-proxy
server {
listen 80;
server_name oauth2-proxy.oauth2-proxy.localhost;
location / {
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_pass http://oauth2-proxy:4180/;
}
}
# Reverse proxy to httpbin
server {
listen 80;
server_name httpbin.oauth2-proxy.localhost;
auth_request /internal-auth/oauth2/auth;
# If the auth_request denies the request (401), redirect to the sign_in page
# and include the final rd URL back to the user's original request.
error_page 401 = http://oauth2-proxy.oauth2-proxy.localhost/oauth2/sign_in?rd=$scheme://$host$request_uri;
# Alternatively send the request to `start` to skip the provider button
# error_page 401 = http://oauth2-proxy.oauth2-proxy.localhost/oauth2/start?rd=$scheme://$host$request_uri;
location / {
proxy_pass http://httpbin/;
}
# auth_request must be a URI so this allows an internal path to then proxy to
# the real auth_request path.
# The trailing /'s are required so that nginx strips the prefix before proxying.
location /internal-auth/ {
internal; # Ensure external users can't access this path
# Make sure the OAuth2 Proxy knows where the original request came from.
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_pass http://oauth2-proxy:4180/;
}
}
# Statically serve the nginx welcome
server {
listen 80;
server_name oauth2-proxy.localhost;
location / {
auth_request /internal-auth/oauth2/auth;
# If the auth_request denies the request (401), redirect to the sign_in page
# and include the final rd URL back to the user's original request.
error_page 401 = http://oauth2-proxy.oauth2-proxy.localhost/oauth2/sign_in?rd=$scheme://$host$request_uri;
# Alternatively send the request to `start` to skip the provider button
# error_page 401 = http://oauth2-proxy.oauth2-proxy.localhost/oauth2/start?rd=$scheme://$host$request_uri;
root /usr/share/nginx/html;
index index.html index.htm;
}
# redirect server error pages to the static page /50x.html
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root /usr/share/nginx/html;
}
# auth_request must be a URI so this allows an internal path to then proxy to
# the real auth_request path.
# The trailing /'s are required so that nginx strips the prefix before proxying.
location /internal-auth/ {
internal; # Ensure external users can't access this path
# Make sure the OAuth2 Proxy knows where the original request came from.
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_pass http://oauth2-proxy:4180/;
}
}
http_address="0.0.0.0:4180"
cookie_secret="OQINaROshtE9TcZkNAm-5Zs2Pv3xaWytBmc5W7sPX7w="
provider="oidc"
email_domains="example.com"
oidc_issuer_url="http://dex.localhost:4190/dex"
client_secret="b2F1dGgyLXByb3h5LWNsaWVudC1zZWNyZXQK"
client_id="oauth2-proxy"
cookie_secure="false"
redirect_url="http://oauth2-proxy.oauth2-proxy.localhost/oauth2/callback"
cookie_domain=".oauth2-proxy.localhost" # Required so cookie can be read on all subdomains.
whitelist_domains=".oauth2-proxy.localhost" # Required to allow redirection back to original requested target.
http_address="0.0.0.0:4180" http_address="0.0.0.0:4180"
redirect_url="http://localhost:4180/oauth2/callback"
cookie_secret="OQINaROshtE9TcZkNAm-5Zs2Pv3xaWytBmc5W7sPX7w=" cookie_secret="OQINaROshtE9TcZkNAm-5Zs2Pv3xaWytBmc5W7sPX7w="
provider="oidc" provider="oidc"
email_domains="example.com" email_domains="example.com"
...@@ -7,4 +6,6 @@ oidc_issuer_url="http://dex.localhost:4190/dex" ...@@ -7,4 +6,6 @@ oidc_issuer_url="http://dex.localhost:4190/dex"
client_secret="b2F1dGgyLXByb3h5LWNsaWVudC1zZWNyZXQK" client_secret="b2F1dGgyLXByb3h5LWNsaWVudC1zZWNyZXQK"
client_id="oauth2-proxy" client_id="oauth2-proxy"
cookie_secure="false" cookie_secure="false"
redirect_url="http://localhost:4180/oauth2/callback"
upstreams="http://httpbin" upstreams="http://httpbin"
0% Loading or .
You are about to add 0 people to the discussion. Proceed with caution.
Please register or to comment