From afef9c758893ab16cdc9e8ebbaf57009409e208d Mon Sep 17 00:00:00 2001
From: Joel Speed <joel.speed@hotmail.co.uk>
Date: Thu, 7 May 2020 22:59:43 +0100
Subject: [PATCH] Add nginx test environment to demonstrate protecting multiple
 subdomains

---
 Makefile                                      |  5 ++
 contrib/local-environment/Makefile            |  8 ++
 contrib/local-environment/dex.yaml            |  4 +-
 .../docker-compose-nginx.yaml                 | 43 ++++++++++
 contrib/local-environment/nginx.conf          | 84 +++++++++++++++++++
 .../local-environment/oauth2-proxy-nginx.cfg  | 12 +++
 contrib/local-environment/oauth2-proxy.cfg    |  3 +-
 7 files changed, 157 insertions(+), 2 deletions(-)
 create mode 100644 contrib/local-environment/docker-compose-nginx.yaml
 create mode 100644 contrib/local-environment/nginx.conf
 create mode 100644 contrib/local-environment/oauth2-proxy-nginx.cfg

diff --git a/Makefile b/Makefile
index a2712ff..ba58b35 100644
--- a/Makefile
+++ b/Makefile
@@ -88,6 +88,11 @@ validate-go-version:
 	fi
 
 # local-env can be used to interact with the local development environment
+# eg:
+#    make local-env-up 					# Bring up a basic test environment
+#    make local-env-down 				# Tear down the basic test environment
+#    make local-env-nginx-up 		# Bring up an nginx based test environment
+#    make local-env-nginx-down 	# Tead down the nginx based test environment
 .PHONY: local-env-%
 local-env-%:
 	make -C contrib/local-environment $*
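Review bot: The last added comment line has a typo, "Tead down", which should read `#    make local-env-nginx-down   # Tear down the nginx based test environment`. The four example lines also pad the trailing comments with a mix of tabs and spaces, so the columns only line up at one tab width; aligning them with spaces keeps the block readable in any editor. The `local-env-%` rule itself is unchanged by this hunk.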
diff --git a/contrib/local-environment/Makefile b/contrib/local-environment/Makefile
index 3b26b68..0cfeaa6 100644
--- a/contrib/local-environment/Makefile
+++ b/contrib/local-environment/Makefile
@@ -5,3 +5,11 @@ up:
 .PHONY: %
 %:
 	docker-compose $*
+
+.PHONY: nginx-up
+nginx-up:
+	docker-compose -f docker-compose.yaml -f docker-compose-nginx.yaml up -d
+
+.PHONY: nginx-%
+nginx-%:
+	docker-compose -f docker-compose.yaml -f docker-compose-nginx.yaml $*
diff --git a/contrib/local-environment/dex.yaml b/contrib/local-environment/dex.yaml
index 3494630..40a8bed 100644
--- a/contrib/local-environment/dex.yaml
+++ b/contrib/local-environment/dex.yaml
@@ -18,7 +18,9 @@ expiry:
 staticClients:
 - id: oauth2-proxy
   redirectURIs:
-  - 'http://localhost:4180/oauth2/callback'
+  # These redirect URIs point to the `--redirect-url` for OAuth2 proxy.
+  - 'http://localhost:4180/oauth2/callback' # For basic proxy example.
+  - 'http://oauth2-proxy.oauth2-proxy.localhost/oauth2/callback' # For nginx example.
   name: 'OAuth2 Proxy'
   secret: b2F1dGgyLXByb3h5LWNsaWVudC1zZWNyZXQK
 enablePasswordDB: true
diff --git a/contrib/local-environment/docker-compose-nginx.yaml b/contrib/local-environment/docker-compose-nginx.yaml
new file mode 100644
index 0000000..af6c587
--- /dev/null
+++ b/contrib/local-environment/docker-compose-nginx.yaml
@@ -0,0 +1,43 @@
+# This docker-compose file can be used to bring up an example instance of oauth2-proxy
+# for manual testing and exploration of features.
+# Alongside OAuth2-Proxy, this file also starts Dex to act as the identity provider,
+# etcd for storage for Dex, nginx as a reverse proxy and other http services for upstreams
+#
+# This file is an extension of the main compose file and must be used with it
+#    docker-compose -f docker-compose.yaml -f docker-compose-nginx.yaml <command>
+# Alternatively:
+#    make nginx-<command> (eg make nginx-up, make nginx-down)
+#
+# Access one of the following URLs to initiate a login flow:
+#    - http://oauth2-proxy.localhost
+#    - http://httpbin.oauth2-proxy.localhost
+#
+# The OAuth2 Proxy itself is hosted at http://oauth2-proxy.oauth2-proxy.localhost
+#
+# Note, the above URLs should work with Chrome, but you may need to add hosts
+# entries for other browsers
+#    127.0.0.1 oauth2-proxy.localhost
+#    127.0.0.1 httpbin.oauth2-proxy.localhost
+#    127.0.0.1 oauth2-proxy.oauth2-proxy.localhost
+version: '3.0'
+services:
+  oauth2-proxy:
+    ports: []
+    hostname: oauth2-proxy
+    volumes:
+      - "./oauth2-proxy-nginx.cfg:/oauth2-proxy.cfg"
+    networks:
+      oauth2-proxy: {}
+  nginx:
+    container_name: nginx
+    image: nginx:1.18
+    ports:
+      - 80:80/tcp
+    hostname: nginx
+    volumes:
+      - "./nginx.conf:/etc/nginx/conf.d/default.conf"
+    networks:
+      oauth2-proxy: {}
+      httpbin: {}
+networks:
+  oauth2-proxy: {}
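Review bot: `ports: []` under `services.oauth2-proxy` does not remove the port mapping inherited from the base docker-compose.yaml, because docker-compose merges multi-value options such as `ports` by concatenating the lists rather than replacing them; if the intent is for oauth2-proxy to be reachable only through nginx, that base mapping stays published and this entry is a no-op, so it should either be dropped or the base file adjusted. The `httpbin` network that nginx joins is not declared in this file's top-level `networks:`, so it presumably comes from the base file — worth confirming so a standalone `-f docker-compose-nginx.yaml` invocation fails clearly. Both config bind mounts can be read-only, e.g. `- "./nginx.conf:/etc/nginx/conf.d/default.conf:ro"` and `- "./oauth2-proxy-nginx.cfg:/oauth2-proxy.cfg:ro"`, so neither container can modify its own configuration on the host.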
diff --git a/contrib/local-environment/nginx.conf b/contrib/local-environment/nginx.conf
new file mode 100644
index 0000000..877c213
--- /dev/null
+++ b/contrib/local-environment/nginx.conf
@@ -0,0 +1,84 @@
+# Reverse proxy to oauth2-proxy
+server {
+  listen       80;
+  server_name  oauth2-proxy.oauth2-proxy.localhost;
+
+  location / {
+    proxy_set_header Host       $host;
+    proxy_set_header X-Real-IP  $remote_addr;
+
+    proxy_pass http://oauth2-proxy:4180/;
+  }
+}
+
+# Reverse proxy to httpbin
+server {
+  listen      80;
+  server_name httpbin.oauth2-proxy.localhost;
+
+  auth_request /internal-auth/oauth2/auth;
+
+  # If the auth_request denies the request (401), redirect to the sign_in page
+  # and include the final rd URL back to the user's original request.
+  error_page 401 = http://oauth2-proxy.oauth2-proxy.localhost/oauth2/sign_in?rd=$scheme://$host$request_uri;
+
+  # Alternatively send the request to `start` to skip the provider button
+  # error_page 401 = http://oauth2-proxy.oauth2-proxy.localhost/oauth2/start?rd=$scheme://$host$request_uri;
+
+  location / {
+    proxy_pass http://httpbin/;
+  }
+
+  # auth_request must be a URI so this allows an internal path to then proxy to
+  # the real auth_request path.
+  # The trailing /'s are required so that nginx strips the prefix before proxying.
+  location /internal-auth/ {
+    internal; # Ensure external users can't access this path
+
+    # Make sure the OAuth2 Proxy knows where the original request came from.
+    proxy_set_header Host       $host;
+    proxy_set_header X-Real-IP  $remote_addr;
+
+    proxy_pass http://oauth2-proxy:4180/;
+  }
+}
+
+# Statically serve the nginx welcome
+server {
+  listen       80;
+  server_name  oauth2-proxy.localhost;
+
+  location / {
+    auth_request /internal-auth/oauth2/auth;
+
+    # If the auth_request denies the request (401), redirect to the sign_in page
+    # and include the final rd URL back to the user's original request.
+    error_page 401 = http://oauth2-proxy.oauth2-proxy.localhost/oauth2/sign_in?rd=$scheme://$host$request_uri;
+
+    # Alternatively send the request to `start` to skip the provider button
+    # error_page 401 = http://oauth2-proxy.oauth2-proxy.localhost/oauth2/start?rd=$scheme://$host$request_uri;
+
+
+    root   /usr/share/nginx/html;
+    index  index.html index.htm;
+  }
+
+  # redirect server error pages to the static page /50x.html
+  error_page   500 502 503 504  /50x.html;
+  location = /50x.html {
+    root   /usr/share/nginx/html;
+  }
+
+  # auth_request must be a URI so this allows an internal path to then proxy to
+  # the real auth_request path.
+  # The trailing /'s are required so that nginx strips the prefix before proxying.
+  location /internal-auth/ {
+    internal; # Ensure external users can't access this path
+
+    # Make sure the OAuth2 Proxy knows where the original request came from.
+    proxy_set_header Host       $host;
+    proxy_set_header X-Real-IP  $remote_addr;
+
+    proxy_pass http://oauth2-proxy:4180/;
+  }
+}
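Review bot: The two `location /internal-auth/` blocks (in the httpbin server and the oauth2-proxy.localhost server) forward the client's request body to oauth2-proxy's auth endpoint on every auth subrequest, which is unnecessary and is what the auth_request module documentation advises against; add `proxy_pass_request_body off;` and `proxy_set_header Content-Length "";` alongside the existing `proxy_set_header` lines in both. Since the auth subrequest only carries `Host` and `X-Real-IP`, oauth2-proxy sees no `X-Forwarded-Proto`; that is harmless here because everything is plain http, but a comment noting that a TLS deployment would need `proxy_set_header X-Forwarded-Proto $scheme;` would stop the example being copied as-is. In the httpbin server block `auth_request` is set at server scope rather than in `location /` as in the third server; making the two blocks consistent (either both server-scoped or both location-scoped) avoids readers wondering whether the difference is deliberate.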
diff --git a/contrib/local-environment/oauth2-proxy-nginx.cfg b/contrib/local-environment/oauth2-proxy-nginx.cfg
new file mode 100644
index 0000000..6ba5623
--- /dev/null
+++ b/contrib/local-environment/oauth2-proxy-nginx.cfg
@@ -0,0 +1,12 @@
+http_address="0.0.0.0:4180"
+cookie_secret="OQINaROshtE9TcZkNAm-5Zs2Pv3xaWytBmc5W7sPX7w="
+provider="oidc"
+email_domains="example.com"
+oidc_issuer_url="http://dex.localhost:4190/dex"
+client_secret="b2F1dGgyLXByb3h5LWNsaWVudC1zZWNyZXQK"
+client_id="oauth2-proxy"
+cookie_secure="false"
+
+redirect_url="http://oauth2-proxy.oauth2-proxy.localhost/oauth2/callback"
+cookie_domain=".oauth2-proxy.localhost" # Required so cookie can be read on all subdomains.
+whitelist_domains=".oauth2-proxy.localhost" # Required to allow redirection back to original requested target.
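Review bot: nginx sets `X-Real-IP` in both auth locations, but this config never enables `reverse_proxy="true"`, so oauth2-proxy (assuming the version in use has that option) will ignore the forwarded address and record nginx's container address as the client in its logs; add it next to `http_address`. The file also repeats every line of oauth2-proxy.cfg except the last three, which invites the two examples drifting apart — a header comment stating that only `redirect_url`, `cookie_domain` and `whitelist_domains` intentionally differ would make that relationship explicit. The leading-dot `whitelist_domains=".oauth2-proxy.localhost"` admits every subdomain, which is the stated purpose; the comment could spell out that this is what keeps the `rd` redirect from being open to arbitrary hosts.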
diff --git a/contrib/local-environment/oauth2-proxy.cfg b/contrib/local-environment/oauth2-proxy.cfg
index beb8c90..7ee55d8 100644
--- a/contrib/local-environment/oauth2-proxy.cfg
+++ b/contrib/local-environment/oauth2-proxy.cfg
@@ -1,5 +1,4 @@
 http_address="0.0.0.0:4180"
-redirect_url="http://localhost:4180/oauth2/callback"
 cookie_secret="OQINaROshtE9TcZkNAm-5Zs2Pv3xaWytBmc5W7sPX7w="
 provider="oidc"
 email_domains="example.com"
@@ -7,4 +6,6 @@ oidc_issuer_url="http://dex.localhost:4190/dex"
 client_secret="b2F1dGgyLXByb3h5LWNsaWVudC1zZWNyZXQK"
 client_id="oauth2-proxy"
 cookie_secure="false"
+
+redirect_url="http://localhost:4180/oauth2/callback"
 upstreams="http://httpbin"
-- 
GitLab