chore: fix local test files for nginx setup

Signed-off-by: Jan Larwig <jan@larwig.com>
This commit is contained in:
Jan Larwig 2026-04-14 13:09:29 +02:00
parent f4894b65bf
commit 0a8f45f1f7
No known key found for this signature in database
GPG Key ID: C2172BFA220A037A
5 changed files with 52 additions and 56 deletions


@ -6,7 +6,7 @@ storage:
type: etcd
config:
endpoints:
- http://etcd:2379
- http://etcd:2379
namespace: dex/
web:
http: 0.0.0.0:5556
@ -16,17 +16,18 @@ expiry:
signingKeys: "4h"
idTokens: "1h"
staticClients:
- id: oauth2-proxy
redirectURIs:
# These redirect URIs point to the `--redirect-url` for OAuth2 proxy.
- 'http://oauth2-proxy.localtest.me:4180/oauth2/callback' # For basic proxy example.
- 'http://oauth2-proxy.oauth2-proxy.localhost/oauth2/callback' # For nginx and traefik example.
name: 'OAuth2 Proxy'
secret: b2F1dGgyLXByb3h5LWNsaWVudC1zZWNyZXQK
- id: oauth2-proxy
redirectURIs:
# These redirect URIs point to the `--redirect-url` for OAuth2 proxy.
- "http://oauth2-proxy.localtest.me:4180/oauth2/callback" # For basic proxy example.
- "http://oauth2-proxy.localtest.me:8080/oauth2/callback" # For nginx example.
- "http://oauth2-proxy.oauth2-proxy.localhost/oauth2/callback" # For traefik example.
name: "OAuth2 Proxy"
secret: b2F1dGgyLXByb3h5LWNsaWVudC1zZWNyZXQK
enablePasswordDB: true
staticPasswords:
- email: "admin@example.com"
# bcrypt hash of the string "password"
hash: "$2a$10$2b2cU8CPhOTaGrs1HRQuAueS7JTT5ZHsHSzYiFPm1leZck7Mc8T4W"
username: "admin"
userID: "08a8684b-db88-4b73-90a9-3cd1661f5466"
- email: "admin@example.com"
# bcrypt hash of the string "password"
hash: "$2a$10$2b2cU8CPhOTaGrs1HRQuAueS7JTT5ZHsHSzYiFPm1leZck7Mc8T4W"
username: "admin"
userID: "08a8684b-db88-4b73-90a9-3cd1661f5466"


@ -10,7 +10,7 @@
#
# Access http://oauth2-proxy.localtest.me:4180 to initiate a login cycle using user=admin@example.com, password=password
# Access http://keycloak.localtest.me:9080 with the same credentials to check out the settings
version: '3.0'
version: "3.0"
services:
oauth2-proxy:
container_name: oauth2-proxy
@ -43,9 +43,9 @@ services:
image: keycloak/keycloak:25.0
hostname: keycloak
command:
- 'start-dev'
- '--http-port=9080'
- '--import-realm'
- "start-dev"
- "--http-port=9080"
- "--import-realm"
volumes:
- ./keycloak:/opt/keycloak/data/import
environment:


@ -23,11 +23,11 @@ version: "3.0"
services:
oauth2-proxy:
image: quay.io/oauth2-proxy/oauth2-proxy:v7.15.2
ports:
- 4180:4180/tcp
ports: []
hostname: oauth2-proxy
container_name: oauth2-proxy
command: --config /oauth2-proxy.cfg
restart: unless-stopped
volumes:
- "./oauth2-proxy-nginx.cfg:/oauth2-proxy.cfg"
networks:
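Review bot: `ports: []` silently drops the published `4180:4180/tcp` mapping on the oauth2-proxy service without recording why, so the next reader is likely to "fix" it back. A trailing comment keeps the intent visible, e.g. `ports: []  # deliberately unpublished: in this example oauth2-proxy is reached only through the nginx service`. The reduced host exposure looks intentional given the nginx config in this commit proxies to `oauth2-proxy:4180` itself, but the nginx service's own port mapping is outside this hunk, so I cannot confirm the entry point from here. The enclosing service definition continues past the hunk.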


@ -1,49 +1,44 @@
# Reverse proxy to oauth2-proxy
server {
listen 8080;
server_name oauth2-proxy.localtest.me;
location / {
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-Uri $request_uri;
proxy_pass http://oauth2-proxy:4180/;
}
}
# Reverse proxy to httpbin
server {
listen 8080;
server_name httpbin.localtest.me;
server_name oauth2-proxy.localtest.me;
auth_request /internal-auth/oauth2/auth;
location /oauth2/ {
proxy_pass http://oauth2-proxy:4180;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-Uri $request_uri;
proxy_set_header X-Auth-Request-Redirect $request_uri;
}
# On 401, redirect to the sign_in page via a named location
# This ensures a proper 302 redirect that browsers will follow
error_page 401 = @oauth2_signin;
location = /oauth2/auth {
proxy_pass http://oauth2-proxy:4180;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-Uri $request_uri;
# nginx auth_request includes headers but not body
proxy_set_header Content-Length "";
proxy_pass_request_body off;
}
location / {
auth_request /oauth2/auth;
error_page 401 = @oauth2_signin;
# pass information via X-User and X-Email headers to backend,
# requires running with --set-xauthrequest flag
auth_request_set $user $upstream_http_x_auth_request_user;
auth_request_set $email $upstream_http_x_auth_request_email;
proxy_set_header X-User $user;
proxy_set_header X-Email $email;
proxy_pass http://httpbin/;
# or "root /path/to/site;" or "fastcgi_pass ..." etc
}
# Named location for OAuth2 sign-in redirect
# Returns a proper 302 that works with --skip-provider-button
# Named location for handling OAuth2 sign-in redirects
# This ensures the browser receives a proper 302 redirect that it will follow
location @oauth2_signin {
return 302 http://oauth2-proxy.localtest.me:8080/oauth2/sign_in?rd=$scheme://$host$request_uri;
}
# auth_request must be a URI so this allows an internal path to then proxy to
# the real auth_request path.
# The trailing /'s are required so that nginx strips the prefix before proxying.
location /internal-auth/ {
internal; # Ensure external users can't access this path
# Make sure the OAuth2 Proxy knows where the original request came from.
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-Uri $request_uri;
proxy_pass http://oauth2-proxy:4180/;
return 302 /oauth2/sign_in?rd=$scheme://$http_host$request_uri;
}
}
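Review bot: The new `location = /oauth2/auth` block is reachable by external clients, whereas the `/internal-auth/` location it appears to replace carried `internal; # Ensure external users can't access this path`; add `internal;` as the first directive of the new block so that only the `auth_request` subrequest from `location /` can use it (the exact-match location wins over `location /oauth2/`, so a direct request then gets a 404 rather than being proxied). The `@oauth2_signin` redirect now builds `rd` from `$http_host`, which is the client-supplied Host header and, with a single server block, is not constrained by `server_name`; that appears to be bounded by oauth2-proxy's `whitelist_domains=[".localtest.me"]` visible in the cfg hunk, and a comment on the `return 302` line naming that dependency would stop someone from loosening the whitelist later. `$request_uri` is also placed unencoded in the `rd` query parameter, so an original URI containing `&` may be truncated when the proxy parses the query — this mirrors the pattern the old line used, so it is an observation rather than a regression.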


@ -9,7 +9,7 @@ whitelist_domains=[".localtest.me"] # Required to allow redirection back to orig
# dex provider
client_secret="b2F1dGgyLXByb3h5LWNsaWVudC1zZWNyZXQK"
client_id="oauth2-proxy"
redirect_url="http://oauth2-proxy.localtest.me:4180/oauth2/callback"
redirect_url="http://oauth2-proxy.localtest.me:8080/oauth2/callback"
oidc_issuer_url="http://dex.localtest.me:5556/dex"
provider="oidc"
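Review bot: `redirect_url` now has to agree with the nginx `listen 8080` and `server_name oauth2-proxy.localtest.me` in this commit and with the `http://oauth2-proxy.localtest.me:8080/oauth2/callback` entry added to dex's `redirectURIs`, and nothing in the file records that three-way coupling. A comment above the line, `# Must match the nginx listen port/server_name and the redirectURIs entry for this client in the dex config`, would make a future port change less error-prone. The cookie and TLS-related settings that normally sit in this file are outside the hunk, so I cannot tell whether `cookie_secure` is set appropriately for the plain-http local setup.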