TLS Configuration
There are two recommended configurations.
1. Configure SSL termination with OAuth2 Proxy itself by providing `--tls-cert-file=/path/to/cert.pem` and `--tls-key-file=/path/to/cert.key`.

   The command line to run `oauth2-proxy` in this configuration would look like this:

   ```bash
   ./oauth2-proxy \
      --email-domain="yourcompany.com" \
      --upstream=http://127.0.0.1:8080/ \
      --tls-cert-file=/path/to/cert.pem \
      --tls-key-file=/path/to/cert.key \
      --cookie-secret=... \
      --cookie-secure=true \
      --provider=... \
      --client-id=... \
      --client-secret=...
   ```

2. Configure SSL termination with Nginx (example config below), Amazon ELB, Google Cloud Platform Load Balancing, or another TLS-terminating proxy or load balancer.

   Because `oauth2-proxy` listens on `127.0.0.1:4180` by default, to listen on all interfaces (needed when using an external load balancer like Amazon ELB or Google Cloud Platform Load Balancing) use `--http-address="0.0.0.0:4180"` or `--http-address="http://:4180"`.

   Nginx will listen on port `443` and handle SSL connections while proxying to `oauth2-proxy` on port `4180`. `oauth2-proxy` will then authenticate requests for an upstream application. The external endpoint for this example would be `https://internal.yourcompany.com/`.

   An example Nginx config follows. Note the use of the `Strict-Transport-Security` header to pin requests to SSL via HSTS:

   ```nginx
   server {
       listen 443 default ssl;
       server_name internal.yourcompany.com;
       ssl_certificate /path/to/cert.pem;
       ssl_certificate_key /path/to/cert.key;
       add_header Strict-Transport-Security max-age=2592000;

       location / {
           proxy_pass http://127.0.0.1:4180;
           proxy_set_header Host $host;
           proxy_set_header X-Real-IP $remote_addr;
           proxy_set_header X-Scheme $scheme;
           proxy_connect_timeout 1;
           proxy_send_timeout 30;
           proxy_read_timeout 30;
       }
   }
   ```

   The command line to run `oauth2-proxy` in this configuration would look like this:

   ```bash
   ./oauth2-proxy \
      --email-domain="yourcompany.com" \
      --upstream=http://127.0.0.1:8080/ \
      --cookie-secret=... \
      --cookie-secure=true \
      --provider=... \
      --reverse-proxy=true \
      --client-id=... \
      --client-secret=...
   ```
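The second configuration only holds together if the Nginx server block really does what the example shows: terminate TLS, send HSTS, forward the scheme so `--cookie-secure=true` sees an HTTPS origin, and hand requests to `oauth2-proxy` over loopback only, since with `--reverse-proxy=true` the proxy trusts the forwarding headers of whoever reaches it. The following shell script is an added example, not part of the oauth2-proxy documentation or project, that lints a server block for exactly those properties. The function name, the temporary file paths and the embedded sample configs (the good one copied from the example above, the bad one constructed to fail) are all assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the oauth2-proxy docs): lint an nginx server block
# that terminates TLS in front of oauth2-proxy for the properties the
# documented configuration relies on. Prints one FAIL line per missing
# property and returns non-zero if any check failed.

check_oauth2_proxy_nginx() {
  cfg="$1"
  fail=0
  # TLS must actually be terminated here: "listen ... ssl" plus cert and key.
  grep -Eq '^[[:space:]]*listen[[:space:]][^;]*ssl' "$cfg" \
    || { echo "FAIL: no 'listen ... ssl' directive"; fail=1; }
  grep -Eq '^[[:space:]]*ssl_certificate[[:space:]]' "$cfg" \
    || { echo "FAIL: ssl_certificate missing"; fail=1; }
  grep -Eq '^[[:space:]]*ssl_certificate_key[[:space:]]' "$cfg" \
    || { echo "FAIL: ssl_certificate_key missing"; fail=1; }
  # HSTS pins browsers to HTTPS on later visits.
  grep -Eq 'add_header[[:space:]]+Strict-Transport-Security[[:space:]]' "$cfg" \
    || { echo "FAIL: Strict-Transport-Security header missing"; fail=1; }
  # oauth2-proxy must only be reachable from nginx over loopback, because with
  # --reverse-proxy=true it trusts the forwarded headers of its caller.
  grep -Eq 'proxy_pass[[:space:]]+http://127\.0\.0\.1:4180' "$cfg" \
    || { echo "FAIL: proxy_pass does not target 127.0.0.1:4180"; fail=1; }
  # X-Scheme tells oauth2-proxy the client arrived over https, which
  # --cookie-secure=true depends on.
  grep -Eq 'proxy_set_header[[:space:]]+X-Scheme[[:space:]]+\$scheme' "$cfg" \
    || { echo "FAIL: X-Scheme not forwarded"; fail=1; }
  return $fail
}

# Constructed sample: the server block from the documentation, written to "$1".
write_good_config() {
  cat > "$1" <<'EOF'
server {
    listen 443 default ssl;
    server_name internal.yourcompany.com;
    ssl_certificate /path/to/cert.pem;
    ssl_certificate_key /path/to/cert.key;
    add_header Strict-Transport-Security max-age=2592000;
    location / {
        proxy_pass http://127.0.0.1:4180;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Scheme $scheme;
    }
}
EOF
}

# Constructed counter-example: plain HTTP, no HSTS, proxy reached over a
# non-loopback address, and no scheme forwarded. The lint must reject it.
write_bad_config() {
  cat > "$1" <<'EOF'
server {
    listen 80;
    server_name internal.yourcompany.com;
    location / {
        proxy_pass http://10.0.0.5:4180;
        proxy_set_header Host $host;
    }
}
EOF
}

# Stand-alone demonstration on both constructed configs.
good=$(mktemp); write_good_config "$good"
if check_oauth2_proxy_nginx "$good"; then echo "documented config: OK"; fi
bad=$(mktemp); write_bad_config "$bad"
if check_oauth2_proxy_nginx "$bad"; then
  echo "weak config: unexpectedly passed"
else
  echo "weak config: rejected"
fi
rm -f "$good" "$bad"
```

To run it against a real deployment, call `check_oauth2_proxy_nginx /etc/nginx/conf.d/your-site.conf` (path assumed) after sourcing the script. The checks are deliberately conservative pattern matches, not an nginx parser, so a passing result is a necessary condition for the documented setup, not proof that the rest of the file is sound.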