public_git
/
oauth2-proxy
mirror of https://github.com/oauth2-proxy/oauth2-proxy.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
oauth2-proxy/docs/4_tls.md

2.5 KiB
Raw Blame History

layout title permalink nav_order
default TLS Configuration /tls-configuration 4

SSL Configuration

There are two recommended configurations.

  1. Configure SSL Termination with OAuth2 Proxy by providing a --tls-cert-file=/path/to/cert.pem and --tls-key-file=/path/to/cert.key.

    The command line to run oauth2-proxy in this configuration would look like this:

    ./oauth2-proxy \
    --email-domain="yourcompany.com"  \
    --upstream=http://127.0.0.1:8080/ \
    --tls-cert-file=/path/to/cert.pem \
    --tls-key-file=/path/to/cert.key \
    --cookie-secret=... \
    --cookie-secure=true \
    --provider=... \
    --client-id=... \
    --client-secret=...

  2. Configure SSL Termination with Nginx (example config below), Amazon ELB, Google Cloud Platform Load Balancing, or ....

    Because oauth2-proxy listens on 127.0.0.1:4180 by default, to listen on all interfaces (needed when using an external load balancer like Amazon ELB or Google Platform Load Balancing) use --http-address="0.0.0.0:4180" or --http-address="http://:4180".

    Nginx will listen on port 443 and handle SSL connections while proxying to oauth2-proxy on port 4180. oauth2-proxy will then authenticate requests for an upstream application. The external endpoint for this example would be https://internal.yourcompany.com/.

    An example Nginx config follows. Note the use of Strict-Transport-Security header to pin requests to SSL via HSTS:

    server {
    listen 443 default ssl;
    server_name internal.yourcompany.com;
    ssl_certificate /path/to/cert.pem;
    ssl_certificate_key /path/to/cert.key;
    add_header Strict-Transport-Security max-age=2592000;

    location / {
        proxy_pass http://127.0.0.1:4180;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Scheme $scheme;
        proxy_connect_timeout 1;
        proxy_send_timeout 30;
        proxy_read_timeout 30;
    }
}

    The command line to run oauth2-proxy in this configuration would look like this:

    ./oauth2-proxy \
   --email-domain="yourcompany.com"  \
   --upstream=http://127.0.0.1:8080/ \
   --cookie-secret=... \
   --cookie-secure=true \
   --provider=... \
   --reverse-proxy=true \
   --client-id=... \
   --client-secret=...