oauth2-proxy/585bdad0.5bd991bb.js


// Webpack async chunk 20 for the oauth2-proxy docs site. It registers two modules:
//   116 - the MDX runtime (context-based component lookup plus the `mdx` pragma),
//   78  - the compiled "TLS Configuration" page (docs/configuration/tls.md).
(window.webpackJsonp = window.webpackJsonp || []).push([
  [20],
  {
    /**
     * Module 116: @mdx-js/react runtime.
     * Exports: "a" -> MDXProvider, "b" -> mdx (createElement wrapper).
     */
    116: function (module, exports, __webpack_require__) {
      "use strict";
      __webpack_require__.d(exports, "a", () => MDXProvider);
      __webpack_require__.d(exports, "b", () => mdx);

      const reactModule = __webpack_require__(0);
      // `.n()` wraps the module so `.a` yields its default export.
      const React = __webpack_require__.n(reactModule).a;

      /**
       * Babel `defineProperty` helper: set `key` on `target` as an own, enumerable,
       * writable property and return `target`.
       */
      function defineOwn(target, key, value) {
        if (key in target) {
          Object.defineProperty(target, key, {
            value,
            enumerable: true,
            configurable: true,
            writable: true,
          });
        } else {
          target[key] = value;
        }
        return target;
      }

      /**
       * Babel `ownKeys` helper: own string keys plus own symbol keys of `source`
       * (symbols restricted to enumerable ones when `enumerableOnly` is set).
       */
      function ownKeys(source, enumerableOnly) {
        const keys = Object.keys(source);
        if (Object.getOwnPropertySymbols) {
          let symbols = Object.getOwnPropertySymbols(source);
          if (enumerableOnly) {
            symbols = symbols.filter(
              (sym) => Object.getOwnPropertyDescriptor(source, sym).enumerable,
            );
          }
          keys.push(...symbols);
        }
        return keys;
      }

      /**
       * Babel `objectSpread2` helper. Odd-positioned sources are copied by value
       * (like `{...src}`), even-positioned ones by descriptor; null/undefined
       * sources are skipped. Returns `target`.
       */
      function objectSpread(target, ...sources) {
        sources.forEach((raw, idx) => {
          const source = raw != null ? raw : {};
          const position = idx + 1; // mirrors the 1-based `arguments` index the helper was written against
          if (position % 2) {
            ownKeys(Object(source), true).forEach((key) => {
              defineOwn(target, key, source[key]);
            });
          } else if (Object.getOwnPropertyDescriptors) {
            Object.defineProperties(target, Object.getOwnPropertyDescriptors(source));
          } else {
            ownKeys(Object(source)).forEach((key) => {
              Object.defineProperty(target, key, Object.getOwnPropertyDescriptor(source, key));
            });
          }
        });
        return target;
      }

      /** Copy every own string key of `source` not listed in `excluded` into a fresh object. */
      function omitLoose(source, excluded) {
        if (source == null) return {};
        const result = {};
        for (const key of Object.keys(source)) {
          if (excluded.includes(key)) continue;
          result[key] = source[key];
        }
        return result;
      }

      /**
       * Babel `objectWithoutProperties` helper: `omitLoose` plus the own
       * enumerable symbol keys that are not excluded.
       */
      function omit(source, excluded) {
        if (source == null) return {};
        const result = omitLoose(source, excluded);
        if (Object.getOwnPropertySymbols) {
          for (const sym of Object.getOwnPropertySymbols(source)) {
            if (excluded.includes(sym)) continue;
            if (!Object.prototype.propertyIsEnumerable.call(source, sym)) continue;
            result[sym] = source[sym];
          }
        }
        return result;
      }

      // Component map shared down the tree; empty by default.
      const MDXContext = React.createContext({});

      /**
       * Resolve the component map: the context value, optionally merged with
       * (or transformed by, when a function) the caller-supplied `components`.
       */
      const useMDXComponents = (components) => {
        const fromContext = React.useContext(MDXContext);
        if (!components) return fromContext;
        if (typeof components === "function") return components(fromContext);
        return objectSpread(objectSpread({}, fromContext), components);
      };

      /** Provider that exposes a merged component map to descendant MDX content. */
      const MDXProvider = (props) => {
        const merged = useMDXComponents(props.components);
        return React.createElement(MDXContext.Provider, { value: merged }, props.children);
      };

      // Fallbacks used when neither the context nor the caller maps a type.
      const DEFAULTS = {
        inlineCode: "code",
        wrapper: (props) => {
          const { children } = props;
          return React.createElement(React.Fragment, {}, children);
        },
      };

      /**
       * Element created by `mdx`. Looks the tag up as "<parentName>.<mdxType>",
       * then "<mdxType>", then DEFAULTS, and finally falls back to originalType.
       */
      const MDXCreateElement = React.forwardRef((props, ref) => {
        const { components: ownComponents, mdxType, originalType, parentName } = props;
        const passthrough = omit(props, ["components", "mdxType", "originalType", "parentName"]);
        const resolved = useMDXComponents(ownComponents);
        const tag = mdxType;
        const Component =
          resolved[`${parentName}.${tag}`] || resolved[tag] || DEFAULTS[tag] || originalType;
        if (ownComponents) {
          return React.createElement(
            Component,
            objectSpread(objectSpread({ ref }, passthrough), {}, { components: ownComponents }),
          );
        }
        return React.createElement(Component, objectSpread({ ref }, passthrough));
      });

      /**
       * The MDX pragma. String types (and anything carrying an `mdxType` prop)
       * are routed through MDXCreateElement with `originalType`/`mdxType`
       * recorded; everything else goes straight to React.createElement.
       */
      function mdx(type, props, ...children) {
        const propMdxType = props && props.mdxType;
        if (typeof type === "string" || propMdxType) {
          const newProps = {};
          // Own keys only; the original reached the same function through the
          // global object's prototype chain.
          for (const key in props) {
            if (Object.prototype.hasOwnProperty.call(props, key)) newProps[key] = props[key];
          }
          newProps.originalType = type;
          newProps.mdxType = typeof type === "string" ? type : propMdxType;
          return React.createElement(MDXCreateElement, newProps, ...children);
        }
        return React.createElement(type, props, ...children);
      }

      MDXCreateElement.displayName = "MDXCreateElement";
    },

    /**
     * Module 78: compiled docs/configuration/tls.md.
     * Exports: frontMatter, metadata, rightToc, default (the page component).
     */
    78: function (module, exports, __webpack_require__) {
      "use strict";
      __webpack_require__.r(exports);
      __webpack_require__.d(exports, "frontMatter", () => frontMatter);
      __webpack_require__.d(exports, "metadata", () => metadata);
      __webpack_require__.d(exports, "rightToc", () => rightToc);
      __webpack_require__.d(exports, "default", () => MDXContent);

      const extendsModule = __webpack_require__(2);
      const omitModule = __webpack_require__(6);
      __webpack_require__(0); // required for its side effect only; the result is discarded
      const mdxModule = __webpack_require__(116);

      // Babel `extends` (module 2), `objectWithoutProperties` (module 6) and the
      // `mdx` pragma (module 116, export "b").
      const extend = extendsModule.a;
      const omit = omitModule.a;
      const mdx = mdxModule.b;

      const frontMatter = { id: "tls", title: "TLS Configuration" };

      const metadata = {
        unversionedId: "configuration/tls",
        id: "configuration/tls",
        isDocsHomePage: false,
        title: "TLS Configuration",
        description: "There are two recommended configurations:",
        source: "@site/docs/configuration/tls.md",
        slug: "/configuration/tls",
        permalink: "/oauth2-proxy/docs/next/configuration/tls",
        editUrl:
          "https://github.com/oauth2-proxy/oauth2-proxy/edit/master/docs/docs/configuration/tls.md",
        version: "current",
        sidebar: "docs",
        previous: {
          title: "Session Storage",
          permalink: "/oauth2-proxy/docs/next/configuration/session_storage",
        },
        next: {
          title: "Alpha Configuration",
          permalink: "/oauth2-proxy/docs/next/configuration/alpha-config",
        },
      };

      // Table of contents: one entry per h3 on the page.
      const rightToc = [
        {
          value: "Terminate TLS at OAuth2 Proxy",
          id: "terminate-tls-at-oauth2-proxy",
          children: [],
        },
        {
          value: "Terminate TLS at Reverse Proxy, e.g. Nginx",
          id: "terminate-tls-at-reverse-proxy-eg-nginx",
          children: [],
        },
      ];

      const layoutProps = { rightToc };

      // Small builders for the element shapes that repeat throughout the page.
      const codeIn = (parent, text) => mdx("inlineCode", { parentName: parent }, text);
      const link = (parent, href, ...children) =>
        mdx("a", extend({ parentName: parent }, { href }), ...children);
      const para = (...children) => mdx("p", { parentName: "li" }, ...children);
      const codeBlock = (attrs, text) =>
        mdx("pre", { parentName: "li" }, mdx("code", extend({ parentName: "pre" }, attrs), text));

      /**
       * The page component. `components` is forwarded to the MDX wrapper; every
       * other prop is spread onto it after the layout props.
       */
      function MDXContent(props) {
        const { components } = props;
        const rest = omit(props, ["components"]);
        return mdx(
          "wrapper",
          extend({}, layoutProps, rest, { components, mdxType: "MDXLayout" }),
          mdx("p", null, "There are two recommended configurations:"),
          mdx(
            "ul",
            null,
            mdx(
              "li",
              { parentName: "ul" },
              link("li", "#terminate-tls-at-oauth2-proxy", "At OAuth2 Proxy"),
            ),
            mdx(
              "li",
              { parentName: "ul" },
              link("li", "#terminate-tls-at-reverse-proxy-eg-nginx", "At Reverse Proxy"),
            ),
          ),
          // Option 1: oauth2-proxy terminates TLS itself (cert/key flags, min version).
          mdx("h3", { id: "terminate-tls-at-oauth2-proxy" }, "Terminate TLS at OAuth2 Proxy"),
          mdx(
            "ol",
            null,
            mdx(
              "li",
              { parentName: "ol" },
              para(
                "Configure SSL Termination with OAuth2 Proxy by providing a ",
                codeIn("p", "--tls-cert-file=/path/to/cert.pem"),
                " and ",
                codeIn("p", "--tls-key-file=/path/to/cert.key"),
                ".",
              ),
              para(
                "The command line to run ",
                codeIn("p", "oauth2-proxy"),
                " in this configuration would look like this:",
              ),
              codeBlock(
                { className: "language-bash" },
                './oauth2-proxy \\\n --email-domain="yourcompany.com" \\\n --upstream=http://127.0.0.1:8080/ \\\n --tls-cert-file=/path/to/cert.pem \\\n --tls-key-file=/path/to/cert.key \\\n --cookie-secret=... \\\n --cookie-secure=true \\\n --provider=... \\\n --client-id=... \\\n --client-secret=...\n',
              ),
            ),
            mdx(
              "li",
              { parentName: "ol" },
              para("With this configuration approach the customization of the TLS settings is limited."),
              para(
                "The minimal acceptable TLS version can be set with ",
                codeIn("p", "--tls-min-version=TLS1.3"),
                ".\nThe defaults set ",
                codeIn("p", "TLS1.2"),
                " as the minimal version.\nRegardless of the minimum version configured, ",
                codeIn("p", "TLS1.3"),
                " is currently always used as the maximal version.",
              ),
              para(
                "The server side cipher suites are the defaults from ",
                link("p", "https://pkg.go.dev/crypto/tls#CipherSuites", codeIn("a", "crypto/tls")),
                " of\nthe currently used ",
                codeIn("p", "go"),
                " version for building ",
                codeIn("p", "oauth2-proxy"),
                ".",
              ),
            ),
          ),
          // Option 2: a reverse proxy / load balancer terminates TLS in front of oauth2-proxy.
          mdx(
            "h3",
            { id: "terminate-tls-at-reverse-proxy-eg-nginx" },
            "Terminate TLS at Reverse Proxy, e.g. Nginx",
          ),
          mdx(
            "ol",
            null,
            mdx(
              "li",
              { parentName: "ol" },
              para(
                "Configure SSL Termination with ",
                link("p", "http://nginx.org/", "Nginx"),
                " (example config below), Amazon ELB, Google Cloud Platform Load Balancing, or ...",
              ),
              para(
                "Because ",
                codeIn("p", "oauth2-proxy"),
                " listens on ",
                codeIn("p", "127.0.0.1:4180"),
                " by default, to listen on all interfaces (needed when using an\nexternal load balancer like Amazon ELB or Google Platform Load Balancing) use ",
                codeIn("p", '--http-address="0.0.0.0:4180"'),
                " or\n",
                codeIn("p", '--http-address="http://:4180"'),
                ".",
              ),
              para(
                "Nginx will listen on port ",
                codeIn("p", "443"),
                " and handle SSL connections while proxying to ",
                codeIn("p", "oauth2-proxy"),
                " on port ",
                codeIn("p", "4180"),
                ".\n",
                codeIn("p", "oauth2-proxy"),
                " will then authenticate requests for an upstream application. The external endpoint for this example\nwould be ",
                codeIn("p", "https://internal.yourcompany.com/"),
                ".",
              ),
              para(
                "An example Nginx config follows. Note the use of ",
                codeIn("p", "Strict-Transport-Security"),
                " header to pin requests to SSL\nvia ",
                link("p", "http://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security", "HSTS"),
                ":",
              ),
              // The nginx sample: TLS on 443, HSTS header, plain-HTTP proxy_pass to the local 4180 listener.
              codeBlock(
                {},
                "server {\n listen 443 default ssl;\n server_name internal.yourcompany.com;\n ssl_certificate /path/to/cert.pem;\n ssl_certificate_key /path/to/cert.key;\n add_header Strict-Transport-Security max-age=2592000;\n\n location / {\n proxy_pass http://127.0.0.1:4180;\n proxy_set_header Host $host;\n proxy_set_header X-Real-IP $remote_addr;\n proxy_set_header X-Scheme $scheme;\n proxy_connect_timeout 1;\n proxy_send_timeout 30;\n proxy_read_timeout 30;\n }\n}\n",
              ),
            ),
            mdx(
              "li",
              { parentName: "ol" },
              para(
                "The command line to run ",
                codeIn("p", "oauth2-proxy"),
                " in this configuration would look like this:",
              ),
              // Differs from the first sample by dropping the --tls-* flags and adding --reverse-proxy=true.
              codeBlock(
                { className: "language-bash" },
                './oauth2-proxy \\\n --email-domain="yourcompany.com" \\\n --upstream=http://127.0.0.1:8080/ \\\n --cookie-secret=... \\\n --cookie-secure=true \\\n --provider=... \\\n --reverse-proxy=true \\\n --client-id=... \\\n --client-secret=...\n',
              ),
            ),
          ),
        );
      }

      MDXContent.isMDXComponent = true;
    },
  },
]);