oauth2-proxy/docs/configuration/tls/index.html

<!doctype html>
<html class="docs-version-7.3.x" lang="en" dir="ltr">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width,initial-scale=1">
<meta name="generator" content="Docusaurus v2.0.0-beta.15">
<title data-react-helmet="true">TLS Configuration | OAuth2 Proxy</title><meta data-react-helmet="true" name="twitter:card" content="summary_large_image"><meta data-react-helmet="true" property="og:url" content="https://oauth2-proxy.github.io/oauth2-proxy/docs/configuration/tls"><meta data-react-helmet="true" name="docusaurus_locale" content="en"><meta data-react-helmet="true" name="docusaurus_version" content="7.3.x"><meta data-react-helmet="true" name="docusaurus_tag" content="docs-default-7.3.x"><meta data-react-helmet="true" property="og:title" content="TLS Configuration | OAuth2 Proxy"><meta data-react-helmet="true" name="description" content="There are two recommended configurations:"><meta data-react-helmet="true" property="og:description" content="There are two recommended configurations:"><link data-react-helmet="true" rel="icon" href="/oauth2-proxy/img/logos/OAuth2_Proxy_icon.svg"><link data-react-helmet="true" rel="canonical" href="https://oauth2-proxy.github.io/oauth2-proxy/docs/configuration/tls"><link data-react-helmet="true" rel="alternate" href="https://oauth2-proxy.github.io/oauth2-proxy/docs/configuration/tls" hreflang="en"><link data-react-helmet="true" rel="alternate" href="https://oauth2-proxy.github.io/oauth2-proxy/docs/configuration/tls" hreflang="x-default"><link rel="stylesheet" href="/oauth2-proxy/assets/css/styles.19258e03.css">
<link rel="preload" href="/oauth2-proxy/assets/js/runtime~main.355cac20.js" as="script">
<link rel="preload" href="/oauth2-proxy/assets/js/main.a264f451.js" as="script">
</head>
<body>
<script>!function(){function t(t){document.documentElement.setAttribute("data-theme",t)}var e=function(){var t=null;try{t=localStorage.getItem("theme")}catch(t){}return t}();t(null!==e?e:"light")}()</script><div id="__docusaurus">
<div role="region"><a href="#" class="skipToContent_ZgBM">Skip to main content</a></div><nav class="navbar navbar--fixed-top"><div class="navbar__inner"><div class="navbar__items"><button aria-label="Navigation bar toggle" class="navbar__toggle clean-btn" type="button" tabindex="0"><svg width="30" height="30" viewBox="0 0 30 30" aria-hidden="true"><path stroke="currentColor" stroke-linecap="round" stroke-miterlimit="10" stroke-width="2" d="M4 7h22M4 15h22M4 23h22"></path></svg></button><a class="navbar__brand" href="/oauth2-proxy/"><div class="navbar__logo"><img src="/oauth2-proxy/img/logos/OAuth2_Proxy_icon.svg" alt="OAuth2 Proxy" class="themedImage_W2Cr themedImage--light_TfLj"><img src="/oauth2-proxy/img/logos/OAuth2_Proxy_icon.svg" alt="OAuth2 Proxy" class="themedImage_W2Cr themedImage--dark_oUvU"></div><b class="navbar__title">OAuth2 Proxy</b></a><a aria-current="page" class="navbar__item navbar__link navbar__link--active" href="/oauth2-proxy/docs/">Docs</a></div><div class="navbar__items navbar__items--right"><div class="navbar__item dropdown dropdown--hoverable dropdown--right"><a class="navbar__link" href="/oauth2-proxy/docs/">7.3.x</a><ul class="dropdown__menu"><li><a class="dropdown__link" href="/oauth2-proxy/docs/next/configuration/tls">Next</a></li><li><a aria-current="page" class="dropdown__link dropdown__link--active" href="/oauth2-proxy/docs/configuration/tls">7.3.x</a></li><li><a class="dropdown__link" href="/oauth2-proxy/docs/7.2.x/configuration/tls">7.2.x</a></li><li><a class="dropdown__link" href="/oauth2-proxy/docs/7.1.x/configuration/tls">7.1.x</a></li><li><a class="dropdown__link" href="/oauth2-proxy/docs/7.0.x/configuration/tls">7.0.x</a></li><li><a class="dropdown__link" href="/oauth2-proxy/docs/6.1.x/configuration/tls">6.1.x</a></li></ul></div><a href="https://github.com/oauth2-proxy/oauth2-proxy" target="_blank" rel="noopener noreferrer" class="navbar__item navbar__link"><span>GitHub<svg width="13.5" height="13.5" aria-hidden="true" viewBox="0 0 24 24" class="iconExternalLink_I5OW"><path fill="currentColor" d="M21 13v10h-21v-19h12v2h-10v15h17v-8h2zm3-12h-10.988l4.035 4-6.977 7.07 2.828 2.828 6.977-7.07 4.125 4.172v-11z"></path></svg></span></a><div class="toggle_Pssr toggle_TdHA toggleDisabled_jDku"><div class="toggleTrack_SSoT" role="button" tabindex="-1"><div class="toggleTrackCheck_XobZ"><span class="toggleIcon_eZtF">🌜</span></div><div class="toggleTrackX_YkSC"><span class="toggleIcon_eZtF">🌞</span></div><div class="toggleTrackThumb_uRm4"></div></div><input type="checkbox" class="toggleScreenReader_JnkT" aria-label="Switch between dark and light mode"></div></div></div><div role="presentation" class="navbar-sidebar__backdrop"></div></nav><div class="main-wrapper docs-wrapper docs-doc-page"><div class="docPage_P2Lg"><button aria-label="Scroll back to top" class="clean-btn theme-back-to-top-button backToTopButton_RiI4" type="button"></button><aside class="theme-doc-sidebar-container docSidebarContainer_rKC_"><div class="sidebar_CW9Y"><nav class="menu thin-scrollbar menu_SkdO"><ul class="theme-doc-sidebar-menu menu__list"><li class="theme-doc-sidebar-item-link theme-doc-sidebar-item-link-level-1 menu__list-item"><a class="menu__link" href="/oauth2-proxy/docs/">Installation</a></li><li class="theme-doc-sidebar-item-link theme-doc-sidebar-item-link-level-1 menu__list-item"><a class="menu__link" href="/oauth2-proxy/docs/behaviour">Behaviour</a></li><li class="theme-doc-sidebar-item-category theme-doc-sidebar-item-category-level-1 menu__list-item"><div class="menu__list-item-collapsible"><a class="menu__link menu__link--sublist menu__link--active hasHref_VCh3" aria-current="page" href="/oauth2-proxy/docs/configuration/overview">Configuration</a></div><ul style="display:block;overflow:visible;height:auto" class="menu__list"><li class="theme-doc-sidebar-item-link theme-doc-sidebar-item-link-level-2 menu__list-item"><a class="menu__link" tabindex="0" href="/oauth2-proxy/docs/configuration/overview">Overview</a></li><li class="theme-doc-sidebar-item-link theme-doc-sidebar-item-link-level-2 menu__
The defaults set <code>TLS1.2</code> as the minimal version.
Regardless of the minimum version configured, <code>TLS1.3</code> is currently always used as the maximal version.</p><p>The server side cipher suites are the defaults from <a href="https://pkg.go.dev/crypto/tls#CipherSuites" target="_blank" rel="noopener noreferrer"><code>crypto/tls</code></a> of
the currently used <code>go</code> version for building <code>oauth2-proxy</code>.</p></li></ol><h3 class="anchor anchorWithStickyNavbar_mojV" id="terminate-tls-at-reverse-proxy-eg-nginx">Terminate TLS at Reverse Proxy, e.g. Nginx<a class="hash-link" href="#terminate-tls-at-reverse-proxy-eg-nginx" title="Direct link to heading">​</a></h3><ol><li><p>Configure SSL Termination with <a href="http://nginx.org/" target="_blank" rel="noopener noreferrer">Nginx</a> (example config below), Amazon ELB, Google Cloud Platform Load Balancing, or ...</p><p>Because <code>oauth2-proxy</code> listens on <code>127.0.0.1:4180</code> by default, to listen on all interfaces (needed when using an
external load balancer like Amazon ELB or Google Platform Load Balancing) use <code>--http-address=&quot;0.0.0.0:4180&quot;</code> or
<code>--http-address=&quot;http://:4180&quot;</code>.</p><p>Nginx will listen on port <code>443</code> and handle SSL connections while proxying to <code>oauth2-proxy</code> on port <code>4180</code>.
<code>oauth2-proxy</code> will then authenticate requests for an upstream application. The external endpoint for this example
would be <code>https://internal.yourcompany.com/</code>.</p><p>An example Nginx config follows. Note the use of <code>Strict-Transport-Security</code> header to pin requests to SSL
via <a href="http://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security" target="_blank" rel="noopener noreferrer">HSTS</a>:</p><div class="codeBlockContainer_I0IT theme-code-block"><div class="codeBlockContent_wNvx"><pre tabindex="0" class="prism-code language-text codeBlock_jd64 thin-scrollbar" style="color:#bfc7d5;background-color:#292d3e"><code class="codeBlockLines_mRuA"><span class="token-line" style="color:#bfc7d5"><span class="token plain">server {</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">    listen 443 default ssl;</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">    server_name internal.yourcompany.com;</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">    ssl_certificate /path/to/cert.pem;</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">    ssl_certificate_key /path/to/cert.key;</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">    add_header Strict-Transport-Security max-age=2592000;</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain" style="display:inline-block"></span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">    location / {</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">        proxy_pass http://127.0.0.1:4180;</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">        proxy_set_header Host $host;</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">        proxy_set_header X-Real-IP $remote_addr;</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">        proxy_set_header X-Scheme $scheme;</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">        proxy_connect_timeout 1;</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">        proxy_send_timeout 30;</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">        proxy_read_timeout 30;</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">    }</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">}</span><br></span></code></pre><button type="button" aria-label="Copy code to clipboard" class="copyButton_wuS7 clean-btn">Copy</button></div></div></li><li><p>The command line to run <code>oauth2-proxy</code> in this configuration would look like this:</p><div class="codeBlockContainer_I0IT language-bash theme-code-block"><div class="codeBlockContent_wNvx bash"><pre tabindex="0" class="prism-code language-bash codeBlock_jd64 thin-scrollbar" style="color:#bfc7d5;background-color:#292d3e"><code class="codeBlockLines_mRuA"><span class="token-line" style="color:#bfc7d5"><span class="token plain">./oauth2-proxy </span><span class="token punctuation" style="color:rgb(199, 146, 234)">\</span><span class="token plain"></span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">   --email-domain</span><span class="token operator" style="color:rgb(137, 221, 255)">=</span><span class="token string" style="color:rgb(195, 232, 141)">&quot;yourcompany.com&quot;</span><span class="token plain">  </span><span class="token punctuation" style="color:rgb(199, 146, 234)">\</span><span class="token plain"></span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">   --upstream</span><span class="token operator" style="color:rgb(137, 221, 255)">=</span><span class="token plain">http://127.0.0.1:8080/ </span><span class="token punctuation" style="color:rgb(199, 146, 234)">\</span><span class="token plain"></span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">   --cookie-secret</span><span class="token operator" style="color:rgb(137, 221, 255)">=</span><span c
<script src="/oauth2-proxy/assets/js/runtime~main.355cac20.js"></script>
<script src="/oauth2-proxy/assets/js/main.a264f451.js"></script>
</body>
</html>