
(window.webpackJsonp=window.webpackJsonp||[]).push([[15],{72:function(e,t,n){"use strict";n.r(t),n.d(t,"frontMatter",(function(){return i})),n.d(t,"metadata",(function(){return c})),n.d(t,"rightToc",(function(){return p})),n.d(t,"default",(function(){return s}));var r=n(2),o=n(6),a=(n(0),n(95)),i={id:"tls",title:"TLS Configuration"},c={unversionedId:"configuration/tls",id:"configuration/tls",isDocsHomePage:!1,title:"TLS Configuration",description:"There are two recommended configurations.",source:"@site/docs/configuration/tls.md",slug:"/configuration/tls",permalink:"/oauth2-proxy/docs/next/configuration/tls",editUrl:"https://github.com/oauth2-proxy/oauth2-proxy/edit/master/docs/docs/configuration/tls.md",version:"current",sidebar:"docs",previous:{title:"Session Storage",permalink:"/oauth2-proxy/docs/next/configuration/session_storage"},next:{title:"Alpha Configuration",permalink:"/oauth2-proxy/docs/next/configuration/alpha-config"}},p=[],l={rightToc:p};function s(e){var t=e.components,n=Object(o.a)(e,["components"]);return Object(a.b)("wrapper",Object(r.a)({},l,n,{components:t,mdxType:"MDXLayout"}),Object(a.b)("p",null,"There are two recommended configurations."),Object(a.b)("ol",null,Object(a.b)("li",{parentName:"ol"},Object(a.b)("p",{parentName:"li"},"Configure SSL Termination with OAuth2 Proxy by providing a ",Object(a.b)("inlineCode",{parentName:"p"},"--tls-cert-file=/path/to/cert.pem")," and ",Object(a.b)("inlineCode",{parentName:"p"},"--tls-key-file=/path/to/cert.key"),"."),Object(a.b)("p",{parentName:"li"},"The command line to run ",Object(a.b)("inlineCode",{parentName:"p"},"oauth2-proxy")," in this configuration would look like this:"),Object(a.b)("pre",{parentName:"li"},Object(a.b)("code",Object(r.a)({parentName:"pre"},{className:"language-bash"}),'./oauth2-proxy \\\n --email-domain="yourcompany.com" \\\n --upstream=http://127.0.0.1:8080/ \\\n --tls-cert-file=/path/to/cert.pem \\\n --tls-key-file=/path/to/cert.key \\\n --cookie-secret=... 
\\\n --cookie-secure=true \\\n --provider=... \\\n --client-id=... \\\n --client-secret=...\n'))),Object(a.b)("li",{parentName:"ol"},Object(a.b)("p",{parentName:"li"},"Configure SSL Termination with ",Object(a.b)("a",Object(r.a)({parentName:"p"},{href:"http://nginx.org/"}),"Nginx")," (example config below), Amazon ELB, Google Cloud Platform Load Balancing, or ...."),Object(a.b)("p",{parentName:"li"},"Because ",Object(a.b)("inlineCode",{parentName:"p"},"oauth2-proxy")," listens on ",Object(a.b)("inlineCode",{parentName:"p"},"127.0.0.1:4180")," by default, to listen on all interfaces (needed when using an\nexternal load balancer like Amazon ELB or Google Platform Load Balancing) use ",Object(a.b)("inlineCode",{parentName:"p"},'--http-address="0.0.0.0:4180"')," or\n",Object(a.b)("inlineCode",{parentName:"p"},'--http-address="http://:4180"'),"."),Object(a.b)("p",{parentName:"li"},"Nginx will listen on port ",Object(a.b)("inlineCode",{parentName:"p"},"443")," and handle SSL connections while proxying to ",Object(a.b)("inlineCode",{parentName:"p"},"oauth2-proxy")," on port ",Object(a.b)("inlineCode",{parentName:"p"},"4180"),".\n",Object(a.b)("inlineCode",{parentName:"p"},"oauth2-proxy")," will then authenticate requests for an upstream application. The external endpoint for this example\nwould be ",Object(a.b)("inlineCode",{parentName:"p"},"https://internal.yourcompany.com/"),"."),Object(a.b)("p",{parentName:"li"},"An example Nginx config follows. 
Note the use of ",Object(a.b)("inlineCode",{parentName:"p"},"Strict-Transport-Security")," header to pin requests to SSL\nvia ",Object(a.b)("a",Object(r.a)({parentName:"p"},{href:"http://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security"}),"HSTS"),":"),Object(a.b)("pre",{parentName:"li"},Object(a.b)("code",Object(r.a)({parentName:"pre"},{}),"server {\n listen 443 default ssl;\n server_name internal.yourcompany.com;\n ssl_certificate /path/to/cert.pem;\n ssl_certificate_key /path/to/cert.key;\n add_header Strict-Transport-Security max-age=2592000;\n\n location / {\n proxy_pass http://1