---
layout: default
title: TLS Configuration
permalink: /tls-configuration
nav_order: 4
---

## SSL Configuration

There are two recommended configurations.

1. Configure SSL Termination with OAuth2 Proxy by providing a `--tls-cert-file=/path/to/cert.pem` and `--tls-key-file=/path/to/cert.key`.

The command line to run `oauth2-proxy` in this configuration would look like this:

```bash
./oauth2-proxy \
   --email-domain="yourcompany.com" \
   --upstream=http://127.0.0.1:8080/ \
   --tls-cert-file=/path/to/cert.pem \
   --tls-key-file=/path/to/cert.key \
   --cookie-secret=... \
   --cookie-secure=true \
   --provider=... \
   --client-id=... \
   --client-secret=...
```

2. Configure SSL Termination with [Nginx](http://nginx.org/) (example config below), Amazon ELB, Google Cloud Platform Load Balancing, or ....

`oauth2-proxy` listens on `127.0.0.1:4180` by default. To listen on all interfaces (needed when using an
external load balancer like Amazon ELB or Google Platform Load Balancing), use `--http-address="0.0.0.0:4180"` or
`--http-address="http://:4180"`.

Nginx will listen on port `443` and handle SSL connections while proxying to `oauth2-proxy` on port `4180`.
`oauth2-proxy` will then authenticate requests for an upstream application. The external endpoint for this example
would be `https://internal.yourcompany.com/`.

An example Nginx config follows. Note the use of the `Strict-Transport-Security` header to pin requests to SSL
via [HSTS](http://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security):

```
server {
    listen 443 default ssl;
    server_name internal.yourcompany.com;
    ssl_certificate /path/to/cert.pem;
    ssl_certificate_key /path/to/cert.key;
    add_header Strict-Transport-Security max-age=2592000;

    location / {
        proxy_pass http://127.0.0.1:4180;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Scheme $scheme;
        proxy_connect_timeout 1;
        proxy_send_timeout 30;
        proxy_read_timeout 30;
    }
}
```

The command line to run `oauth2-proxy` in this configuration would look like this:

```bash
./oauth2-proxy \
   --email-domain="yourcompany.com" \
   --upstream=http://127.0.0.1:8080/ \
   --cookie-secret=... \
   --cookie-secure=true \
   --provider=... \
   --reverse-proxy=true \
   --client-id=... \
   --client-secret=...
```
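
A pre-flight check for the two command lines above, as an added example that is not part of the oauth2-proxy documentation or code base: it parses the `--name=value` flags shown on this page and reports combinations that leave TLS half-configured. The function names, the finding texts, the sample command and the rule that `--cookie-secure` must be set explicitly are assumptions of this example.

```python
import ipaddress
import shlex


def parse_flags(command):
    """Map flag name -> value for --name=value options (the form this page uses)."""
    flags = {}
    for token in shlex.split(command.replace("\\\n", " ")):  # join continuations
        if token.startswith("--"):
            name, sep, value = token[2:].partition("=")
            flags[name] = value if sep else "true"  # bare boolean flag
    return flags


def is_loopback(http_address):
    """True only when the listen address is a loopback IP literal."""
    host = http_address.split("://")[-1].rsplit(":", 1)[0].strip("[]")
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # empty host ("http://:4180") or a hostname: assume exposed


def audit(command):
    """Return a list of findings for one oauth2-proxy command line."""
    flags = parse_flags(command)
    has_cert = bool(flags.get("tls-cert-file"))
    has_key = bool(flags.get("tls-key-file"))
    findings = []
    if has_cert != has_key:
        findings.append("tls-cert-file and tls-key-file must be set together")
    if flags.get("cookie-secure") != "true":  # assumption: require it explicitly
        findings.append("cookie-secure is not explicitly true")
    if not has_cert and not has_key:  # TLS is terminated in front of the proxy
        if flags.get("reverse-proxy") != "true":
            findings.append("reverse-proxy=true missing behind a TLS terminator")
        if not is_loopback(flags.get("http-address", "127.0.0.1:4180")):
            findings.append("plain HTTP listener is not loopback-only; "
                            "restrict port access to the load balancer")
    return findings


# Constructed sample: external load balancer in front, settings forgotten.
SAMPLE = """./oauth2-proxy \\
   --upstream=http://127.0.0.1:8080/ \\
   --http-address="0.0.0.0:4180" \\
   --cookie-secure=false"""

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print("FINDING:", finding)
```

Only the `--name=value` spelling is parsed; a flag written as `--name value` is read as a bare boolean.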