flagSet.String("http-address","127.0.0.1:4180","[http://]<addr>:<port> or unix://<path> to listen on for HTTP clients")
flagSet.String("https-address",":443","<addr>:<port> to listen on for HTTPS clients")
flagSet.Bool("reverse-proxy",false,"are we running behind a reverse proxy, controls whether headers like X-Real-Ip are accepted")
flagSet.String("real-client-ip-header","X-Real-IP","Header used to determine the real IP of the client (one of: X-Forwarded-For, X-Real-IP, or X-ProxyUser-IP)")
flagSet.Bool("force-https",false,"force HTTPS redirect for HTTP requests")
flagSet.String("tls-cert-file","","path to certificate file")
flagSet.String("tls-key-file","","path to private key file")
flagSet.Bool("set-xauthrequest",false,"set X-Auth-Request-User and X-Auth-Request-Email response headers (useful in Nginx auth_request mode)")
flagSet.StringSlice("upstream",[]string{},"the http url(s) of the upstream endpoint, file:// paths for static files or static://<status_code> for static response. Routing is based on the path")
flagSet.Bool("pass-basic-auth",true,"pass HTTP Basic Auth, X-Forwarded-User and X-Forwarded-Email information to upstream")
flagSet.Bool("set-basic-auth",false,"set HTTP Basic Auth information in response (useful in Nginx auth_request mode)")
flagSet.Bool("prefer-email-to-user",false,"Prefer to use the Email address as the Username when passing information to upstream. Will only use Username if Email is unavailable, eg. htaccess authentication. Used in conjunction with -pass-basic-auth and -pass-user-headers")
flagSet.Bool("pass-user-headers",true,"pass X-Forwarded-User and X-Forwarded-Email information to upstream")
flagSet.String("basic-auth-password","","the password to set when passing the HTTP Basic Auth header")
flagSet.Bool("pass-access-token",false,"pass OAuth access_token to upstream via X-Forwarded-Access-Token header")
flagSet.Bool("pass-host-header",true,"pass the request Host Header to upstream")
flagSet.Bool("pass-authorization-header",false,"pass the Authorization Header to upstream")
flagSet.Bool("set-authorization-header",false,"set Authorization response headers (useful in Nginx auth_request mode)")
flagSet.StringSlice("skip-auth-regex",[]string{},"bypass authentication for requests path's that match (may be given multiple times)")
flagSet.Bool("skip-provider-button",false,"will skip sign-in-page to directly reach the next step: oauth/start")
flagSet.Bool("skip-auth-preflight",false,"will skip authentication for OPTIONS requests")
flagSet.Bool("ssl-insecure-skip-verify",false,"skip validation of certificates presented when using HTTPS providers")
flagSet.Bool("ssl-upstream-insecure-skip-verify",false,"skip validation of certificates presented when using HTTPS upstreams")
flagSet.Duration("flush-interval",time.Duration(1)*time.Second,"period between response flushing when streaming responses")
flagSet.Bool("skip-jwt-bearer-tokens",false,"will skip requests that have verified JWT bearer tokens (default false)")
flagSet.StringSlice("extra-jwt-issuers",[]string{},"if skip-jwt-bearer-tokens is set, a list of extra JWT issuer=audience pairs (where the issuer URL has a .well-known/openid-configuration or a .well-known/jwks.json)")
flagSet.StringSlice("email-domain",[]string{},"authenticate emails with the specified domain (may be given multiple times). Use * to authenticate any email")
flagSet.StringSlice("whitelist-domain",[]string{},"allowed domains for redirection after authentication. Prefix domain with a . to allow subdomains (eg .example.com)")
flagSet.String("keycloak-group","","restrict login to members of this group.")
flagSet.String("azure-tenant","common","go to a tenant-specific or common (tenant-independent) endpoint.")
flagSet.String("bitbucket-team","","restrict logins to members of this team")
flagSet.String("bitbucket-repository","","restrict logins to user with access to this repository")
flagSet.String("github-org","","restrict logins to members of this organisation")
flagSet.String("github-team","","restrict logins to members of this team")
flagSet.String("github-repo","","restrict logins to collaborators of this repository")
flagSet.String("github-token","","the token to use when verifying repository collaborators (must have push access to the repository)")
flagSet.StringSlice("github-user",[]string{},"allow users with these usernames to login even if they do not belong to the specified org and team or collaborators (may be given multiple times)")
flagSet.String("client-secret-file","","the file with OAuth Client Secret")
flagSet.String("authenticated-emails-file","","authenticate against emails via file (one per line)")
flagSet.String("htpasswd-file","","additionally authenticate against a htpasswd file. Entries must be created with \"htpasswd -s\" for SHA encryption or \"htpasswd -B\" for bcrypt encryption")
flagSet.Bool("display-htpasswd-form",true,"display username / password login form if an htpasswd file is provided")
flagSet.String("custom-templates-dir","","path to custom html templates")
flagSet.String("banner","","custom banner string. Use \"-\" to disable default banner.")
flagSet.String("footer","","custom footer string. Use \"-\" to disable default footer.")
flagSet.String("proxy-prefix","/oauth2","the url root path that this proxy should be nested under (e.g. /<oauth2>/sign_in)")
flagSet.String("ping-path","/ping","the ping endpoint that can be used for basic health checks")
flagSet.String("cookie-name","_oauth2_proxy","the name of the cookie that the oauth_proxy creates")
flagSet.String("cookie-secret","","the seed string for secure cookies (optionally base64 encoded)")
flagSet.StringSlice("cookie-domain",[]string{},"Optional cookie domains to force cookies to (ie: `.yourcompany.com`). The longest domain matching the request's host will be used (or the shortest cookie domain if there is no match).")
flagSet.String("cookie-path","/","an optional cookie path to force cookies to (ie: /poc/)*")
flagSet.Duration("cookie-expire",time.Duration(168)*time.Hour,"expire timeframe for cookie")
flagSet.Duration("cookie-refresh",time.Duration(0),"refresh the cookie after this duration; 0 to disable")
flagSet.String("session-store-type","cookie","the session storage provider to use")
flagSet.String("redis-connection-url","","URL of redis server for redis session storage (eg: redis://HOST[:PORT])")
flagSet.Bool("redis-use-sentinel",false,"Connect to redis via sentinels. Must set --redis-sentinel-master-name and --redis-sentinel-connection-urls to use this feature")
flagSet.String("redis-sentinel-master-name","","Redis sentinel master name. Used in conjunction with --redis-use-sentinel")
flagSet.String("redis-ca-path","","Redis custom CA path")
flagSet.Bool("redis-insecure-skip-tls-verify",false,"Use insecure TLS connection to redis")
flagSet.StringSlice("redis-sentinel-connection-urls",[]string{},"List of Redis sentinel connection URLs (eg redis://HOST[:PORT]). Used in conjunction with --redis-use-sentinel")
flagSet.Bool("redis-use-cluster",false,"Connect to redis cluster. Must set --redis-cluster-connection-urls to use this feature")
flagSet.StringSlice("redis-cluster-connection-urls",[]string{},"List of Redis cluster connection URLs (eg redis://HOST[:PORT]). Used in conjunction with --redis-use-cluster")
flagSet.String("jwt-key","","private key in PEM format used to sign JWT, so that you can say something like -jwt-key=\"${OAUTH2_PROXY_JWT_KEY}\": required by login.gov")
flagSet.String("jwt-key-file","","path to the private key file in PEM format used to sign the JWT so that you can say something like -jwt-key-file=/etc/ssl/private/jwt_signing_key.pem: required by login.gov")
flagSet.String("pubjwk-url","","JWK pubkey access endpoint: required by login.gov")
