// Listener addresses. The plain-HTTP listener defaults to loopback only,
// while the HTTPS listener defaults to every interface on port 443.
flagSet.String("http-address", "127.0.0.1:4180", "[http://]<addr>:<port> or unix://<path> to listen on for HTTP clients")
flagSet.String("https-address", ":443", "<addr>:<port> to listen on for HTTPS clients")

// Client-IP trust. reverse-proxy is off by default; per its help text it gates
// whether forwarded-client headers such as X-Real-Ip are accepted. It is only
// meaningful when a proxy in front of this process sets or strips the header
// named by real-client-ip-header; otherwise the header value is whatever the
// client sent.
flagSet.Bool("reverse-proxy", false, "are we running behind a reverse proxy, controls whether headers like X-Real-Ip are accepted")
flagSet.String("real-client-ip-header", "X-Real-IP", "Header used to determine the real IP of the client (one of: X-Forwarded-For, X-Real-IP, or X-ProxyUser-IP)")

// trusted-ip bypasses authentication by source address and is empty by default.
// NOTE(review): the address it is compared against presumably depends on the
// two flags above. Confirm in the option-handling code, which is not shown here.
flagSet.StringSlice("trusted-ip", []string{}, "list of IPs or CIDR ranges to allow to bypass authentication. WARNING: trusting by IP has inherent security flaws, read the configuration documentation for more information.")
// Identity headers and upstream routing.
//
// Three of these default to true: pass-basic-auth, pass-user-headers and
// pass-host-header. An upstream that authorises on X-Forwarded-User or
// X-Forwarded-Email should therefore be reachable only through this proxy,
// since any other route to it lets the caller supply those headers directly.
flagSet.Bool("set-xauthrequest", false, "set X-Auth-Request-User and X-Auth-Request-Email response headers (useful in Nginx auth_request mode)")

// upstream also accepts file:// paths, so a misconfigured value can expose
// local files as static content.
flagSet.StringSlice("upstream", []string{}, "the http url(s) of the upstream endpoint, file:// paths for static files or static://<status_code> for static response. Routing is based on the path")
flagSet.Bool("pass-basic-auth", true, "pass HTTP Basic Auth, X-Forwarded-User and X-Forwarded-Email information to upstream")
flagSet.Bool("set-basic-auth", false, "set HTTP Basic Auth information in response (useful in Nginx auth_request mode)")
flagSet.Bool("prefer-email-to-user", false, "Prefer to use the Email address as the Username when passing information to upstream. Will only use Username if Email is unavailable, eg. htaccess authentication. Used in conjunction with -pass-basic-auth and -pass-user-headers")
flagSet.Bool("pass-user-headers", true, "pass X-Forwarded-User and X-Forwarded-Email information to upstream")

// basic-auth-password is a secret supplied as a flag value, and command-line
// arguments are typically visible in the process list.
// NOTE(review): check whether a config-file or environment source exists for
// this option. None is visible in this listing.
flagSet.String("basic-auth-password", "", "the password to set when passing the HTTP Basic Auth header")

// Token and Authorization forwarding is opt-in (default false); enabling it
// hands the user's credential material to the upstream.
flagSet.Bool("pass-access-token", false, "pass OAuth access_token to upstream via X-Forwarded-Access-Token header")
flagSet.Bool("pass-host-header", true, "pass the request Host Header to upstream")
flagSet.Bool("pass-authorization-header", false, "pass the Authorization Header to upstream")
flagSet.Bool("set-authorization-header", false, "set Authorization response headers (useful in Nginx auth_request mode)")
// Authentication bypass switches; every one is off or empty by default.
//
// skip-auth-regex exempts matching request paths from authentication.
// NOTE(review): whether patterns are matched anchored is not visible here.
// Unless the matching code anchors them, write patterns with explicit ^ and $
// so a broad pattern does not exempt more paths than intended.
flagSet.StringSlice("skip-auth-regex", []string{}, "bypass authentication for requests path's that match (may be given multiple times)")

// With the default (false), the headers named in the help text are not
// stripped on bypassed paths, so an upstream that trusts them would see
// client-supplied values on those paths.
flagSet.Bool("skip-auth-strip-headers", false, "strips X-Forwarded-* style authentication headers & Authorization header if they would be set by oauth2-proxy for request paths in --skip-auth-regex")
flagSet.Bool("skip-provider-button", false, "will skip sign-in-page to directly reach the next step: oauth/start")

// Exempts OPTIONS requests (CORS preflight) from authentication; upstreams
// should not perform state-changing work on OPTIONS.
flagSet.Bool("skip-auth-preflight", false, "will skip authentication for OPTIONS requests")
// TLS certificate validation toward the identity provider and toward
// upstreams. Both switches default to false, i.e. validation stays on.
// Enabling either one removes server authentication on that leg, so a party
// on the network path can impersonate the provider or the upstream.
flagSet.Bool("ssl-insecure-skip-verify", false, "skip validation of certificates presented when using HTTPS providers")
flagSet.Bool("ssl-upstream-insecure-skip-verify", false, "skip validation of certificates presented when using HTTPS upstreams")

// Default flush period for streamed responses is one second.
flagSet.Duration("flush-interval", time.Second, "period between response flushing when streaming responses")
// JWT bearer handling. Off by default. When it is enabled, each entry in
// extra-jwt-issuers is an issuer=audience pair, and every listed issuer
// becomes an additional party whose tokens are accepted.
// NOTE(review): signature, audience and expiry checks live in code outside
// this listing. Confirm them before relying on "verified" in the help text.
flagSet.Bool("skip-jwt-bearer-tokens", false, "will skip requests that have verified JWT bearer tokens (default false)")
flagSet.StringSlice("extra-jwt-issuers", []string{}, "if skip-jwt-bearer-tokens is set, a list of extra JWT issuer=audience pairs (where the issuer URL has a .well-known/openid-configuration or a .well-known/jwks.json)")
// email-domain restricts which authenticated e-mail addresses are admitted.
// A value of * admits any address the provider vouches for, which leaves the
// provider-specific restrictions as the only remaining gate.
flagSet.StringSlice("email-domain", []string{}, "authenticate emails with the specified domain (may be given multiple times). Use * to authenticate any email")

// whitelist-domain limits post-login redirect targets. A leading dot admits
// every subdomain, so list only domains whose subdomains are all under your
// control.
flagSet.StringSlice("whitelist-domain", []string{}, "allowed domains for redirection after authentication. Prefix domain with a . to allow subdomains (eg .example.com)")
// Provider-specific login restrictions. Every restriction defaults to the
// empty string.
// NOTE(review): presumably an empty value means "no restriction of this kind".
// Confirm in the provider code, which is not part of this listing.
flagSet.String("keycloak-group", "", "restrict login to members of this group.")

// The default "common" endpoint is tenant-independent per the help text;
// set a specific tenant to pin logins to one directory.
flagSet.String("azure-tenant", "common", "go to a tenant-specific or common (tenant-independent) endpoint.")
flagSet.String("bitbucket-team", "", "restrict logins to members of this team")
flagSet.String("bitbucket-repository", "", "restrict logins to user with access to this repository")
flagSet.String("github-org", "", "restrict logins to members of this organisation")
flagSet.String("github-team", "", "restrict logins to members of this team")
flagSet.String("github-repo", "", "restrict logins to collaborators of this repository")

// github-token is a credential with push access to the repository (per the
// help text) and is taken from a flag value, which is typically visible in
// the process list.
flagSet.String("github-token", "", "the token to use when verifying repository collaborators (must have push access to the repository)")

// github-user is an explicit exception list: these accounts are admitted
// even when they fail the org/team/collaborator checks above.
flagSet.StringSlice("github-user", []string{}, "allow users with these usernames to login even if they do not belong to the specified org and team or collaborators (may be given multiple times)")
// File-based credentials and allow-lists. These paths hold secrets or
// authorisation data, so the files should be readable only by the account
// that runs the proxy.
flagSet.String("client-secret-file", "", "the file with OAuth Client Secret")
flagSet.String("authenticated-emails-file", "", "authenticate against emails via file (one per line)")

// The help text says "encryption", but both htpasswd formats are password
// hashes. "htpasswd -s" produces unsalted SHA-1, which is cheap to brute-force
// if the file leaks; "htpasswd -B" (bcrypt) is the stronger of the two.
flagSet.String("htpasswd-file", "", "additionally authenticate against a htpasswd file. Entries must be created with \"htpasswd -s\" for SHA encryption or \"htpasswd -B\" for bcrypt encryption")
flagSet.Bool("display-htpasswd-form", true, "display username / password login form if an htpasswd file is provided")
// Sign-in page customisation and URL layout.
// NOTE(review): how the banner and footer strings are rendered (escaped text
// or raw HTML) is decided in the template code, which is not shown here.
// Treat both values and the templates directory as operator-controlled input
// only.
flagSet.String("custom-templates-dir", "", "path to custom html templates")
flagSet.String("banner", "", "custom banner string. Use \"-\" to disable default banner.")
flagSet.String("footer", "", "custom footer string. Use \"-\" to disable default footer.")

// Paths under proxy-prefix belong to the proxy itself; ping-path is the
// health-check endpoint.
flagSet.String("proxy-prefix", "/oauth2", "the url root path that this proxy should be nested under (e.g. /<oauth2>/sign_in)")
flagSet.String("ping-path", "/ping", "the ping endpoint that can be used for basic health checks")
// Redis session storage. The store holds session data, so the connection to
// it deserves the same protection as the sessions themselves.
flagSet.String("redis-connection-url", "", "URL of redis server for redis session storage (eg: redis://HOST[:PORT])")
flagSet.Bool("redis-use-sentinel", false, "Connect to redis via sentinels. Must set --redis-sentinel-master-name and --redis-sentinel-connection-urls to use this feature")
flagSet.String("redis-sentinel-master-name", "", "Redis sentinel master name. Used in conjunction with --redis-use-sentinel")

// redis-ca-path supplies a custom CA for the Redis connection. The skip-verify
// switch below defaults to false; turning it on disables server certificate
// checks, so prefer a CA path over skip-verify for a private CA.
flagSet.String("redis-ca-path", "", "Redis custom CA path")
flagSet.Bool("redis-insecure-skip-tls-verify", false, "Use insecure TLS connection to redis")
flagSet.StringSlice("redis-sentinel-connection-urls", []string{}, "List of Redis sentinel connection URLs (eg redis://HOST[:PORT]). Used in conjunction with --redis-use-sentinel")
flagSet.Bool("redis-use-cluster", false, "Connect to redis cluster. Must set --redis-cluster-connection-urls to use this feature")
flagSet.StringSlice("redis-cluster-connection-urls", []string{}, "List of Redis cluster connection URLs (eg redis://HOST[:PORT]). Used in conjunction with --redis-use-cluster")
// Provider trust anchors. When provider-ca-file is empty, the default Go
// trust sources are used (per the help text).
flagSet.StringSlice("provider-ca-file", []string{}, "One or more paths to CA certificates that should be used when connecting to the provider. If not specified, the default Go trust sources are used instead.")

// JWT signing key for login.gov. jwt-key takes the PEM private key itself as
// the flag value. Even when the shell expands it from an environment variable,
// as the help text suggests, the key ends up in the process arguments.
// jwt-key-file keeps the key on disk, where file permissions can protect it.
flagSet.String("jwt-key", "", "private key in PEM format used to sign JWT, so that you can say something like -jwt-key=\"${OAUTH2_PROXY_JWT_KEY}\": required by login.gov")
flagSet.String("jwt-key-file", "", "path to the private key file in PEM format used to sign the JWT so that you can say something like -jwt-key-file=/etc/ssl/private/jwt_signing_key.pem: required by login.gov")
flagSet.String("pubjwk-url", "", "JWK pubkey access endpoint: required by login.gov")