oauth2-proxy/contrib/local-environment/oauth2-proxy-traefik.cfg

http_address="0.0.0.0:4180"
cookie_secret="OQINaROshtE9TcZkNAm-5Zs2Pv3xaWytBmc5W7sPX7w="
provider="oidc"
email_domains=["example.com"]
oidc_issuer_url="http://dex.localhost:5556/dex"
client_secret="b2F1dGgyLXByb3h5LWNsaWVudC1zZWNyZXQK"
client_id="oauth2-proxy"
cookie_secure="false"

redirect_url="http://oauth2-proxy.oauth2-proxy.localhost/oauth2/callback"
cookie_domains=".oauth2-proxy.localhost" # Required so cookie can be read on all subdomains.
whitelist_domains=".oauth2-proxy.localhost" # Required to allow redirection back to original requested target.

# Mandatory option when using oauth2-proxy with traefik
reverse_proxy="true"
# Required for traefik with ForwardAuth and static upstream configuration
upstreams="static://202"
# The following option skip the page requesting the user
# to click on a button to be redirected to the identity provider
# It can be activated only when traefik is not configure with
# the error redirection middleware as this example.
skip_provider_button="true"
Add example local environment with traefik (#1091) * Add example with traefik and keycloak * Switch to dex * Remove unneeded change in keycloak settings * Taken into account review comments * Add changelog entry Co-authored-by: Frédéric Collonval <frederic.collonval@ariadnext.com> Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk> 2021-03-22 14:55:25 +01:00			`http_address="0.0.0.0:4180"`
			`cookie_secret="OQINaROshtE9TcZkNAm-5Zs2Pv3xaWytBmc5W7sPX7w="`
			`provider="oidc"`
			`email_domains=["example.com"]`
Fix local-environment ports (#3136) * Change Dex port in local-environment from 4190 to 5556 Port 4190 is blocked by standards-compliant browsers (e.g. Firefox), as per https://fetch.spec.whatwg.org/#port-blocking. Port 5556 is used by Dex in its example config files: https://github.com/dexidp/dex/blob/745e1114f341e849f3b0edde45b39c14017deaf8/examples/config-dev.yaml#L50 * Fix upstream in local-environment/oauth2-proxy.cfg http://httpbin.localtest.me:8080 is only exposed to the host, not to httpbin Docker network. Causes Bad Gateway before. * Do not expose unauthenticated httpbin service in local-environment This defeats the point of having oauth2-proxy. It has already been misleading by causing the bug fixed in cafc6af48fc38f6fe4395fb0c7e2638bc84e6091. It serves as a bad example: users might accidentally expose the service they're trying to protect in the first place. * Remove unnecessary httpbin.localtest.me alias from local-environment 2025-07-20 21:32:50 +03:00			`oidc_issuer_url="http://dex.localhost:5556/dex"`
Add example local environment with traefik (#1091) * Add example with traefik and keycloak * Switch to dex * Remove unneeded change in keycloak settings * Taken into account review comments * Add changelog entry Co-authored-by: Frédéric Collonval <frederic.collonval@ariadnext.com> Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk> 2021-03-22 14:55:25 +01:00			`client_secret="b2F1dGgyLXByb3h5LWNsaWVudC1zZWNyZXQK"`
			`client_id="oauth2-proxy"`
			`cookie_secure="false"`

			`redirect_url="http://oauth2-proxy.oauth2-proxy.localhost/oauth2/callback"`
			`cookie_domains=".oauth2-proxy.localhost" # Required so cookie can be read on all subdomains.`
			`whitelist_domains=".oauth2-proxy.localhost" # Required to allow redirection back to original requested target.`

			`# Mandatory option when using oauth2-proxy with traefik`
			`reverse_proxy="true"`
Fix local-environment ports (#3136) * Change Dex port in local-environment from 4190 to 5556 Port 4190 is blocked by standards-compliant browsers (e.g. Firefox), as per https://fetch.spec.whatwg.org/#port-blocking. Port 5556 is used by Dex in its example config files: https://github.com/dexidp/dex/blob/745e1114f341e849f3b0edde45b39c14017deaf8/examples/config-dev.yaml#L50 * Fix upstream in local-environment/oauth2-proxy.cfg http://httpbin.localtest.me:8080 is only exposed to the host, not to httpbin Docker network. Causes Bad Gateway before. * Do not expose unauthenticated httpbin service in local-environment This defeats the point of having oauth2-proxy. It has already been misleading by causing the bug fixed in cafc6af48fc38f6fe4395fb0c7e2638bc84e6091. It serves as a bad example: users might accidentally expose the service they're trying to protect in the first place. * Remove unnecessary httpbin.localtest.me alias from local-environment 2025-07-20 21:32:50 +03:00			`# Required for traefik with ForwardAuth and static upstream configuration`
Add example local environment with traefik (#1091) * Add example with traefik and keycloak * Switch to dex * Remove unneeded change in keycloak settings * Taken into account review comments * Add changelog entry Co-authored-by: Frédéric Collonval <frederic.collonval@ariadnext.com> Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk> 2021-03-22 14:55:25 +01:00			`upstreams="static://202"`
			`# The following option skip the page requesting the user`
			`# to click on a button to be redirected to the identity provider`
			`# It can be activated only when traefik is not configure with`
			`# the error redirection middleware as this example.`
			`skip_provider_button="true"`