## SSL Configuration
There are two recommended configurations.
1. Configure SSL Termination with OAuth2 Proxy by providing a `--tls-cert=/path/to/cert.pem` and `--tls-key=/path/to/cert.key`.
The command line to run `oauth2_proxy` in this configuration would look like this:
```sh
./oauth2_proxy \
   --email-domain="yourcompany.com" \
   --upstream= \
   --tls-cert=/path/to/cert.pem \
   --tls-key=/path/to/cert.key \
   --cookie-secret=... \
   --cookie-secure=true \
   --provider=... \
   --client-id=... \
   --client-secret=...
```
2. Configure SSL Termination with [Nginx](http://nginx.org/) (example config below), Amazon ELB, Google Cloud Platform Load Balancing, or ....
Because `oauth2_proxy` listens on `` by default, to listen on all interfaces (needed when using an external load balancer) set `--http-address=""`.

Nginx will listen on port `443` and handle SSL connections while proxying to `oauth2_proxy` on port `4180`. The external endpoint for this example would be `https://internal.yourcompany.com/`.

The example Nginx config below also sets a `Strict-Transport-Security` header so that browsers keep using SSL via [HSTS](http://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security):
```nginx
server {
    listen 443 default ssl;
    server_name internal.yourcompany.com;
    ssl_certificate /path/to/cert.pem;
    ssl_certificate_key /path/to/cert.key;
    add_header Strict-Transport-Security max-age=2592000;

    location / {
        proxy_pass;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Scheme $scheme;
        proxy_connect_timeout 1;
        proxy_send_timeout 30;
        proxy_read_timeout 30;
    }
}
```

The command line to run `oauth2_proxy` behind Nginx would then look like this:
```sh
./oauth2_proxy \
   --email-domain="yourcompany.com" \
   --upstream= \
   --cookie-secret=... \
   --cookie-secure=true \
   --provider=... \
   --client-id=... \
   --client-secret=...
```
## Endpoint Documentation
OAuth2 Proxy responds directly to the following endpoints. All other endpoints will be proxied upstream when authenticated. The `/oauth2` prefix can be changed with the `--proxy-prefix` config variable.
- /robots.txt - returns a 200 OK response that disallows all User-agents from all paths; see [robotstxt.org](http://www.robotstxt.org/) for more info
- /ping - returns a 200 OK response, which is intended for use with health checks
- /oauth2/sign_in - the login page, which also doubles as a sign out page (it clears cookies)
- /oauth2/start - a URL that will redirect to start the OAuth cycle
- /oauth2/callback - the URL used at the end of the OAuth cycle. The OAuth app will be configured with this as the callback URL.
- /oauth2/auth - only returns a 202 Accepted response or a 401 Unauthorized response; for use with the [Nginx `auth_request` directive](#nginx-auth-request)
## Request signatures
If `signature_key` is defined, proxied requests will be signed with an HMAC of selected request information and the request body ([see `SIGNATURE_HEADERS` in `oauthproxy.go`](./oauthproxy.go)).

For more information about HMAC request signature validation, read the following:
- [Amazon Web Services: Signing and Authenticating REST Requests](https://docs.aws.amazon.com/AmazonS3/latest/dev/RESTAuthentication.html)
- [rc3.org: Using HMAC to authenticate Web service requests](http://rc3.org/2011/12/02/using-hmac-to-authenticate-web-service-requests/)
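As an added example that is not the project's own code: a Go sketch of the scheme described above, with the proxy computing an HMAC over selected headers and the body, and the upstream recomputing it and comparing in constant time. The header name `X-Example-Signature`, the header list `SignedHeaders` and the HMAC-SHA256 canonical form are assumptions for this example; the real header set lives in `SIGNATURE_HEADERS` in `oauthproxy.go`.

```go
package main

import (
	"bytes"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"io"
	"net/http"
)

// Assumed names for this example: the header that carries the signature and the
// request headers folded into it (the project's own list is SIGNATURE_HEADERS).
const SignatureHeader = "X-Example-Signature"

var SignedHeaders = []string{"Content-Type", "Date", "X-Forwarded-User", "X-Forwarded-Email"}

// Signature returns the hex HMAC-SHA256 over method, path+query, the selected headers
// and the body. The body is read and then restored so the request can still be proxied.
// Absent headers contribute an empty value, so adding one later still changes the MAC.
func Signature(key []byte, r *http.Request) (string, error) {
	body, err := io.ReadAll(r.Body)
	if err != nil {
		return "", err
	}
	r.Body = io.NopCloser(bytes.NewReader(body))
	mac := hmac.New(sha256.New, key)
	io.WriteString(mac, r.Method+"\n"+r.URL.RequestURI()+"\n")
	for _, h := range SignedHeaders {
		io.WriteString(mac, h+":"+r.Header.Get(h)+"\n")
	}
	mac.Write(body)
	return hex.EncodeToString(mac.Sum(nil)), nil
}

// Verify (upstream side) recomputes the signature and compares it in constant time;
// a missing header fails closed. The proxy side sets SignatureHeader to Signature().
func Verify(key []byte, r *http.Request) (bool, error) {
	want, err := Signature(key, r)
	if err != nil {
		return false, err
	}
	got := r.Header.Get(SignatureHeader)
	return got != "" && hmac.Equal([]byte(got), []byte(want)), nil
}
```

The upstream must verify against the headers exactly as it receives them, so any header rewriting between proxy and upstream (another reverse proxy, for instance) has to happen before signing or the two canonical strings will differ.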