From afef9c758893ab16cdc9e8ebbaf57009409e208d Mon Sep 17 00:00:00 2001
From: Joel Speed
Date: Thu, 7 May 2020 22:59:43 +0100
Subject: [PATCH] Add nginx test environment to demonstrate protecting multiple subdomains
---
 Makefile | 5 ++
 contrib/local-environment/Makefile | 8 ++
 contrib/local-environment/dex.yaml | 4 +-
 .../docker-compose-nginx.yaml | 43 ++++++++++
 contrib/local-environment/nginx.conf | 84 +++++++++++++++++++
 .../local-environment/oauth2-proxy-nginx.cfg | 12 +++
 contrib/local-environment/oauth2-proxy.cfg | 3 +-
 7 files changed, 157 insertions(+), 2 deletions(-)
 create mode 100644 contrib/local-environment/docker-compose-nginx.yaml
 create mode 100644 contrib/local-environment/nginx.conf
 create mode 100644 contrib/local-environment/oauth2-proxy-nginx.cfg
diff --git a/Makefile b/Makefile
index a2712ff4..ba58b354 100644
--- a/Makefile
+++ b/Makefile
@@ -88,6 +88,11 @@ validate-go-version:
 	fi
 
 # local-env can be used to interact with the local development environment
+# eg:
+# make local-env-up # Bring up a basic test environment
+# make local-env-down # Tear down the basic test environment
+# make local-env-nginx-up # Bring up an nginx based test environment
+# make local-env-nginx-down # Tead down the nginx based test environment
 .PHONY: local-env-%
 local-env-%:
 	make -C contrib/local-environment $*
diff --git a/contrib/local-environment/Makefile b/contrib/local-environment/Makefile
index 3b26b68d..0cfeaa66 100644
--- a/contrib/local-environment/Makefile
+++ b/contrib/local-environment/Makefile
@@ -5,3 +5,11 @@ up:
 .PHONY: %
 %:
 	docker-compose $*
+
+.PHONY: nginx-up
+nginx-up:
+	docker-compose -f docker-compose.yaml -f docker-compose-nginx.yaml up -d
+
+.PHONY: nginx-%
+nginx-%:
+	docker-compose -f docker-compose.yaml -f docker-compose-nginx.yaml $*
diff --git a/contrib/local-environment/dex.yaml b/contrib/local-environment/dex.yaml
index 34946304..40a8bed0 100644
--- a/contrib/local-environment/dex.yaml
+++ b/contrib/local-environment/dex.yaml
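Review bot: The comment block added below `# local-env can be used to interact with the local development environment` carries a typo in its last line, `Tead down`; it should read `# make local-env-nginx-down # Tear down the nginx based test environment`. The other four example lines read fine, and padding the trailing `#` explanations to a common column would make the list easier to scan.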
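Review bot: The new `nginx-%` pattern rule sits beside the existing `%:` catch-all, so a goal such as `nginx-down` matches both patterns and the file does not say which one is meant to win. As I understand GNU make, the rule with the shortest stem is chosen (`nginx-%` here), but that selection rule only applies from make 3.82 onward, and on older versions the first-declared `%:` rule would run `docker-compose nginx-down` instead. A one-line comment above `.PHONY: nginx-%` such as `# Preferred over the generic %: rule because its stem is shorter (GNU make >= 3.82)` would make the dependency explicit. `nginx-up` is an explicit rule and takes precedence regardless, mirroring the existing `up:` target whose body starts outside the hunk.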
@@ -18,7 +18,9 @@ expiry:
 staticClients:
 - id: oauth2-proxy
   redirectURIs:
-  - 'http://localhost:4180/oauth2/callback'
+  # These redirect URIs point to the `--redirect-url` for OAuth2 proxy.
+  - 'http://localhost:4180/oauth2/callback' # For basic proxy example.
+  - 'http://oauth2-proxy.oauth2-proxy.localhost/oauth2/callback' # For nginx example.
   name: 'OAuth2 Proxy'
   secret: b2F1dGgyLXByb3h5LWNsaWVudC1zZWNyZXQK
 enablePasswordDB: true
diff --git a/contrib/local-environment/docker-compose-nginx.yaml b/contrib/local-environment/docker-compose-nginx.yaml
new file mode 100644
index 00000000..af6c587b
--- /dev/null
+++ b/contrib/local-environment/docker-compose-nginx.yaml
@@ -0,0 +1,43 @@
+# This docker-compose file can be used to bring up an example instance of oauth2-proxy
+# for manual testing and exploration of features.
+# Alongside OAuth2-Proxy, this file also starts Dex to act as the identity provider,
+# etcd for storage for Dex, nginx as a reverse proxy and other http services for upstreams
+#
+# This file is an extension of the main compose file and must be used with it
+# docker-compose -f docker-compose.yaml -f docker-compose-nginx.yaml
+# Alternatively:
+# make nginx- (eg make nginx-up, make nginx-down)
+#
+# Access one of the following URLs to initiate a login flow:
+# - http://oauth2-proxy.localhost
+# - http://httpbin.oauth2-proxy.localhost
+#
+# The OAuth2 Proxy itself is hosted at http://oauth2-proxy.oauth2-proxy.localhost
+#
+# Note, the above URLs should work with Chrome, but you may need to add hosts
+# entries for other browsers
+# 127.0.0.1 oauth2-proxy.localhost
+# 127.0.0.1 httpbin.oauth2-proxy.localhost
+# 127.0.0.1 oauth2-proxy.oauth2-proxy.localhost
+version: '3.0'
+services:
+  oauth2-proxy:
+    ports: []
+    hostname: oauth2-proxy
+    volumes:
+      - "./oauth2-proxy-nginx.cfg:/oauth2-proxy.cfg"
+    networks:
+      oauth2-proxy: {}
+  nginx:
+    container_name: nginx
+    image: nginx:1.18
+    ports:
+      - 80:80/tcp
+    hostname: nginx
+    volumes:
+      - "./nginx.conf:/etc/nginx/conf.d/default.conf"
+    networks:
+      oauth2-proxy: {}
+      httpbin: {}
+networks:
+  oauth2-proxy: {}
diff --git a/contrib/local-environment/nginx.conf b/contrib/local-environment/nginx.conf
new file mode 100644
index 00000000..877c213e
--- /dev/null
+++ b/contrib/local-environment/nginx.conf
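Review bot: `ports: []` on the `oauth2-proxy` service does not un-publish whatever the base `docker-compose.yaml` maps for that service, because Compose concatenates `ports` lists across override files rather than replacing them; if the base file publishes 4180, the proxy stays reachable directly on the host even though the header comment presents it as hosted behind nginx. Either drop the key or replace it with a comment stating that the base mapping is intentionally kept. Separately, `- 80:80/tcp` on `nginx` binds every host interface while all the documented hostnames resolve to loopback, so `- 127.0.0.1:80:80/tcp` keeps this plain-HTTP, static-secret test stack off the LAN at no cost. The `httpbin` network that nginx joins is presumably declared in the base file, which is outside this patch.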
@@ -0,0 +1,84 @@
+# Reverse proxy to oauth2-proxy
+server {
+    listen 80;
+    server_name oauth2-proxy.oauth2-proxy.localhost;
+
+    location / {
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+
+        proxy_pass http://oauth2-proxy:4180/;
+    }
+}
+
+# Reverse proxy to httpbin
+server {
+    listen 80;
+    server_name httpbin.oauth2-proxy.localhost;
+
+    auth_request /internal-auth/oauth2/auth;
+
+    # If the auth_request denies the request (401), redirect to the sign_in page
+    # and include the final rd URL back to the user's original request.
+    error_page 401 = http://oauth2-proxy.oauth2-proxy.localhost/oauth2/sign_in?rd=$scheme://$host$request_uri;
+
+    # Alternatively send the request to `start` to skip the provider button
+    # error_page 401 = http://oauth2-proxy.oauth2-proxy.localhost/oauth2/start?rd=$scheme://$host$request_uri;
+
+    location / {
+        proxy_pass http://httpbin/;
+    }
+
+    # auth_request must be a URI so this allows an internal path to then proxy to
+    # the real auth_request path.
+    # The trailing /'s are required so that nginx strips the prefix before proxying.
+    location /internal-auth/ {
+        internal; # Ensure external users can't access this path
+
+        # Make sure the OAuth2 Proxy knows where the original request came from.
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+
+        proxy_pass http://oauth2-proxy:4180/;
+    }
+}
+
+# Statically serve the nginx welcome
+server {
+    listen 80;
+    server_name oauth2-proxy.localhost;
+
+    location / {
+        auth_request /internal-auth/oauth2/auth;
+
+        # If the auth_request denies the request (401), redirect to the sign_in page
+        # and include the final rd URL back to the user's original request.
+        error_page 401 = http://oauth2-proxy.oauth2-proxy.localhost/oauth2/sign_in?rd=$scheme://$host$request_uri;
+
+        # Alternatively send the request to `start` to skip the provider button
+        # error_page 401 = http://oauth2-proxy.oauth2-proxy.localhost/oauth2/start?rd=$scheme://$host$request_uri;
+
+
+        root /usr/share/nginx/html;
+        index index.html index.htm;
+    }
+
+    # redirect server error pages to the static page /50x.html
+    error_page 500 502 503 504 /50x.html;
+    location = /50x.html {
+        root /usr/share/nginx/html;
+    }
+
+    # auth_request must be a URI so this allows an internal path to then proxy to
+    # the real auth_request path.
+    # The trailing /'s are required so that nginx strips the prefix before proxying.
+    location /internal-auth/ {
+        internal; # Ensure external users can't access this path
+
+        # Make sure the OAuth2 Proxy knows where the original request came from.
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+
+        proxy_pass http://oauth2-proxy:4180/;
+    }
+}
diff --git a/contrib/local-environment/oauth2-proxy-nginx.cfg b/contrib/local-environment/oauth2-proxy-nginx.cfg
new file mode 100644
index 00000000..6ba5623a
--- /dev/null
+++ b/contrib/local-environment/oauth2-proxy-nginx.cfg
@@ -0,0 +1,12 @@
+http_address="0.0.0.0:4180"
+cookie_secret="OQINaROshtE9TcZkNAm-5Zs2Pv3xaWytBmc5W7sPX7w="
+provider="oidc"
+email_domains="example.com"
+oidc_issuer_url="http://dex.localhost:4190/dex"
+client_secret="b2F1dGgyLXByb3h5LWNsaWVudC1zZWNyZXQK"
+client_id="oauth2-proxy"
+cookie_secure="false"
+
+redirect_url="http://oauth2-proxy.oauth2-proxy.localhost/oauth2/callback"
+cookie_domain=".oauth2-proxy.localhost" # Required so cookie can be read on all subdomains.
+whitelist_domains=".oauth2-proxy.localhost" # Required to allow redirection back to original requested target.
diff --git a/contrib/local-environment/oauth2-proxy.cfg b/contrib/local-environment/oauth2-proxy.cfg
index beb8c900..7ee55d8f 100644
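Review bot: The first `server` block (`server_name oauth2-proxy.oauth2-proxy.localhost`) is also the implicit default server for port 80, so a request whose Host header matches none of the three names, an IP literal for instance, is forwarded to oauth2-proxy instead of being refused. An explicit catch-all placed first, `server { listen 80 default_server; return 444; }`, makes the routing intent visible and stops the protected hosts from depending on declaration order. The `/internal-auth/` location and the `error_page 401` redirect are copied verbatim into both protected server blocks; moving them into a snippet pulled in with `include` would keep the two hosts in sync as the example grows.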
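Review bot: The nginx-fronted configuration never sets `reverse_proxy="true"`, so the `X-Real-IP` header that `nginx.conf` takes care to forward is, as I read oauth2-proxy's behaviour, ignored and the proxy's logs will show the nginx container's address as the client; adding `reverse_proxy="true"` beside `http_address` matches the deployment this file exists for. The comment on `cookie_domain` could also say that a cookie scoped to `.oauth2-proxy.localhost` is forwarded by nginx to every upstream under that domain, including `httpbin`, which echoes request headers back, so the session cookie appears in its responses; acceptable for a demo, but worth stating. `cookie_secret` repeats the value in `oauth2-proxy.cfg` (visible as context in the next hunk), which is fine for a local fixture but should not travel beyond it.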
--- a/contrib/local-environment/oauth2-proxy.cfg
+++ b/contrib/local-environment/oauth2-proxy.cfg
@@ -1,5 +1,4 @@
 http_address="0.0.0.0:4180"
-redirect_url="http://localhost:4180/oauth2/callback"
 cookie_secret="OQINaROshtE9TcZkNAm-5Zs2Pv3xaWytBmc5W7sPX7w="
 provider="oidc"
 email_domains="example.com"
@@ -7,4 +6,6 @@ oidc_issuer_url="http://dex.localhost:4190/dex"
 client_secret="b2F1dGgyLXByb3h5LWNsaWVudC1zZWNyZXQK"
 client_id="oauth2-proxy"
 cookie_secure="false"
+
+redirect_url="http://localhost:4180/oauth2/callback"
 upstreams="http://httpbin"