Add nginx test environment to demonstrate protecting multiple subdomains

Makefile

@@ -88,6 +88,11 @@ validate-go-version:
 	fi
 
 # local-env can be used to interact with the local development environment
+# eg:
+#    make local-env-up 					# Bring up a basic test environment
+#    make local-env-down 				# Tear down the basic test environment
+#    make local-env-nginx-up 		# Bring up an nginx based test environment
+#    make local-env-nginx-down 	# Tead down the nginx based test environment
 .PHONY: local-env-%
 local-env-%:
 	make -C contrib/local-environment $*

contrib/local-environment/Makefile

@@ -5,3 +5,11 @@ up:
 .PHONY: %
 %:
 	docker-compose $*
+
+.PHONY: nginx-up
+nginx-up:
+	docker-compose -f docker-compose.yaml -f docker-compose-nginx.yaml up -d
+
+.PHONY: nginx-%
+nginx-%:
+	docker-compose -f docker-compose.yaml -f docker-compose-nginx.yaml $*

contrib/local-environment/dex.yaml

@@ -18,7 +18,9 @@ expiry:
 staticClients:
 - id: oauth2-proxy
   redirectURIs:
-  - 'http://localhost:4180/oauth2/callback'
+  # These redirect URIs point to the `--redirect-url` for OAuth2 proxy.
+  - 'http://localhost:4180/oauth2/callback' # For basic proxy example.
+  - 'http://oauth2-proxy.oauth2-proxy.localhost/oauth2/callback' # For nginx example.
   name: 'OAuth2 Proxy'
   secret: b2F1dGgyLXByb3h5LWNsaWVudC1zZWNyZXQK
 enablePasswordDB: true

contrib/local-environment/docker-compose-nginx.yaml

@@ -0,0 +1,43 @@
+# This docker-compose file can be used to bring up an example instance of oauth2-proxy
+# for manual testing and exploration of features.
+# Alongside OAuth2-Proxy, this file also starts Dex to act as the identity provider,
+# etcd for storage for Dex, nginx as a reverse proxy and other http services for upstreams
+#
+# This file is an extension of the main compose file and must be used with it
+#    docker-compose -f docker-compose.yaml -f docker-compose-nginx.yaml <command>
+# Alternatively:
+#    make nginx-<command> (eg make nginx-up, make nginx-down)
+#
+# Access one of the following URLs to initiate a login flow:
+#    - http://oauth2-proxy.localhost
+#    - http://httpbin.oauth2-proxy.localhost
+#
+# The OAuth2 Proxy itself is hosted at http://oauth2-proxy.oauth2-proxy.localhost
+#
+# Note, the above URLs should work with Chrome, but you may need to add hosts
+# entries for other browsers
+#    127.0.0.1 oauth2-proxy.localhost
+#    127.0.0.1 httpbin.oauth2-proxy.localhost
+#    127.0.0.1 oauth2-proxy.oauth2-proxy.localhost
+version: '3.0'
+services:
+  oauth2-proxy:
+    ports: []
+    hostname: oauth2-proxy
+    volumes:
+      - "./oauth2-proxy-nginx.cfg:/oauth2-proxy.cfg"
+    networks:
+      oauth2-proxy: {}
+  nginx:
+    container_name: nginx
+    image: nginx:1.18
+    ports:
+      - 80:80/tcp
+    hostname: nginx
+    volumes:
+      - "./nginx.conf:/etc/nginx/conf.d/default.conf"
+    networks:
+      oauth2-proxy: {}
+      httpbin: {}
+networks:
+  oauth2-proxy: {}

contrib/local-environment/nginx.conf

@@ -0,0 +1,84 @@
+# Reverse proxy to oauth2-proxy
+server {
+  listen       80;
+  server_name  oauth2-proxy.oauth2-proxy.localhost;
+
+  location / {
+    proxy_set_header Host       $host;
+    proxy_set_header X-Real-IP  $remote_addr;
+
+    proxy_pass http://oauth2-proxy:4180/;
+  }
+}
+
+# Reverse proxy to httpbin
+server {
+  listen      80;
+  server_name httpbin.oauth2-proxy.localhost;
+
+  auth_request /internal-auth/oauth2/auth;
+
+  # If the auth_request denies the request (401), redirect to the sign_in page
+  # and include the final rd URL back to the user's original request.
+  error_page 401 = http://oauth2-proxy.oauth2-proxy.localhost/oauth2/sign_in?rd=$scheme://$host$request_uri;
+
+  # Alternatively send the request to `start` to skip the provider button
+  # error_page 401 = http://oauth2-proxy.oauth2-proxy.localhost/oauth2/start?rd=$scheme://$host$request_uri;
+
+  location / {
+    proxy_pass http://httpbin/;
+  }
+
+  # auth_request must be a URI so this allows an internal path to then proxy to
+  # the real auth_request path.
+  # The trailing /'s are required so that nginx strips the prefix before proxying.
+  location /internal-auth/ {
+    internal; # Ensure external users can't access this path
+
+    # Make sure the OAuth2 Proxy knows where the original request came from.
+    proxy_set_header Host       $host;
+    proxy_set_header X-Real-IP  $remote_addr;
+
+    proxy_pass http://oauth2-proxy:4180/;
+  }
+}
+
+# Statically serve the nginx welcome
+server {
+  listen       80;
+  server_name  oauth2-proxy.localhost;
+
+  location / {
+    auth_request /internal-auth/oauth2/auth;
+
+    # If the auth_request denies the request (401), redirect to the sign_in page
+    # and include the final rd URL back to the user's original request.
+    error_page 401 = http://oauth2-proxy.oauth2-proxy.localhost/oauth2/sign_in?rd=$scheme://$host$request_uri;
+
+    # Alternatively send the request to `start` to skip the provider button
+    # error_page 401 = http://oauth2-proxy.oauth2-proxy.localhost/oauth2/start?rd=$scheme://$host$request_uri;
+
+
+    root   /usr/share/nginx/html;
+    index  index.html index.htm;
+  }
+
+  # redirect server error pages to the static page /50x.html
+  error_page   500 502 503 504  /50x.html;
+  location = /50x.html {
+    root   /usr/share/nginx/html;
+  }
+
+  # auth_request must be a URI so this allows an internal path to then proxy to
+  # the real auth_request path.
+  # The trailing /'s are required so that nginx strips the prefix before proxying.
+  location /internal-auth/ {
+    internal; # Ensure external users can't access this path
+
+    # Make sure the OAuth2 Proxy knows where the original request came from.
+    proxy_set_header Host       $host;
+    proxy_set_header X-Real-IP  $remote_addr;
+
+    proxy_pass http://oauth2-proxy:4180/;
+  }
+}

contrib/local-environment/oauth2-proxy-nginx.cfg

@@ -0,0 +1,12 @@
+http_address="0.0.0.0:4180"
+cookie_secret="OQINaROshtE9TcZkNAm-5Zs2Pv3xaWytBmc5W7sPX7w="
+provider="oidc"
+email_domains="example.com"
+oidc_issuer_url="http://dex.localhost:4190/dex"
+client_secret="b2F1dGgyLXByb3h5LWNsaWVudC1zZWNyZXQK"
+client_id="oauth2-proxy"
+cookie_secure="false"
+
+redirect_url="http://oauth2-proxy.oauth2-proxy.localhost/oauth2/callback"
+cookie_domain=".oauth2-proxy.localhost" # Required so cookie can be read on all subdomains.
+whitelist_domains=".oauth2-proxy.localhost" # Required to allow redirection back to original requested target.

contrib/local-environment/oauth2-proxy.cfg

@@ -1,5 +1,4 @@
 http_address="0.0.0.0:4180"
-redirect_url="http://localhost:4180/oauth2/callback"
 cookie_secret="OQINaROshtE9TcZkNAm-5Zs2Pv3xaWytBmc5W7sPX7w="
 provider="oidc"
 email_domains="example.com"
@@ -7,4 +6,6 @@ oidc_issuer_url="http://dex.localhost:4190/dex"
 client_secret="b2F1dGgyLXByb3h5LWNsaWVudC1zZWNyZXQK"
 client_id="oauth2-proxy"
 cookie_secure="false"
+
+redirect_url="http://localhost:4180/oauth2/callback"
 upstreams="http://httpbin"