From bd8bfe021de14d69c8fe3accfb20a9a446d3f28a Mon Sep 17 00:00:00 2001 From: gh-actions Date: Sun, 11 Sep 2022 15:11:11 +0000 Subject: [PATCH] Deploy website - based on 965fab422d6cd30411a6ee85a34532b276284289 --- 404.html | 4 ++-- assets/js/0f425520.33366640.js | 1 + assets/js/0f425520.77916554.js | 1 - .../{runtime~main.c2648406.js => runtime~main.d94296bf.js} | 2 +- blog/archive/index.html | 4 ++-- docs/6.1.x/behaviour/index.html | 4 ++-- docs/6.1.x/community/security/index.html | 4 ++-- docs/6.1.x/configuration/oauth_provider/index.html | 4 ++-- docs/6.1.x/configuration/overview/index.html | 4 ++-- docs/6.1.x/configuration/session_storage/index.html | 4 ++-- docs/6.1.x/configuration/tls/index.html | 4 ++-- docs/6.1.x/features/endpoints/index.html | 4 ++-- docs/6.1.x/features/request_signatures/index.html | 4 ++-- docs/6.1.x/index.html | 4 ++-- docs/7.0.x/behaviour/index.html | 4 ++-- docs/7.0.x/community/security/index.html | 4 ++-- docs/7.0.x/configuration/alpha-config/index.html | 4 ++-- docs/7.0.x/configuration/oauth_provider/index.html | 4 ++-- docs/7.0.x/configuration/overview/index.html | 4 ++-- docs/7.0.x/configuration/session_storage/index.html | 4 ++-- docs/7.0.x/configuration/tls/index.html | 4 ++-- docs/7.0.x/features/endpoints/index.html | 4 ++-- docs/7.0.x/features/request_signatures/index.html | 4 ++-- docs/7.0.x/index.html | 4 ++-- docs/7.1.x/behaviour/index.html | 4 ++-- docs/7.1.x/community/security/index.html | 4 ++-- docs/7.1.x/configuration/alpha-config/index.html | 4 ++-- docs/7.1.x/configuration/oauth_provider/index.html | 4 ++-- docs/7.1.x/configuration/overview/index.html | 4 ++-- docs/7.1.x/configuration/session_storage/index.html | 4 ++-- docs/7.1.x/configuration/tls/index.html | 4 ++-- docs/7.1.x/features/endpoints/index.html | 4 ++-- docs/7.1.x/index.html | 4 ++-- docs/7.2.x/behaviour/index.html | 4 ++-- docs/7.2.x/community/security/index.html | 4 ++-- docs/7.2.x/configuration/alpha-config/index.html | 4 ++-- docs/7.2.x/configuration/oauth_provider/index.html | 4 ++-- docs/7.2.x/configuration/overview/index.html | 4 ++-- docs/7.2.x/configuration/session_storage/index.html | 4 ++-- docs/7.2.x/configuration/tls/index.html | 4 ++-- docs/7.2.x/features/endpoints/index.html | 4 ++-- docs/7.2.x/index.html | 4 ++-- docs/behaviour/index.html | 4 ++-- docs/community/security/index.html | 4 ++-- docs/configuration/alpha-config/index.html | 4 ++-- docs/configuration/oauth_provider/index.html | 4 ++-- docs/configuration/overview/index.html | 4 ++-- docs/configuration/session_storage/index.html | 4 ++-- docs/configuration/tls/index.html | 4 ++-- docs/features/endpoints/index.html | 4 ++-- docs/index.html | 4 ++-- docs/next/behaviour/index.html | 4 ++-- docs/next/community/security/index.html | 4 ++-- docs/next/configuration/alpha-config/index.html | 4 ++-- docs/next/configuration/oauth_provider/index.html | 4 ++-- docs/next/configuration/overview/index.html | 6 +++--- docs/next/configuration/session_storage/index.html | 4 ++-- docs/next/configuration/tls/index.html | 4 ++-- docs/next/features/endpoints/index.html | 4 ++-- docs/next/index.html | 4 ++-- index.html | 4 ++-- 61 files changed, 119 insertions(+), 119 deletions(-) create mode 100644 assets/js/0f425520.33366640.js delete mode 100644 assets/js/0f425520.77916554.js rename assets/js/{runtime~main.c2648406.js => runtime~main.d94296bf.js} (99%) diff --git a/404.html b/404.html index 2a66625c..712618cb 100644 --- a/404.html +++ b/404.html @@ -5,13 +5,13 @@ Page Not Found | OAuth2 Proxy - +
Skip to main content

Page Not Found

We could not find what you were looking for.

Please contact the owner of the site that linked you to the original URL and let them know their link is broken.

Copyright © 2022 OAuth2 Proxy.
- + \ No newline at end of file diff --git a/assets/js/0f425520.33366640.js b/assets/js/0f425520.33366640.js new file mode 100644 index 00000000..3c38a527 --- /dev/null +++ b/assets/js/0f425520.33366640.js @@ -0,0 +1 @@ +"use strict";(self.webpackChunkdocusaurus=self.webpackChunkdocusaurus||[]).push([[7240],{3905:function(t,e,n){n.d(e,{Zo:function(){return s},kt:function(){return k}});var a=n(7294);function r(t,e,n){return e in t?Object.defineProperty(t,e,{value:n,enumerable:!0,configurable:!0,writable:!0}):t[e]=n,t}function l(t,e){var n=Object.keys(t);if(Object.getOwnPropertySymbols){var a=Object.getOwnPropertySymbols(t);e&&(a=a.filter((function(e){return Object.getOwnPropertyDescriptor(t,e).enumerable}))),n.push.apply(n,a)}return n}function i(t){for(var e=1;e=0||(r[n]=t[n]);return r}(t,e);if(Object.getOwnPropertySymbols){var l=Object.getOwnPropertySymbols(t);for(a=0;a=0||Object.prototype.propertyIsEnumerable.call(t,n)&&(r[n]=t[n])}return r}var d=a.createContext({}),p=function(t){var e=a.useContext(d),n=e;return t&&(n="function"==typeof t?t(e):i(i({},e),t)),n},s=function(t){var e=p(t.components);return a.createElement(d.Provider,{value:e},t.children)},m={inlineCode:"code",wrapper:function(t){var e=t.children;return a.createElement(a.Fragment,{},e)}},u=a.forwardRef((function(t,e){var n=t.components,r=t.mdxType,l=t.originalType,d=t.parentName,s=o(t,["components","mdxType","originalType","parentName"]),u=p(n),k=r,g=u["".concat(d,".").concat(k)]||u[k]||m[k]||l;return n?a.createElement(g,i(i({ref:e},s),{},{components:n})):a.createElement(g,i({ref:e},s))}));function k(t,e){var n=arguments,r=e&&e.mdxType;if("string"==typeof t||r){var l=n.length,i=new Array(l);i[0]=u;var o={};for(var d in e)hasOwnProperty.call(e,d)&&(o[d]=e[d]);o.originalType=t,o.mdxType="string"==typeof t?t:r,i[1]=o;for(var p=2;p child <"+("string"==typeof t.type?t.type:t.type.name)+'>: all children of the component should be , and every should have a unique "value" prop.')})),h=null!=u?u:N.map((function(t){var e=t.props;return{value:e.value,label:e.label,attributes:e.attributes}})),c=(0,i.lx)(h,(function(t,e){return t.value===e.value}));if(c.length>0)throw new Error('Docusaurus error: Duplicate values "'+c.map((function(t){return t.value})).join(", ")+'" found in . Every value needs to be unique.');var f=null===m?m:null!=(e=null!=m?m:null==(n=N.find((function(t){return t.props.default})))?void 0:n.props.value)?e:null==(l=N[0])?void 0:l.props.value;if(null!==f&&!h.some((function(t){return t.value===f})))throw new Error('Docusaurus error: The has a defaultValue "'+f+'" but none of its children has the corresponding value. Available values are: '+h.map((function(t){return t.value})).join(", ")+". If you intend to show no default tab, use defaultValue={null} instead.");var b=(0,i.UB)(),y=b.tabGroupChoices,v=b.setTabGroupChoices,C=(0,r.useState)(f),w=C[0],_=C[1],x=[],T=(0,i.o5)().blockElementScrollPositionUntilNextRender;if(null!=k){var q=y[k];null!=q&&q!==w&&h.some((function(t){return t.value===q}))&&_(q)}var S=function(t){var e=t.currentTarget,n=x.indexOf(e),a=h[n].value;a!==w&&(T(e),_(a),null!=k&&v(k,a))},R=function(t){var e,n=null;switch(t.key){case"ArrowRight":var a=x.indexOf(t.currentTarget)+1;n=x[a]||x[0];break;case"ArrowLeft":var r=x.indexOf(t.currentTarget)-1;n=x[r]||x[x.length-1]}null==(e=n)||e.focus()};return r.createElement("div",{className:"tabs-container"},r.createElement("ul",{role:"tablist","aria-orientation":"horizontal",className:(0,o.Z)("tabs",{"tabs--block":s},g)},h.map((function(t){var e=t.value,n=t.label,l=t.attributes;return r.createElement("li",(0,a.Z)({role:"tab",tabIndex:w===e?0:-1,"aria-selected":w===e,key:e,ref:function(t){return x.push(t)},onKeyDown:R,onFocus:S,onClick:S},l,{className:(0,o.Z)("tabs__item",d,null==l?void 0:l.className,{"tabs__item--active":w===e})}),null!=n?n:e)}))),p?(0,r.cloneElement)(N.filter((function(t){return t.props.value===w}))[0],{className:"margin-vert--md"}):r.createElement("div",{className:"margin-vert--md"},N.map((function(t,e){return(0,r.cloneElement)(t,{key:e,hidden:t.props.value!==w})}))))}function s(t){var e=(0,l.Z)();return r.createElement(p,(0,a.Z)({key:String(e)},t))}},4826:function(t,e,n){n.r(e),n.d(e,{frontMatter:function(){return p},contentTitle:function(){return s},metadata:function(){return m},toc:function(){return u},default:function(){return g}});var a=n(7462),r=n(3366),l=(n(7294),n(3905)),i=n(9877),o=n(8215),d=["components"],p={id:"overview",title:"Overview"},s=void 0,m={unversionedId:"configuration/overview",id:"configuration/overview",title:"Overview",description:"oauth2-proxy can be configured via command line options, environment variables or config file (in decreasing order of precedence, i.e. command line options will overwrite environment variables and environment variables will overwrite configuration file settings).",source:"@site/docs/configuration/overview.md",sourceDirName:"configuration",slug:"/configuration/overview",permalink:"/oauth2-proxy/docs/next/configuration/overview",editUrl:"https://github.com/oauth2-proxy/oauth2-proxy/edit/master/docs/docs/configuration/overview.md",tags:[],version:"current",frontMatter:{id:"overview",title:"Overview"},sidebar:"docs",previous:{title:"Behaviour",permalink:"/oauth2-proxy/docs/next/behaviour"},next:{title:"OAuth Provider Configuration",permalink:"/oauth2-proxy/docs/next/configuration/oauth_provider"}},u=[{value:"Generating a Cookie Secret",id:"generating-a-cookie-secret",children:[],level:3},{value:"Config File",id:"config-file",children:[],level:3},{value:"Command Line Options",id:"command-line-options",children:[],level:3},{value:"Upstreams Configuration",id:"upstreams-configuration",children:[],level:3},{value:"Environment variables",id:"environment-variables",children:[],level:3},{value:"Logging Configuration",id:"logging-configuration",children:[{value:"Auth Log Format",id:"auth-log-format",children:[],level:3},{value:"Request Log Format",id:"request-log-format",children:[],level:3},{value:"Standard Log Format",id:"standard-log-format",children:[],level:3}],level:2},{value:"Configuring for use with the Nginx auth_request directive",id:"configuring-for-use-with-the-nginx-auth_request-directive",children:[],level:2},{value:"Configuring for use with the Traefik (v2) ForwardAuth middleware",id:"configuring-for-use-with-the-traefik-v2-forwardauth-middleware",children:[{value:"ForwardAuth with 401 errors middleware",id:"forwardauth-with-401-errors-middleware",children:[],level:3},{value:"ForwardAuth with static upstreams configuration",id:"forwardauth-with-static-upstreams-configuration",children:[],level:3}],level:2}],k={toc:u};function g(t){var e=t.components,n=(0,r.Z)(t,d);return(0,l.kt)("wrapper",(0,a.Z)({},k,n,{components:e,mdxType:"MDXLayout"}),(0,l.kt)("p",null,(0,l.kt)("inlineCode",{parentName:"p"},"oauth2-proxy")," can be configured via ",(0,l.kt)("a",{parentName:"p",href:"#command-line-options"},"command line options"),", ",(0,l.kt)("a",{parentName:"p",href:"#environment-variables"},"environment variables")," or ",(0,l.kt)("a",{parentName:"p",href:"#config-file"},"config file")," (in decreasing order of precedence, i.e. command line options will overwrite environment variables and environment variables will overwrite configuration file settings)."),(0,l.kt)("h3",{id:"generating-a-cookie-secret"},"Generating a Cookie Secret"),(0,l.kt)("p",null,"To generate a strong cookie secret use one of the below commands:"),(0,l.kt)(i.Z,{defaultValue:"python",values:[{label:"Python",value:"python"},{label:"Bash",value:"bash"},{label:"OpenSSL",value:"openssl"},{label:"PowerShell",value:"powershell"},{label:"Terraform",value:"terraform"}],mdxType:"Tabs"},(0,l.kt)(o.Z,{value:"python",mdxType:"TabItem"},(0,l.kt)("pre",null,(0,l.kt)("code",{parentName:"pre",className:"language-shell"},"python -c 'import os,base64; print(base64.urlsafe_b64encode(os.urandom(32)).decode())'\n"))),(0,l.kt)(o.Z,{value:"bash",mdxType:"TabItem"},(0,l.kt)("pre",null,(0,l.kt)("code",{parentName:"pre",className:"language-shell"},"dd if=/dev/urandom bs=32 count=1 2>/dev/null | base64 | tr -d -- '\\n' | tr -- '+/' '-_'; echo\n"))),(0,l.kt)(o.Z,{value:"openssl",mdxType:"TabItem"},(0,l.kt)("pre",null,(0,l.kt)("code",{parentName:"pre",className:"language-shell"},"openssl rand -base64 32 | tr -- '+/' '-_'\n"))),(0,l.kt)(o.Z,{value:"powershell",mdxType:"TabItem"},(0,l.kt)("pre",null,(0,l.kt)("code",{parentName:"pre",className:"language-shell"},'# Add System.Web assembly to session, just in case\nAdd-Type -AssemblyName System.Web\n[Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes([System.Web.Security.Membership]::GeneratePassword(32,4))).Replace("+","-").Replace("/","_")\n'))),(0,l.kt)(o.Z,{value:"terraform",mdxType:"TabItem"},(0,l.kt)("pre",null,(0,l.kt)("code",{parentName:"pre",className:"language-shell"},'# Valid 32 Byte Base64 URL encoding set that will decode to 24 []byte AES-192 secret\nresource "random_password" "cookie_secret" {\n length = 32\n override_special = "-_"\n}\n')))),(0,l.kt)("h3",{id:"config-file"},"Config File"),(0,l.kt)("p",null,"Every command line argument can be specified in a config file by replacing hyphens (-) with underscores (","_","). If the argument can be specified multiple times, the config option should be plural (trailing s)."),(0,l.kt)("p",null,"An example ",(0,l.kt)("a",{parentName:"p",href:"https://github.com/oauth2-proxy/oauth2-proxy/blob/master/contrib/oauth2-proxy.cfg.example"},"oauth2-proxy.cfg")," config file is in the contrib directory. It can be used by specifying ",(0,l.kt)("inlineCode",{parentName:"p"},"--config=/etc/oauth2-proxy.cfg")),(0,l.kt)("h3",{id:"command-line-options"},"Command Line Options"),(0,l.kt)("table",null,(0,l.kt)("thead",{parentName:"table"},(0,l.kt)("tr",{parentName:"thead"},(0,l.kt)("th",{parentName:"tr",align:null},"Option"),(0,l.kt)("th",{parentName:"tr",align:null},"Type"),(0,l.kt)("th",{parentName:"tr",align:null},"Description"),(0,l.kt)("th",{parentName:"tr",align:null},"Default"))),(0,l.kt)("tbody",{parentName:"table"},(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},"--acr-values")),(0,l.kt)("td",{parentName:"tr",align:null},"string"),(0,l.kt)("td",{parentName:"tr",align:null},"optional, see ",(0,l.kt)("a",{parentName:"td",href:"https://openid.net/specs/openid-connect-eap-acr-values-1_0.html#acrValues"},"docs")),(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},'""'))),(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},"--api-route")),(0,l.kt)("td",{parentName:"tr",align:null},"string ","|"," list"),(0,l.kt)("td",{parentName:"tr",align:null},"return HTTP 401 instead of redirecting to authentication server if token is not valid. Format: path_regex"),(0,l.kt)("td",{parentName:"tr",align:null})),(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},"--approval-prompt")),(0,l.kt)("td",{parentName:"tr",align:null},"string"),(0,l.kt)("td",{parentName:"tr",align:null},"OAuth approval_prompt"),(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},'"force"'))),(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},"--auth-logging")),(0,l.kt)("td",{parentName:"tr",align:null},"bool"),(0,l.kt)("td",{parentName:"tr",align:null},"Log authentication attempts"),(0,l.kt)("td",{parentName:"tr",align:null},"true")),(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},"--auth-logging-format")),(0,l.kt)("td",{parentName:"tr",align:null},"string"),(0,l.kt)("td",{parentName:"tr",align:null},"Template for authentication log lines"),(0,l.kt)("td",{parentName:"tr",align:null},"see ",(0,l.kt)("a",{parentName:"td",href:"#logging-configuration"},"Logging Configuration"))),(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},"--authenticated-emails-file")),(0,l.kt)("td",{parentName:"tr",align:null},"string"),(0,l.kt)("td",{parentName:"tr",align:null},"authenticate against emails via file (one per line)"),(0,l.kt)("td",{parentName:"tr",align:null})),(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},"--azure-tenant")),(0,l.kt)("td",{parentName:"tr",align:null},"string"),(0,l.kt)("td",{parentName:"tr",align:null},"go to a tenant-specific or common (tenant-independent) endpoint."),(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},'"common"'))),(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},"--basic-auth-password")),(0,l.kt)("td",{parentName:"tr",align:null},"string"),(0,l.kt)("td",{parentName:"tr",align:null},"the password to set when passing the HTTP Basic Auth header"),(0,l.kt)("td",{parentName:"tr",align:null})),(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},"--client-id")),(0,l.kt)("td",{parentName:"tr",align:null},"string"),(0,l.kt)("td",{parentName:"tr",align:null},"the OAuth Client ID, e.g. ",(0,l.kt)("inlineCode",{parentName:"td"},'"123456.apps.googleusercontent.com"')),(0,l.kt)("td",{parentName:"tr",align:null})),(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},"--client-secret")),(0,l.kt)("td",{parentName:"tr",align:null},"string"),(0,l.kt)("td",{parentName:"tr",align:null},"the OAuth Client Secret"),(0,l.kt)("td",{parentName:"tr",align:null})),(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},"--client-secret-file")),(0,l.kt)("td",{parentName:"tr",align:null},"string"),(0,l.kt)("td",{parentName:"tr",align:null},"the file with OAuth Client Secret"),(0,l.kt)("td",{parentName:"tr",align:null})),(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},"--code-challenge-method")),(0,l.kt)("td",{parentName:"tr",align:null},"string"),(0,l.kt)("td",{parentName:"tr",align:null},"use PKCE code challenges with the specified method. Either 'plain' or 'S256' (recommended)"),(0,l.kt)("td",{parentName:"tr",align:null})),(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},"--config")),(0,l.kt)("td",{parentName:"tr",align:null},"string"),(0,l.kt)("td",{parentName:"tr",align:null},"path to config file"),(0,l.kt)("td",{parentName:"tr",align:null})),(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},"--cookie-domain")),(0,l.kt)("td",{parentName:"tr",align:null},"string ","|"," list"),(0,l.kt)("td",{parentName:"tr",align:null},"Optional cookie domains to force cookies to (e.g. ",(0,l.kt)("inlineCode",{parentName:"td"},".yourcompany.com"),"). The longest domain matching the request's host will be used (or the shortest cookie domain if there is no match)."),(0,l.kt)("td",{parentName:"tr",align:null})),(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},"--cookie-expire")),(0,l.kt)("td",{parentName:"tr",align:null},"duration"),(0,l.kt)("td",{parentName:"tr",align:null},"expire timeframe for cookie"),(0,l.kt)("td",{parentName:"tr",align:null},"168h0m0s")),(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},"--cookie-httponly")),(0,l.kt)("td",{parentName:"tr",align:null},"bool"),(0,l.kt)("td",{parentName:"tr",align:null},"set HttpOnly cookie flag"),(0,l.kt)("td",{parentName:"tr",align:null},"true")),(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},"--cookie-name")),(0,l.kt)("td",{parentName:"tr",align:null},"string"),(0,l.kt)("td",{parentName:"tr",align:null},"the name of the cookie that the oauth_proxy creates. Should be changed to use a ",(0,l.kt)("a",{parentName:"td",href:"https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies#cookie_prefixes"},"cookie prefix")," (",(0,l.kt)("inlineCode",{parentName:"td"},"__Host-")," or ",(0,l.kt)("inlineCode",{parentName:"td"},"__Secure-"),") if ",(0,l.kt)("inlineCode",{parentName:"td"},"--cookie-secure")," is set."),(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},'"_oauth2_proxy"'))),(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},"--cookie-path")),(0,l.kt)("td",{parentName:"tr",align:null},"string"),(0,l.kt)("td",{parentName:"tr",align:null},"an optional cookie path to force cookies to (e.g. ",(0,l.kt)("inlineCode",{parentName:"td"},"/poc/"),")"),(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},'"/"'))),(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},"--cookie-refresh")),(0,l.kt)("td",{parentName:"tr",align:null},"duration"),(0,l.kt)("td",{parentName:"tr",align:null},"refresh the cookie after this duration; ",(0,l.kt)("inlineCode",{parentName:"td"},"0")," to disable; not supported by all providers","\xa0","[",(0,l.kt)("a",{parentName:"td",href:"#footnote1"},"1"),"]"),(0,l.kt)("td",{parentName:"tr",align:null})),(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},"--cookie-secret")),(0,l.kt)("td",{parentName:"tr",align:null},"string"),(0,l.kt)("td",{parentName:"tr",align:null},"the seed string for secure cookies (optionally base64 encoded)"),(0,l.kt)("td",{parentName:"tr",align:null})),(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},"--cookie-secure")),(0,l.kt)("td",{parentName:"tr",align:null},"bool"),(0,l.kt)("td",{parentName:"tr",align:null},"set ",(0,l.kt)("a",{parentName:"td",href:"https://owasp.org/www-community/controls/SecureFlag"},"secure (HTTPS only) cookie flag")),(0,l.kt)("td",{parentName:"tr",align:null},"true")),(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},"--cookie-samesite")),(0,l.kt)("td",{parentName:"tr",align:null},"string"),(0,l.kt)("td",{parentName:"tr",align:null},"set SameSite cookie attribute (",(0,l.kt)("inlineCode",{parentName:"td"},'"lax"'),", ",(0,l.kt)("inlineCode",{parentName:"td"},'"strict"'),", ",(0,l.kt)("inlineCode",{parentName:"td"},'"none"'),", or ",(0,l.kt)("inlineCode",{parentName:"td"},'""'),")."),(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},'""'))),(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},"--cookie-csrf-per-request")),(0,l.kt)("td",{parentName:"tr",align:null},"bool"),(0,l.kt)("td",{parentName:"tr",align:null},"Enable having different CSRF cookies per request, making it possible to have parallel requests."),(0,l.kt)("td",{parentName:"tr",align:null},"false")),(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},"--cookie-csrf-expire")),(0,l.kt)("td",{parentName:"tr",align:null},"duration"),(0,l.kt)("td",{parentName:"tr",align:null},"expire timeframe for CSRF cookie"),(0,l.kt)("td",{parentName:"tr",align:null},"15m")),(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},"--custom-templates-dir")),(0,l.kt)("td",{parentName:"tr",align:null},"string"),(0,l.kt)("td",{parentName:"tr",align:null},"path to custom html templates"),(0,l.kt)("td",{parentName:"tr",align:null})),(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},"--custom-sign-in-logo")),(0,l.kt)("td",{parentName:"tr",align:null},"string"),(0,l.kt)("td",{parentName:"tr",align:null},'path or a URL to an custom image for the sign_in page logo. Use \\"-\\" to disable default logo.'),(0,l.kt)("td",{parentName:"tr",align:null})),(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},"--display-htpasswd-form")),(0,l.kt)("td",{parentName:"tr",align:null},"bool"),(0,l.kt)("td",{parentName:"tr",align:null},"display username / password login form if an htpasswd file is provided"),(0,l.kt)("td",{parentName:"tr",align:null},"true")),(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},"--email-domain")),(0,l.kt)("td",{parentName:"tr",align:null},"string ","|"," list"),(0,l.kt)("td",{parentName:"tr",align:null},"authenticate emails with the specified domain (may be given multiple times). Use ",(0,l.kt)("inlineCode",{parentName:"td"},"*")," to authenticate any email"),(0,l.kt)("td",{parentName:"tr",align:null})),(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},"--errors-to-info-log")),(0,l.kt)("td",{parentName:"tr",align:null},"bool"),(0,l.kt)("td",{parentName:"tr",align:null},"redirects error-level logging to default log channel instead of stderr"),(0,l.kt)("td",{parentName:"tr",align:null})),(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},"--extra-jwt-issuers")),(0,l.kt)("td",{parentName:"tr",align:null},"string"),(0,l.kt)("td",{parentName:"tr",align:null},"if ",(0,l.kt)("inlineCode",{parentName:"td"},"--skip-jwt-bearer-tokens")," is set, a list of extra JWT ",(0,l.kt)("inlineCode",{parentName:"td"},"issuer=audience")," (see a token's ",(0,l.kt)("inlineCode",{parentName:"td"},"iss"),", ",(0,l.kt)("inlineCode",{parentName:"td"},"aud")," fields) pairs (where the issuer URL has a ",(0,l.kt)("inlineCode",{parentName:"td"},".well-known/openid-configuration")," or a ",(0,l.kt)("inlineCode",{parentName:"td"},".well-known/jwks.json"),")"),(0,l.kt)("td",{parentName:"tr",align:null})),(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},"--exclude-logging-path")),(0,l.kt)("td",{parentName:"tr",align:null},"string"),(0,l.kt)("td",{parentName:"tr",align:null},"comma separated list of paths to exclude from logging, e.g. ",(0,l.kt)("inlineCode",{parentName:"td"},'"/ping,/path2"')),(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},'""')," (no paths excluded)")),(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},"--flush-interval")),(0,l.kt)("td",{parentName:"tr",align:null},"duration"),(0,l.kt)("td",{parentName:"tr",align:null},"period between flushing response buffers when streaming responses"),(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},'"1s"'))),(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},"--force-https")),(0,l.kt)("td",{parentName:"tr",align:null},"bool"),(0,l.kt)("td",{parentName:"tr",align:null},"enforce https redirect"),(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},"false"))),(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},"--force-json-errors")),(0,l.kt)("td",{parentName:"tr",align:null},"bool"),(0,l.kt)("td",{parentName:"tr",align:null},"force JSON errors instead of HTTP error pages or redirects"),(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},"false"))),(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},"--banner")),(0,l.kt)("td",{parentName:"tr",align:null},"string"),(0,l.kt)("td",{parentName:"tr",align:null},"custom (html) banner string. Use ",(0,l.kt)("inlineCode",{parentName:"td"},'"-"')," to disable default banner."),(0,l.kt)("td",{parentName:"tr",align:null})),(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},"--footer")),(0,l.kt)("td",{parentName:"tr",align:null},"string"),(0,l.kt)("td",{parentName:"tr",align:null},"custom (html) footer string. Use ",(0,l.kt)("inlineCode",{parentName:"td"},'"-"')," to disable default footer."),(0,l.kt)("td",{parentName:"tr",align:null})),(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},"--github-org")),(0,l.kt)("td",{parentName:"tr",align:null},"string"),(0,l.kt)("td",{parentName:"tr",align:null},"restrict logins to members of this organisation"),(0,l.kt)("td",{parentName:"tr",align:null})),(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},"--github-team")),(0,l.kt)("td",{parentName:"tr",align:null},"string"),(0,l.kt)("td",{parentName:"tr",align:null},"restrict logins to members of any of these teams (slug), separated by a comma"),(0,l.kt)("td",{parentName:"tr",align:null})),(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},"--github-repo")),(0,l.kt)("td",{parentName:"tr",align:null},"string"),(0,l.kt)("td",{parentName:"tr",align:null},"restrict logins to collaborators of this repository formatted as ",(0,l.kt)("inlineCode",{parentName:"td"},"orgname/repo")),(0,l.kt)("td",{parentName:"tr",align:null})),(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},"--github-token")),(0,l.kt)("td",{parentName:"tr",align:null},"string"),(0,l.kt)("td",{parentName:"tr",align:null},"the token to use when verifying repository collaborators (must have push access to the repository)"),(0,l.kt)("td",{parentName:"tr",align:null})),(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},"--github-user")),(0,l.kt)("td",{parentName:"tr",align:null},"string ","|"," list"),(0,l.kt)("td",{parentName:"tr",align:null},"To allow users to login by username even if they do not belong to the specified org and team or collaborators"),(0,l.kt)("td",{parentName:"tr",align:null})),(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},"--gitlab-group")),(0,l.kt)("td",{parentName:"tr",align:null},"string ","|"," list"),(0,l.kt)("td",{parentName:"tr",align:null},"restrict logins to members of any of these groups (slug), separated by a comma"),(0,l.kt)("td",{parentName:"tr",align:null})),(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},"--gitlab-projects")),(0,l.kt)("td",{parentName:"tr",align:null},"string ","|"," list"),(0,l.kt)("td",{parentName:"tr",align:null},"restrict logins to members of any of these projects (may be given multiple times) formatted as ",(0,l.kt)("inlineCode",{parentName:"td"},"orgname/repo=accesslevel"),". Access level should be a value matching ",(0,l.kt)("a",{parentName:"td",href:"https://docs.gitlab.com/ee/api/members.html#valid-access-levels"},"Gitlab access levels"),", defaulted to 20 if absent"),(0,l.kt)("td",{parentName:"tr",align:null})),(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},"--google-admin-email")),(0,l.kt)("td",{parentName:"tr",align:null},"string"),(0,l.kt)("td",{parentName:"tr",align:null},"the google admin to impersonate for api calls"),(0,l.kt)("td",{parentName:"tr",align:null})),(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},"--google-group")),(0,l.kt)("td",{parentName:"tr",align:null},"string"),(0,l.kt)("td",{parentName:"tr",align:null},"restrict logins to members of this google group (may be given multiple times)."),(0,l.kt)("td",{parentName:"tr",align:null})),(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},"--google-service-account-json")),(0,l.kt)("td",{parentName:"tr",align:null},"string"),(0,l.kt)("td",{parentName:"tr",align:null},"the path to the service account json credentials"),(0,l.kt)("td",{parentName:"tr",align:null})),(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},"--htpasswd-file")),(0,l.kt)("td",{parentName:"tr",align:null},"string"),(0,l.kt)("td",{parentName:"tr",align:null},"additionally authenticate against a htpasswd file. Entries must be created with ",(0,l.kt)("inlineCode",{parentName:"td"},"htpasswd -B")," for bcrypt encryption"),(0,l.kt)("td",{parentName:"tr",align:null})),(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},"--htpasswd-user-group")),(0,l.kt)("td",{parentName:"tr",align:null},"string ","|"," list"),(0,l.kt)("td",{parentName:"tr",align:null},"the groups to be set on sessions for htpasswd users"),(0,l.kt)("td",{parentName:"tr",align:null})),(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},"--http-address")),(0,l.kt)("td",{parentName:"tr",align:null},"string"),(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},"[http://]:")," or ",(0,l.kt)("inlineCode",{parentName:"td"},"unix://")," to listen on for HTTP clients. Square brackets are required for ipv6 address, e.g. ",(0,l.kt)("inlineCode",{parentName:"td"},"http://[::1]:4180")),(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},'"127.0.0.1:4180"'))),(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},"--https-address")),(0,l.kt)("td",{parentName:"tr",align:null},"string"),(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},"[https://]:")," to listen on for HTTPS clients. Square brackets are required for ipv6 address, e.g. ",(0,l.kt)("inlineCode",{parentName:"td"},"https://[::1]:443")),(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},'":443"'))),(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},"--logging-compress")),(0,l.kt)("td",{parentName:"tr",align:null},"bool"),(0,l.kt)("td",{parentName:"tr",align:null},"Should rotated log files be compressed using gzip"),(0,l.kt)("td",{parentName:"tr",align:null},"false")),(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},"--logging-filename")),(0,l.kt)("td",{parentName:"tr",align:null},"string"),(0,l.kt)("td",{parentName:"tr",align:null},"File to log requests to, empty for ",(0,l.kt)("inlineCode",{parentName:"td"},"stdout")),(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},'""')," (stdout)")),(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},"--logging-local-time")),(0,l.kt)("td",{parentName:"tr",align:null},"bool"),(0,l.kt)("td",{parentName:"tr",align:null},"Use local time in log files and backup filenames instead of UTC"),(0,l.kt)("td",{parentName:"tr",align:null},"true (local time)")),(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},"--logging-max-age")),(0,l.kt)("td",{parentName:"tr",align:null},"int"),(0,l.kt)("td",{parentName:"tr",align:null},"Maximum number of days to retain old log files"),(0,l.kt)("td",{parentName:"tr",align:null},"7")),(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},"--logging-max-backups")),(0,l.kt)("td",{parentName:"tr",align:null},"int"),(0,l.kt)("td",{parentName:"tr",align:null},"Maximum number of old log files to retain; 0 to disable"),(0,l.kt)("td",{parentName:"tr",align:null},"0")),(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},"--logging-max-size")),(0,l.kt)("td",{parentName:"tr",align:null},"int"),(0,l.kt)("td",{parentName:"tr",align:null},"Maximum size in megabytes of the log file before rotation"),(0,l.kt)("td",{parentName:"tr",align:null},"100")),(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},"--jwt-key")),(0,l.kt)("td",{parentName:"tr",align:null},"string"),(0,l.kt)("td",{parentName:"tr",align:null},"private key in PEM format used to sign JWT, so that you can say something like ",(0,l.kt)("inlineCode",{parentName:"td"},'--jwt-key="${OAUTH2_PROXY_JWT_KEY}"'),": required by login.gov"),(0,l.kt)("td",{parentName:"tr",align:null})),(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},"--jwt-key-file")),(0,l.kt)("td",{parentName:"tr",align:null},"string"),(0,l.kt)("td",{parentName:"tr",align:null},"path to the private key file in PEM format used to sign the JWT so that you can say something like ",(0,l.kt)("inlineCode",{parentName:"td"},"--jwt-key-file=/etc/ssl/private/jwt_signing_key.pem"),": required by login.gov"),(0,l.kt)("td",{parentName:"tr",align:null})),(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},"--login-url")),(0,l.kt)("td",{parentName:"tr",align:null},"string"),(0,l.kt)("td",{parentName:"tr",align:null},"Authentication endpoint"),(0,l.kt)("td",{parentName:"tr",align:null})),(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},"--insecure-oidc-allow-unverified-email")),(0,l.kt)("td",{parentName:"tr",align:null},"bool"),(0,l.kt)("td",{parentName:"tr",align:null},"don't fail if an email address in an id_token is not verified"),(0,l.kt)("td",{parentName:"tr",align:null},"false")),(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},"--insecure-oidc-skip-issuer-verification")),(0,l.kt)("td",{parentName:"tr",align:null},"bool"),(0,l.kt)("td",{parentName:"tr",align:null},"allow the OIDC issuer URL to differ from the expected (currently required for Azure multi-tenant compatibility)"),(0,l.kt)("td",{parentName:"tr",align:null},"false")),(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},"--insecure-oidc-skip-nonce")),(0,l.kt)("td",{parentName:"tr",align:null},"bool"),(0,l.kt)("td",{parentName:"tr",align:null},"skip verifying the OIDC ID Token's nonce claim"),(0,l.kt)("td",{parentName:"tr",align:null},"true")),(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},"--oidc-issuer-url")),(0,l.kt)("td",{parentName:"tr",align:null},"string"),(0,l.kt)("td",{parentName:"tr",align:null},"the OpenID Connect issuer URL, e.g. ",(0,l.kt)("inlineCode",{parentName:"td"},'"https://accounts.google.com"')),(0,l.kt)("td",{parentName:"tr",align:null})),(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},"--oidc-jwks-url")),(0,l.kt)("td",{parentName:"tr",align:null},"string"),(0,l.kt)("td",{parentName:"tr",align:null},"OIDC JWKS URI for token verification; required if OIDC discovery is disabled"),(0,l.kt)("td",{parentName:"tr",align:null})),(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},"--oidc-email-claim")),(0,l.kt)("td",{parentName:"tr",align:null},"string"),(0,l.kt)("td",{parentName:"tr",align:null},"which OIDC claim contains the user's email"),(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},'"email"'))),(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},"--oidc-groups-claim")),(0,l.kt)("td",{parentName:"tr",align:null},"string"),(0,l.kt)("td",{parentName:"tr",align:null},"which OIDC claim contains the user groups"),(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},'"groups"'))),(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},"--oidc-audience-claim")),(0,l.kt)("td",{parentName:"tr",align:null},"string"),(0,l.kt)("td",{parentName:"tr",align:null},"which OIDC claim contains the audience"),(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},'"aud"'))),(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},"--oidc-extra-audience")),(0,l.kt)("td",{parentName:"tr",align:null},"string ","|"," list"),(0,l.kt)("td",{parentName:"tr",align:null},"additional audiences which are allowed to pass verification"),(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},'"[]"'))),(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},"--pass-access-token")),(0,l.kt)("td",{parentName:"tr",align:null},"bool"),(0,l.kt)("td",{parentName:"tr",align:null},"pass OAuth access_token to upstream via X-Forwarded-Access-Token header. When used with ",(0,l.kt)("inlineCode",{parentName:"td"},"--set-xauthrequest")," this adds the X-Auth-Request-Access-Token header to the response"),(0,l.kt)("td",{parentName:"tr",align:null},"false")),(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},"--pass-authorization-header")),(0,l.kt)("td",{parentName:"tr",align:null},"bool"),(0,l.kt)("td",{parentName:"tr",align:null},"pass OIDC IDToken to upstream via Authorization Bearer header"),(0,l.kt)("td",{parentName:"tr",align:null},"false")),(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},"--pass-basic-auth")),(0,l.kt)("td",{parentName:"tr",align:null},"bool"),(0,l.kt)("td",{parentName:"tr",align:null},"pass HTTP Basic Auth, X-Forwarded-User, X-Forwarded-Email and X-Forwarded-Preferred-Username information to upstream"),(0,l.kt)("td",{parentName:"tr",align:null},"true")),(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},"--prefer-email-to-user")),(0,l.kt)("td",{parentName:"tr",align:null},"bool"),(0,l.kt)("td",{parentName:"tr",align:null},"Prefer to use the Email address as the Username when passing information to upstream. Will only use Username if Email is unavailable, e.g. htaccess authentication. Used in conjunction with ",(0,l.kt)("inlineCode",{parentName:"td"},"--pass-basic-auth")," and ",(0,l.kt)("inlineCode",{parentName:"td"},"--pass-user-headers")),(0,l.kt)("td",{parentName:"tr",align:null},"false")),(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},"--pass-host-header")),(0,l.kt)("td",{parentName:"tr",align:null},"bool"),(0,l.kt)("td",{parentName:"tr",align:null},"pass the request Host Header to upstream"),(0,l.kt)("td",{parentName:"tr",align:null},"true")),(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},"--pass-user-headers")),(0,l.kt)("td",{parentName:"tr",align:null},"bool"),(0,l.kt)("td",{parentName:"tr",align:null},"pass X-Forwarded-User, X-Forwarded-Groups, X-Forwarded-Email and X-Forwarded-Preferred-Username information to upstream"),(0,l.kt)("td",{parentName:"tr",align:null},"true")),(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},"--profile-url")),(0,l.kt)("td",{parentName:"tr",align:null},"string"),(0,l.kt)("td",{parentName:"tr",align:null},"Profile access endpoint"),(0,l.kt)("td",{parentName:"tr",align:null})),(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},"--prompt")),(0,l.kt)("td",{parentName:"tr",align:null},"string"),(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("a",{parentName:"td",href:"https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest"},"OIDC prompt"),"; if present, ",(0,l.kt)("inlineCode",{parentName:"td"},"approval-prompt")," is ignored"),(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},'""'))),(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},"--provider")),(0,l.kt)("td",{parentName:"tr",align:null},"string"),(0,l.kt)("td",{parentName:"tr",align:null},"OAuth provider"),(0,l.kt)("td",{parentName:"tr",align:null},"google")),(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},"--provider-ca-file")),(0,l.kt)("td",{parentName:"tr",align:null},"string ","|"," list"),(0,l.kt)("td",{parentName:"tr",align:null},"Paths to CA certificates that should be used when connecting to the provider. If not specified, the default Go trust sources are used instead."),(0,l.kt)("td",{parentName:"tr",align:null})),(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},"--provider-display-name")),(0,l.kt)("td",{parentName:"tr",align:null},"string"),(0,l.kt)("td",{parentName:"tr",align:null},"Override the provider's name with the given string; used for the sign-in page"),(0,l.kt)("td",{parentName:"tr",align:null},"(depends on provider)")),(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},"--ping-path")),(0,l.kt)("td",{parentName:"tr",align:null},"string"),(0,l.kt)("td",{parentName:"tr",align:null},"the ping endpoint that can be used for basic health checks"),(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},'"/ping"'))),(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},"--ping-user-agent")),(0,l.kt)("td",{parentName:"tr",align:null},"string"),(0,l.kt)("td",{parentName:"tr",align:null},"a User-Agent that can be used for basic health checks"),(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},'""')," (don't check user agent)")),(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},"--metrics-address")),(0,l.kt)("td",{parentName:"tr",align:null},"string"),(0,l.kt)("td",{parentName:"tr",align:null},"the address prometheus metrics will be scraped from"),(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},'""'))),(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},"--proxy-prefix")),(0,l.kt)("td",{parentName:"tr",align:null},"string"),(0,l.kt)("td",{parentName:"tr",align:null},"the url root path that this proxy should be nested under (e.g. /",(0,l.kt)("inlineCode",{parentName:"td"},"/sign_in"),")"),(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},'"/oauth2"'))),(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},"--proxy-websockets")),(0,l.kt)("td",{parentName:"tr",align:null},"bool"),(0,l.kt)("td",{parentName:"tr",align:null},"enables WebSocket proxying"),(0,l.kt)("td",{parentName:"tr",align:null},"true")),(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},"--pubjwk-url")),(0,l.kt)("td",{parentName:"tr",align:null},"string"),(0,l.kt)("td",{parentName:"tr",align:null},"JWK pubkey access endpoint: required by login.gov"),(0,l.kt)("td",{parentName:"tr",align:null})),(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},"--real-client-ip-header")),(0,l.kt)("td",{parentName:"tr",align:null},"string"),(0,l.kt)("td",{parentName:"tr",align:null},"Header used to determine the real IP of the client, requires ",(0,l.kt)("inlineCode",{parentName:"td"},"--reverse-proxy")," to be set (one of: X-Forwarded-For, X-Real-IP, or X-ProxyUser-IP)"),(0,l.kt)("td",{parentName:"tr",align:null},"X-Real-IP")),(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},"--redeem-url")),(0,l.kt)("td",{parentName:"tr",align:null},"string"),(0,l.kt)("td",{parentName:"tr",align:null},"Token redemption endpoint"),(0,l.kt)("td",{parentName:"tr",align:null})),(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},"--redirect-url")),(0,l.kt)("td",{parentName:"tr",align:null},"string"),(0,l.kt)("td",{parentName:"tr",align:null},"the OAuth Redirect URL, e.g. ",(0,l.kt)("inlineCode",{parentName:"td"},'"https://internalapp.yourcompany.com/oauth2/callback"')),(0,l.kt)("td",{parentName:"tr",align:null})),(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},"--redis-cluster-connection-urls")),(0,l.kt)("td",{parentName:"tr",align:null},"string ","|"," list"),(0,l.kt)("td",{parentName:"tr",align:null},"List of Redis cluster connection URLs (e.g. ",(0,l.kt)("inlineCode",{parentName:"td"},"redis://HOST[:PORT]"),"). Used in conjunction with ",(0,l.kt)("inlineCode",{parentName:"td"},"--redis-use-cluster")),(0,l.kt)("td",{parentName:"tr",align:null})),(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},"--redis-connection-url")),(0,l.kt)("td",{parentName:"tr",align:null},"string"),(0,l.kt)("td",{parentName:"tr",align:null},"URL of redis server for redis session storage (e.g. ",(0,l.kt)("inlineCode",{parentName:"td"},"redis://HOST[:PORT]"),")"),(0,l.kt)("td",{parentName:"tr",align:null})),(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},"--redis-password")),(0,l.kt)("td",{parentName:"tr",align:null},"string"),(0,l.kt)("td",{parentName:"tr",align:null},"Redis password. Applicable for all Redis configurations. Will override any password set in ",(0,l.kt)("inlineCode",{parentName:"td"},"--redis-connection-url")),(0,l.kt)("td",{parentName:"tr",align:null})),(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},"--redis-sentinel-password")),(0,l.kt)("td",{parentName:"tr",align:null},"string"),(0,l.kt)("td",{parentName:"tr",align:null},"Redis sentinel password. Used only for sentinel connection; any redis node passwords need to use ",(0,l.kt)("inlineCode",{parentName:"td"},"--redis-password")),(0,l.kt)("td",{parentName:"tr",align:null})),(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},"--redis-sentinel-master-name")),(0,l.kt)("td",{parentName:"tr",align:null},"string"),(0,l.kt)("td",{parentName:"tr",align:null},"Redis sentinel master name. Used in conjunction with ",(0,l.kt)("inlineCode",{parentName:"td"},"--redis-use-sentinel")),(0,l.kt)("td",{parentName:"tr",align:null})),(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},"--redis-sentinel-connection-urls")),(0,l.kt)("td",{parentName:"tr",align:null},"string ","|"," list"),(0,l.kt)("td",{parentName:"tr",align:null},"List of Redis sentinel connection URLs (e.g. ",(0,l.kt)("inlineCode",{parentName:"td"},"redis://HOST[:PORT]"),"). Used in conjunction with ",(0,l.kt)("inlineCode",{parentName:"td"},"--redis-use-sentinel")),(0,l.kt)("td",{parentName:"tr",align:null})),(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},"--redis-use-cluster")),(0,l.kt)("td",{parentName:"tr",align:null},"bool"),(0,l.kt)("td",{parentName:"tr",align:null},"Connect to redis cluster. Must set ",(0,l.kt)("inlineCode",{parentName:"td"},"--redis-cluster-connection-urls")," to use this feature"),(0,l.kt)("td",{parentName:"tr",align:null},"false")),(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},"--redis-use-sentinel")),(0,l.kt)("td",{parentName:"tr",align:null},"bool"),(0,l.kt)("td",{parentName:"tr",align:null},"Connect to redis via sentinels. Must set ",(0,l.kt)("inlineCode",{parentName:"td"},"--redis-sentinel-master-name")," and ",(0,l.kt)("inlineCode",{parentName:"td"},"--redis-sentinel-connection-urls")," to use this feature"),(0,l.kt)("td",{parentName:"tr",align:null},"false")),(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},"--redis-connection-idle-timeout")),(0,l.kt)("td",{parentName:"tr",align:null},"int"),(0,l.kt)("td",{parentName:"tr",align:null},"Redis connection idle timeout seconds. If Redis ",(0,l.kt)("a",{parentName:"td",href:"https://redis.io/docs/reference/clients/#client-timeouts"},"timeout")," option is set to non-zero, the ",(0,l.kt)("inlineCode",{parentName:"td"},"--redis-connection-idle-timeout")," must be less than Redis timeout option. Exmpale: if either redis.conf includes ",(0,l.kt)("inlineCode",{parentName:"td"},"timeout 15")," or using ",(0,l.kt)("inlineCode",{parentName:"td"},"CONFIG SET timeout 15")," the ",(0,l.kt)("inlineCode",{parentName:"td"},"--redis-connection-idle-timeout")," must be at least ",(0,l.kt)("inlineCode",{parentName:"td"},"--redis-connection-idle-timeout=14")),(0,l.kt)("td",{parentName:"tr",align:null},"0")),(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},"--request-id-header")),(0,l.kt)("td",{parentName:"tr",align:null},"string"),(0,l.kt)("td",{parentName:"tr",align:null},"Request header to use as the request ID in logging"),(0,l.kt)("td",{parentName:"tr",align:null},"X-Request-Id")),(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},"--request-logging")),(0,l.kt)("td",{parentName:"tr",align:null},"bool"),(0,l.kt)("td",{parentName:"tr",align:null},"Log requests"),(0,l.kt)("td",{parentName:"tr",align:null},"true")),(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},"--request-logging-format")),(0,l.kt)("td",{parentName:"tr",align:null},"string"),(0,l.kt)("td",{parentName:"tr",align:null},"Template for request log lines"),(0,l.kt)("td",{parentName:"tr",align:null},"see ",(0,l.kt)("a",{parentName:"td",href:"#logging-configuration"},"Logging Configuration"))),(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},"--resource")),(0,l.kt)("td",{parentName:"tr",align:null},"string"),(0,l.kt)("td",{parentName:"tr",align:null},"The resource that is protected (Azure AD only)"),(0,l.kt)("td",{parentName:"tr",align:null})),(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},"--reverse-proxy")),(0,l.kt)("td",{parentName:"tr",align:null},"bool"),(0,l.kt)("td",{parentName:"tr",align:null},"are we running behind a reverse proxy, controls whether headers like X-Real-IP are accepted and allows X-Forwarded-{Proto,Host,Uri} headers to be used on redirect selection"),(0,l.kt)("td",{parentName:"tr",align:null},"false")),(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},"--scope")),(0,l.kt)("td",{parentName:"tr",align:null},"string"),(0,l.kt)("td",{parentName:"tr",align:null},"OAuth scope specification"),(0,l.kt)("td",{parentName:"tr",align:null})),(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},"--session-cookie-minimal")),(0,l.kt)("td",{parentName:"tr",align:null},"bool"),(0,l.kt)("td",{parentName:"tr",align:null},"strip OAuth tokens from cookie session stores if they aren't needed (cookie session store only)"),(0,l.kt)("td",{parentName:"tr",align:null},"false")),(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},"--session-store-type")),(0,l.kt)("td",{parentName:"tr",align:null},"string"),(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("a",{parentName:"td",href:"/oauth2-proxy/docs/next/configuration/session_storage"},"Session data storage backend"),"; redis or cookie"),(0,l.kt)("td",{parentName:"tr",align:null},"cookie")),(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},"--set-xauthrequest")),(0,l.kt)("td",{parentName:"tr",align:null},"bool"),(0,l.kt)("td",{parentName:"tr",align:null},"set X-Auth-Request-User, X-Auth-Request-Groups, X-Auth-Request-Email and X-Auth-Request-Preferred-Username response headers (useful in Nginx auth_request mode). When used with ",(0,l.kt)("inlineCode",{parentName:"td"},"--pass-access-token"),", X-Auth-Request-Access-Token is added to response headers."),(0,l.kt)("td",{parentName:"tr",align:null},"false")),(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},"--set-authorization-header")),(0,l.kt)("td",{parentName:"tr",align:null},"bool"),(0,l.kt)("td",{parentName:"tr",align:null},"set Authorization Bearer response header (useful in Nginx auth_request mode)"),(0,l.kt)("td",{parentName:"tr",align:null},"false")),(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},"--set-basic-auth")),(0,l.kt)("td",{parentName:"tr",align:null},"bool"),(0,l.kt)("td",{parentName:"tr",align:null},"set HTTP Basic Auth information in response (useful in Nginx auth_request mode)"),(0,l.kt)("td",{parentName:"tr",align:null},"false")),(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},"--show-debug-on-error")),(0,l.kt)("td",{parentName:"tr",align:null},"bool"),(0,l.kt)("td",{parentName:"tr",align:null},"show detailed error information on error pages (WARNING: this may contain sensitive information - do not use in production)"),(0,l.kt)("td",{parentName:"tr",align:null},"false")),(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},"--signature-key")),(0,l.kt)("td",{parentName:"tr",align:null},"string"),(0,l.kt)("td",{parentName:"tr",align:null},"GAP-Signature request signature key (algorithm:secretkey)"),(0,l.kt)("td",{parentName:"tr",align:null})),(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},"--silence-ping-logging")),(0,l.kt)("td",{parentName:"tr",align:null},"bool"),(0,l.kt)("td",{parentName:"tr",align:null},"disable logging of requests to ping endpoint"),(0,l.kt)("td",{parentName:"tr",align:null},"false")),(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},"--skip-auth-preflight")),(0,l.kt)("td",{parentName:"tr",align:null},"bool"),(0,l.kt)("td",{parentName:"tr",align:null},"will skip authentication for OPTIONS requests"),(0,l.kt)("td",{parentName:"tr",align:null},"false")),(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},"--skip-auth-regex")),(0,l.kt)("td",{parentName:"tr",align:null},"string ","|"," list"),(0,l.kt)("td",{parentName:"tr",align:null},"(DEPRECATED for ",(0,l.kt)("inlineCode",{parentName:"td"},"--skip-auth-route"),") bypass authentication for requests paths that match (may be given multiple times)"),(0,l.kt)("td",{parentName:"tr",align:null})),(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},"--skip-auth-route")),(0,l.kt)("td",{parentName:"tr",align:null},"string ","|"," list"),(0,l.kt)("td",{parentName:"tr",align:null},"bypass authentication for requests that match the method & path. Format: method=path_regex OR method!=path_regex. For all methods: path_regex OR !=path_regex"),(0,l.kt)("td",{parentName:"tr",align:null})),(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},"--skip-auth-strip-headers")),(0,l.kt)("td",{parentName:"tr",align:null},"bool"),(0,l.kt)("td",{parentName:"tr",align:null},"strips ",(0,l.kt)("inlineCode",{parentName:"td"},"X-Forwarded-*")," style authentication headers & ",(0,l.kt)("inlineCode",{parentName:"td"},"Authorization")," header if they would be set by oauth2-proxy"),(0,l.kt)("td",{parentName:"tr",align:null},"true")),(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},"--skip-jwt-bearer-tokens")),(0,l.kt)("td",{parentName:"tr",align:null},"bool"),(0,l.kt)("td",{parentName:"tr",align:null},"will skip requests that have verified JWT bearer tokens (the token must have ",(0,l.kt)("a",{parentName:"td",href:"https://en.wikipedia.org/wiki/JSON_Web_Token#Standard_fields"},(0,l.kt)("inlineCode",{parentName:"a"},"aud"))," that matches this client id or one of the extras from ",(0,l.kt)("inlineCode",{parentName:"td"},"extra-jwt-issuers"),")"),(0,l.kt)("td",{parentName:"tr",align:null},"false")),(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},"--skip-oidc-discovery")),(0,l.kt)("td",{parentName:"tr",align:null},"bool"),(0,l.kt)("td",{parentName:"tr",align:null},"bypass OIDC endpoint discovery. ",(0,l.kt)("inlineCode",{parentName:"td"},"--login-url"),", ",(0,l.kt)("inlineCode",{parentName:"td"},"--redeem-url")," and ",(0,l.kt)("inlineCode",{parentName:"td"},"--oidc-jwks-url")," must be configured in this case"),(0,l.kt)("td",{parentName:"tr",align:null},"false")),(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},"--skip-provider-button")),(0,l.kt)("td",{parentName:"tr",align:null},"bool"),(0,l.kt)("td",{parentName:"tr",align:null},"will skip sign-in-page to directly reach the next step: oauth/start"),(0,l.kt)("td",{parentName:"tr",align:null},"false")),(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},"--ssl-insecure-skip-verify")),(0,l.kt)("td",{parentName:"tr",align:null},"bool"),(0,l.kt)("td",{parentName:"tr",align:null},"skip validation of certificates presented when using HTTPS providers"),(0,l.kt)("td",{parentName:"tr",align:null},"false")),(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},"--ssl-upstream-insecure-skip-verify")),(0,l.kt)("td",{parentName:"tr",align:null},"bool"),(0,l.kt)("td",{parentName:"tr",align:null},"skip validation of certificates presented when using HTTPS upstreams"),(0,l.kt)("td",{parentName:"tr",align:null},"false")),(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},"--standard-logging")),(0,l.kt)("td",{parentName:"tr",align:null},"bool"),(0,l.kt)("td",{parentName:"tr",align:null},"Log standard runtime information"),(0,l.kt)("td",{parentName:"tr",align:null},"true")),(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},"--standard-logging-format")),(0,l.kt)("td",{parentName:"tr",align:null},"string"),(0,l.kt)("td",{parentName:"tr",align:null},"Template for standard log lines"),(0,l.kt)("td",{parentName:"tr",align:null},"see ",(0,l.kt)("a",{parentName:"td",href:"#logging-configuration"},"Logging Configuration"))),(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},"--tls-cert-file")),(0,l.kt)("td",{parentName:"tr",align:null},"string"),(0,l.kt)("td",{parentName:"tr",align:null},"path to certificate file"),(0,l.kt)("td",{parentName:"tr",align:null})),(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},"--tls-cipher-suite")),(0,l.kt)("td",{parentName:"tr",align:null},"string ","|"," list"),(0,l.kt)("td",{parentName:"tr",align:null},"Restricts TLS cipher suites used by server to those listed (e.g. TLS_RSA_WITH_RC4_128_SHA) (may be given multiple times). If not specified, the default Go safe cipher list is used. List of valid cipher suites can be found in the ",(0,l.kt)("a",{parentName:"td",href:"https://pkg.go.dev/crypto/tls#pkg-constants"},"crypto/tls documentation"),"."),(0,l.kt)("td",{parentName:"tr",align:null})),(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},"--tls-key-file")),(0,l.kt)("td",{parentName:"tr",align:null},"string"),(0,l.kt)("td",{parentName:"tr",align:null},"path to private key file"),(0,l.kt)("td",{parentName:"tr",align:null})),(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},"--tls-min-version")),(0,l.kt)("td",{parentName:"tr",align:null},"string"),(0,l.kt)("td",{parentName:"tr",align:null},"minimum TLS version that is acceptable, either ",(0,l.kt)("inlineCode",{parentName:"td"},'"TLS1.2"')," or ",(0,l.kt)("inlineCode",{parentName:"td"},'"TLS1.3"')),(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},'"TLS1.2"'))),(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},"--upstream")),(0,l.kt)("td",{parentName:"tr",align:null},"string ","|"," list"),(0,l.kt)("td",{parentName:"tr",align:null},"the http url(s) of the upstream endpoint, file:// paths for static files or ",(0,l.kt)("inlineCode",{parentName:"td"},"static://")," for static response. Routing is based on the path"),(0,l.kt)("td",{parentName:"tr",align:null})),(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},"--upstream-timeout")),(0,l.kt)("td",{parentName:"tr",align:null},"duration"),(0,l.kt)("td",{parentName:"tr",align:null},"maximum amount of time the server will wait for a response from the upstream"),(0,l.kt)("td",{parentName:"tr",align:null},"30s")),(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},"--allowed-group")),(0,l.kt)("td",{parentName:"tr",align:null},"string ","|"," list"),(0,l.kt)("td",{parentName:"tr",align:null},"restrict logins to members of this group (may be given multiple times)"),(0,l.kt)("td",{parentName:"tr",align:null})),(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},"--allowed-role")),(0,l.kt)("td",{parentName:"tr",align:null},"string ","|"," list"),(0,l.kt)("td",{parentName:"tr",align:null},"restrict logins to users with this role (may be given multiple times). Only works with the keycloak-oidc provider."),(0,l.kt)("td",{parentName:"tr",align:null})),(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},"--validate-url")),(0,l.kt)("td",{parentName:"tr",align:null},"string"),(0,l.kt)("td",{parentName:"tr",align:null},"Access token validation endpoint"),(0,l.kt)("td",{parentName:"tr",align:null})),(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},"--version")),(0,l.kt)("td",{parentName:"tr",align:null},"n/a"),(0,l.kt)("td",{parentName:"tr",align:null},"print version string"),(0,l.kt)("td",{parentName:"tr",align:null})),(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},"--whitelist-domain")),(0,l.kt)("td",{parentName:"tr",align:null},"string ","|"," list"),(0,l.kt)("td",{parentName:"tr",align:null},"allowed domains for redirection after authentication. Prefix domain with a ",(0,l.kt)("inlineCode",{parentName:"td"},".")," or a ",(0,l.kt)("inlineCode",{parentName:"td"},"*.")," to allow subdomains (e.g. ",(0,l.kt)("inlineCode",{parentName:"td"},".example.com"),", ",(0,l.kt)("inlineCode",{parentName:"td"},"*.example.com"),")","\xa0","[",(0,l.kt)("a",{parentName:"td",href:"#footnote2"},"2"),"]"),(0,l.kt)("td",{parentName:"tr",align:null})),(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},"--trusted-ip")),(0,l.kt)("td",{parentName:"tr",align:null},"string ","|"," list"),(0,l.kt)("td",{parentName:"tr",align:null},"list of IPs or CIDR ranges to allow to bypass authentication (may be given multiple times). When combined with ",(0,l.kt)("inlineCode",{parentName:"td"},"--reverse-proxy")," and optionally ",(0,l.kt)("inlineCode",{parentName:"td"},"--real-client-ip-header")," this will evaluate the trust of the IP stored in an HTTP header by a reverse proxy rather than the layer-3/4 remote address. WARNING: trusting IPs has inherent security flaws, especially when obtaining the IP address from an HTTP header (reverse-proxy mode). Use this option only if you understand the risks and how to manage them."),(0,l.kt)("td",{parentName:"tr",align:null})))),(0,l.kt)("p",null,"[",(0,l.kt)("a",{name:"footnote1"},"1"),"]",": Only these providers support ",(0,l.kt)("inlineCode",{parentName:"p"},"--cookie-refresh"),": GitLab, Google and OIDC"),(0,l.kt)("p",null,"[",(0,l.kt)("a",{name:"footnote2"},"2"),"]",": When using the ",(0,l.kt)("inlineCode",{parentName:"p"},"whitelist-domain")," option, any domain prefixed with a ",(0,l.kt)("inlineCode",{parentName:"p"},".")," or a ",(0,l.kt)("inlineCode",{parentName:"p"},"*.")," will allow any subdomain of the specified domain as a valid redirect URL. By default, only empty ports are allowed. This translates to allowing the default port of the URL's protocol (80 for HTTP, 443 for HTTPS, etc.) since browsers omit them. To allow only a specific port, add it to the whitelisted domain: ",(0,l.kt)("inlineCode",{parentName:"p"},"example.com:8080"),". To allow any port, use ",(0,l.kt)("inlineCode",{parentName:"p"},"*"),": ",(0,l.kt)("inlineCode",{parentName:"p"},"example.com:*"),"."),(0,l.kt)("p",null,"See below for provider specific options"),(0,l.kt)("h3",{id:"upstreams-configuration"},"Upstreams Configuration"),(0,l.kt)("p",null,(0,l.kt)("inlineCode",{parentName:"p"},"oauth2-proxy")," supports having multiple upstreams, and has the option to pass requests on to HTTP(S) servers or serve static files from the file system. HTTP and HTTPS upstreams are configured by providing a URL such as ",(0,l.kt)("inlineCode",{parentName:"p"},"http://127.0.0.1:8080/")," for the upstream parameter. This will forward all authenticated requests to the upstream server. If you instead provide ",(0,l.kt)("inlineCode",{parentName:"p"},"http://127.0.0.1:8080/some/path/")," then it will only be requests that start with ",(0,l.kt)("inlineCode",{parentName:"p"},"/some/path/")," which are forwarded to the upstream."),(0,l.kt)("p",null,"Static file paths are configured as a file:// URL. ",(0,l.kt)("inlineCode",{parentName:"p"},"file:///var/www/static/")," will serve the files from that directory at ",(0,l.kt)("inlineCode",{parentName:"p"},"http://[oauth2-proxy url]/var/www/static/"),", which may not be what you want. You can provide the path to where the files should be available by adding a fragment to the configured URL. The value of the fragment will then be used to specify which path the files are available at, e.g. ",(0,l.kt)("inlineCode",{parentName:"p"},"file:///var/www/static/#/static/")," will make ",(0,l.kt)("inlineCode",{parentName:"p"},"/var/www/static/")," available at ",(0,l.kt)("inlineCode",{parentName:"p"},"http://[oauth2-proxy url]/static/"),"."),(0,l.kt)("p",null,"Multiple upstreams can either be configured by supplying a comma separated list to the ",(0,l.kt)("inlineCode",{parentName:"p"},"--upstream")," parameter, supplying the parameter multiple times or providing a list in the ",(0,l.kt)("a",{parentName:"p",href:"#config-file"},"config file"),". When multiple upstreams are used routing to them will be based on the path they are set up with."),(0,l.kt)("h3",{id:"environment-variables"},"Environment variables"),(0,l.kt)("p",null,"Every command line argument can be specified as an environment variable by\nprefixing it with ",(0,l.kt)("inlineCode",{parentName:"p"},"OAUTH2_PROXY_"),", capitalising it, and replacing hyphens (",(0,l.kt)("inlineCode",{parentName:"p"},"-"),")\nwith underscores (",(0,l.kt)("inlineCode",{parentName:"p"},"_"),"). If the argument can be specified multiple times, the\nenvironment variable should be plural (trailing ",(0,l.kt)("inlineCode",{parentName:"p"},"S"),")."),(0,l.kt)("p",null,"This is particularly useful for storing secrets outside of a configuration file\nor the command line."),(0,l.kt)("p",null,"For example, the ",(0,l.kt)("inlineCode",{parentName:"p"},"--cookie-secret")," flag becomes ",(0,l.kt)("inlineCode",{parentName:"p"},"OAUTH2_PROXY_COOKIE_SECRET"),",\nand the ",(0,l.kt)("inlineCode",{parentName:"p"},"--email-domain")," flag becomes ",(0,l.kt)("inlineCode",{parentName:"p"},"OAUTH2_PROXY_EMAIL_DOMAINS"),"."),(0,l.kt)("h2",{id:"logging-configuration"},"Logging Configuration"),(0,l.kt)("p",null,"By default, OAuth2 Proxy logs all output to stdout. Logging can be configured to output to a rotating log file using the ",(0,l.kt)("inlineCode",{parentName:"p"},"--logging-filename")," command."),(0,l.kt)("p",null,"If logging to a file you can also configure the maximum file size (",(0,l.kt)("inlineCode",{parentName:"p"},"--logging-max-size"),"), age (",(0,l.kt)("inlineCode",{parentName:"p"},"--logging-max-age"),"), max backup logs (",(0,l.kt)("inlineCode",{parentName:"p"},"--logging-max-backups"),"), and if backup logs should be compressed (",(0,l.kt)("inlineCode",{parentName:"p"},"--logging-compress"),")."),(0,l.kt)("p",null,"There are three different types of logging: standard, authentication, and HTTP requests. These can each be enabled or disabled with ",(0,l.kt)("inlineCode",{parentName:"p"},"--standard-logging"),", ",(0,l.kt)("inlineCode",{parentName:"p"},"--auth-logging"),", and ",(0,l.kt)("inlineCode",{parentName:"p"},"--request-logging"),"."),(0,l.kt)("p",null,"Each type of logging has its own configurable format and variables. By default these formats are similar to the Apache Combined Log."),(0,l.kt)("p",null,"Logging of requests to the ",(0,l.kt)("inlineCode",{parentName:"p"},"/ping")," endpoint (or using ",(0,l.kt)("inlineCode",{parentName:"p"},"--ping-user-agent"),") can be disabled with ",(0,l.kt)("inlineCode",{parentName:"p"},"--silence-ping-logging")," reducing log volume. This flag appends the ",(0,l.kt)("inlineCode",{parentName:"p"},"--ping-path")," to ",(0,l.kt)("inlineCode",{parentName:"p"},"--exclude-logging-paths"),"."),(0,l.kt)("h3",{id:"auth-log-format"},"Auth Log Format"),(0,l.kt)("p",null,"Authentication logs are logs which are guaranteed to contain a username or email address of a user attempting to authenticate. These logs are output by default in the below format:"),(0,l.kt)("pre",null,(0,l.kt)("code",{parentName:"pre"}," - - [19/Mar/2015:17:20:19 -0400] [] \n")),(0,l.kt)("p",null,"The status block will contain one of the below strings:"),(0,l.kt)("ul",null,(0,l.kt)("li",{parentName:"ul"},(0,l.kt)("inlineCode",{parentName:"li"},"AuthSuccess")," If a user has authenticated successfully by any method"),(0,l.kt)("li",{parentName:"ul"},(0,l.kt)("inlineCode",{parentName:"li"},"AuthFailure")," If the user failed to authenticate explicitly"),(0,l.kt)("li",{parentName:"ul"},(0,l.kt)("inlineCode",{parentName:"li"},"AuthError")," If there was an unexpected error during authentication")),(0,l.kt)("p",null,"If you require a different format than that, you can configure it with the ",(0,l.kt)("inlineCode",{parentName:"p"},"--auth-logging-format")," flag.\nThe default format is configured as follows:"),(0,l.kt)("pre",null,(0,l.kt)("code",{parentName:"pre"},"{{.Client}} - {{.RequestID}} - {{.Username}} [{{.Timestamp}}] [{{.Status}}] {{.Message}}\n")),(0,l.kt)("p",null,"Available variables for auth logging:"),(0,l.kt)("table",null,(0,l.kt)("thead",{parentName:"table"},(0,l.kt)("tr",{parentName:"thead"},(0,l.kt)("th",{parentName:"tr",align:null},"Variable"),(0,l.kt)("th",{parentName:"tr",align:null},"Example"),(0,l.kt)("th",{parentName:"tr",align:null},"Description"))),(0,l.kt)("tbody",{parentName:"table"},(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},"Client"),(0,l.kt)("td",{parentName:"tr",align:null},"74.125.224.72"),(0,l.kt)("td",{parentName:"tr",align:null},"The client/remote IP address. Will use the X-Real-IP header it if exists & reverse-proxy is set to true.")),(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},"Host"),(0,l.kt)("td",{parentName:"tr",align:null},"domain.com"),(0,l.kt)("td",{parentName:"tr",align:null},"The value of the Host header.")),(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},"Message"),(0,l.kt)("td",{parentName:"tr",align:null},"Authenticated via OAuth2"),(0,l.kt)("td",{parentName:"tr",align:null},"The details of the auth attempt.")),(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},"Protocol"),(0,l.kt)("td",{parentName:"tr",align:null},"HTTP/1.0"),(0,l.kt)("td",{parentName:"tr",align:null},"The request protocol.")),(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},"RequestID"),(0,l.kt)("td",{parentName:"tr",align:null},"00010203-0405-4607-8809-0a0b0c0d0e0f"),(0,l.kt)("td",{parentName:"tr",align:null},"The request ID pulled from the ",(0,l.kt)("inlineCode",{parentName:"td"},"--request-id-header"),". Random UUID if empty")),(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},"RequestMethod"),(0,l.kt)("td",{parentName:"tr",align:null},"GET"),(0,l.kt)("td",{parentName:"tr",align:null},"The request method.")),(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},"Timestamp"),(0,l.kt)("td",{parentName:"tr",align:null},"19/Mar/2015:17:20:19 -0400"),(0,l.kt)("td",{parentName:"tr",align:null},"The date and time of the logging event.")),(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},"UserAgent"),(0,l.kt)("td",{parentName:"tr",align:null},"-"),(0,l.kt)("td",{parentName:"tr",align:null},"The full user agent as reported by the requesting client.")),(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},"Username"),(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("a",{parentName:"td",href:"mailto:username@email.com"},"username@email.com")),(0,l.kt)("td",{parentName:"tr",align:null},"The email or username of the auth request.")),(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},"Status"),(0,l.kt)("td",{parentName:"tr",align:null},"AuthSuccess"),(0,l.kt)("td",{parentName:"tr",align:null},"The status of the auth request. See above for details.")))),(0,l.kt)("h3",{id:"request-log-format"},"Request Log Format"),(0,l.kt)("p",null,"HTTP request logs will output by default in the below format:"),(0,l.kt)("pre",null,(0,l.kt)("code",{parentName:"pre"},' - - [19/Mar/2015:17:20:19 -0400] GET "/path/" HTTP/1.1 "" \n')),(0,l.kt)("p",null,"If you require a different format than that, you can configure it with the ",(0,l.kt)("inlineCode",{parentName:"p"},"--request-logging-format")," flag.\nThe default format is configured as follows:"),(0,l.kt)("pre",null,(0,l.kt)("code",{parentName:"pre"},"{{.Client}} - {{.RequestID}} - {{.Username}} [{{.Timestamp}}] {{.Host}} {{.RequestMethod}} {{.Upstream}} {{.RequestURI}} {{.Protocol}} {{.UserAgent}} {{.StatusCode}} {{.ResponseSize}} {{.RequestDuration}}\n")),(0,l.kt)("p",null,"Available variables for request logging:"),(0,l.kt)("table",null,(0,l.kt)("thead",{parentName:"table"},(0,l.kt)("tr",{parentName:"thead"},(0,l.kt)("th",{parentName:"tr",align:null},"Variable"),(0,l.kt)("th",{parentName:"tr",align:null},"Example"),(0,l.kt)("th",{parentName:"tr",align:null},"Description"))),(0,l.kt)("tbody",{parentName:"table"},(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},"Client"),(0,l.kt)("td",{parentName:"tr",align:null},"74.125.224.72"),(0,l.kt)("td",{parentName:"tr",align:null},"The client/remote IP address. Will use the X-Real-IP header it if exists & reverse-proxy is set to true.")),(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},"Host"),(0,l.kt)("td",{parentName:"tr",align:null},"domain.com"),(0,l.kt)("td",{parentName:"tr",align:null},"The value of the Host header.")),(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},"Protocol"),(0,l.kt)("td",{parentName:"tr",align:null},"HTTP/1.0"),(0,l.kt)("td",{parentName:"tr",align:null},"The request protocol.")),(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},"RequestDuration"),(0,l.kt)("td",{parentName:"tr",align:null},"0.001"),(0,l.kt)("td",{parentName:"tr",align:null},"The time in seconds that a request took to process.")),(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},"RequestID"),(0,l.kt)("td",{parentName:"tr",align:null},"00010203-0405-4607-8809-0a0b0c0d0e0f"),(0,l.kt)("td",{parentName:"tr",align:null},"The request ID pulled from the ",(0,l.kt)("inlineCode",{parentName:"td"},"--request-id-header"),". Random UUID if empty")),(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},"RequestMethod"),(0,l.kt)("td",{parentName:"tr",align:null},"GET"),(0,l.kt)("td",{parentName:"tr",align:null},"The request method.")),(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},"RequestURI"),(0,l.kt)("td",{parentName:"tr",align:null},'"/oauth2/auth"'),(0,l.kt)("td",{parentName:"tr",align:null},"The URI path of the request.")),(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},"ResponseSize"),(0,l.kt)("td",{parentName:"tr",align:null},"12"),(0,l.kt)("td",{parentName:"tr",align:null},"The size in bytes of the response.")),(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},"StatusCode"),(0,l.kt)("td",{parentName:"tr",align:null},"200"),(0,l.kt)("td",{parentName:"tr",align:null},"The HTTP status code of the response.")),(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},"Timestamp"),(0,l.kt)("td",{parentName:"tr",align:null},"19/Mar/2015:17:20:19 -0400"),(0,l.kt)("td",{parentName:"tr",align:null},"The date and time of the logging event.")),(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},"Upstream"),(0,l.kt)("td",{parentName:"tr",align:null},"-"),(0,l.kt)("td",{parentName:"tr",align:null},"The upstream data of the HTTP request.")),(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},"UserAgent"),(0,l.kt)("td",{parentName:"tr",align:null},"-"),(0,l.kt)("td",{parentName:"tr",align:null},"The full user agent as reported by the requesting client.")),(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},"Username"),(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("a",{parentName:"td",href:"mailto:username@email.com"},"username@email.com")),(0,l.kt)("td",{parentName:"tr",align:null},"The email or username of the auth request.")))),(0,l.kt)("h3",{id:"standard-log-format"},"Standard Log Format"),(0,l.kt)("p",null,"All other logging that is not covered by the above two types of logging will be output in this standard logging format. This includes configuration information at startup and errors that occur outside of a session. The default format is below:"),(0,l.kt)("pre",null,(0,l.kt)("code",{parentName:"pre"},"[19/Mar/2015:17:20:19 -0400] [main.go:40] \n")),(0,l.kt)("p",null,"If you require a different format than that, you can configure it with the ",(0,l.kt)("inlineCode",{parentName:"p"},"--standard-logging-format")," flag. The default format is configured as follows:"),(0,l.kt)("pre",null,(0,l.kt)("code",{parentName:"pre"},"[{{.Timestamp}}] [{{.File}}] {{.Message}}\n")),(0,l.kt)("p",null,"Available variables for standard logging:"),(0,l.kt)("table",null,(0,l.kt)("thead",{parentName:"table"},(0,l.kt)("tr",{parentName:"thead"},(0,l.kt)("th",{parentName:"tr",align:null},"Variable"),(0,l.kt)("th",{parentName:"tr",align:null},"Example"),(0,l.kt)("th",{parentName:"tr",align:null},"Description"))),(0,l.kt)("tbody",{parentName:"table"},(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},"Timestamp"),(0,l.kt)("td",{parentName:"tr",align:null},"19/Mar/2015:17:20:19 -0400"),(0,l.kt)("td",{parentName:"tr",align:null},"The date and time of the logging event.")),(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},"File"),(0,l.kt)("td",{parentName:"tr",align:null},"main.go:40"),(0,l.kt)("td",{parentName:"tr",align:null},"The file and line number of the logging statement.")),(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},"Message"),(0,l.kt)("td",{parentName:"tr",align:null},"HTTP: listening on 127.0.0.1:4180"),(0,l.kt)("td",{parentName:"tr",align:null},"The details of the log statement.")))),(0,l.kt)("h2",{id:"configuring-for-use-with-the-nginx-auth_request-directive"},"Configuring for use with the Nginx ",(0,l.kt)("inlineCode",{parentName:"h2"},"auth_request")," directive"),(0,l.kt)("p",null,"The ",(0,l.kt)("a",{parentName:"p",href:"http://nginx.org/en/docs/http/ngx_http_auth_request_module.html"},"Nginx ",(0,l.kt)("inlineCode",{parentName:"a"},"auth_request")," directive")," allows Nginx to authenticate requests via the oauth2-proxy's ",(0,l.kt)("inlineCode",{parentName:"p"},"/auth")," endpoint, which only returns a 202 Accepted response or a 401 Unauthorized response without proxying the request through. For example:"),(0,l.kt)("pre",null,(0,l.kt)("code",{parentName:"pre",className:"language-nginx"},'server {\n listen 443 ssl;\n server_name ...;\n include ssl/ssl.conf;\n\n location /oauth2/ {\n proxy_pass http://127.0.0.1:4180;\n proxy_set_header Host $host;\n proxy_set_header X-Real-IP $remote_addr;\n proxy_set_header X-Scheme $scheme;\n proxy_set_header X-Auth-Request-Redirect $request_uri;\n # or, if you are handling multiple domains:\n # proxy_set_header X-Auth-Request-Redirect $scheme://$host$request_uri;\n }\n location = /oauth2/auth {\n proxy_pass http://127.0.0.1:4180;\n proxy_set_header Host $host;\n proxy_set_header X-Real-IP $remote_addr;\n proxy_set_header X-Scheme $scheme;\n # nginx auth_request includes headers but not body\n proxy_set_header Content-Length "";\n proxy_pass_request_body off;\n }\n\n location / {\n auth_request /oauth2/auth;\n error_page 401 = /oauth2/sign_in;\n\n # pass information via X-User and X-Email headers to backend,\n # requires running with --set-xauthrequest flag\n auth_request_set $user $upstream_http_x_auth_request_user;\n auth_request_set $email $upstream_http_x_auth_request_email;\n proxy_set_header X-User $user;\n proxy_set_header X-Email $email;\n\n # if you enabled --pass-access-token, this will pass the token to the backend\n auth_request_set $token $upstream_http_x_auth_request_access_token;\n proxy_set_header X-Access-Token $token;\n\n # if you enabled --cookie-refresh, this is needed for it to work with auth_request\n auth_request_set $auth_cookie $upstream_http_set_cookie;\n add_header Set-Cookie $auth_cookie;\n\n # When using the --set-authorization-header flag, some provider\'s cookies can exceed the 4kb\n # limit and so the OAuth2 Proxy splits these into multiple parts.\n # Nginx normally only copies the first `Set-Cookie` header from the auth_request to the response,\n # so if your cookies are larger than 4kb, you will need to extract additional cookies manually.\n auth_request_set $auth_cookie_name_upstream_1 $upstream_cookie_auth_cookie_name_1;\n\n # Extract the Cookie attributes from the first Set-Cookie header and append them\n # to the second part ($upstream_cookie_* variables only contain the raw cookie content)\n if ($auth_cookie ~* "(; .*)") {\n set $auth_cookie_name_0 $auth_cookie;\n set $auth_cookie_name_1 "auth_cookie_name_1=$auth_cookie_name_upstream_1$1";\n }\n\n # Send both Set-Cookie headers now if there was a second part\n if ($auth_cookie_name_upstream_1) {\n add_header Set-Cookie $auth_cookie_name_0;\n add_header Set-Cookie $auth_cookie_name_1;\n }\n\n proxy_pass http://backend/;\n # or "root /path/to/site;" or "fastcgi_pass ..." etc\n }\n}\n')),(0,l.kt)("p",null,"When you use ingress-nginx in Kubernetes, you MUST use ",(0,l.kt)("inlineCode",{parentName:"p"},"kubernetes/ingress-nginx")," (which includes the Lua module) and the following configuration snippet for your ",(0,l.kt)("inlineCode",{parentName:"p"},"Ingress"),".\nVariables set with ",(0,l.kt)("inlineCode",{parentName:"p"},"auth_request_set")," are not ",(0,l.kt)("inlineCode",{parentName:"p"},"set"),"-able in plain nginx config when the location is processed via ",(0,l.kt)("inlineCode",{parentName:"p"},"proxy_pass")," and then may only be processed by Lua.\nNote that ",(0,l.kt)("inlineCode",{parentName:"p"},"nginxinc/kubernetes-ingress")," does not include the Lua module."),(0,l.kt)("pre",null,(0,l.kt)("code",{parentName:"pre",className:"language-yaml"},'nginx.ingress.kubernetes.io/auth-response-headers: Authorization\nnginx.ingress.kubernetes.io/auth-signin: https://$host/oauth2/start?rd=$escaped_request_uri\nnginx.ingress.kubernetes.io/auth-url: https://$host/oauth2/auth\nnginx.ingress.kubernetes.io/configuration-snippet: |\n auth_request_set $name_upstream_1 $upstream_cookie_name_1;\n\n access_by_lua_block {\n if ngx.var.name_upstream_1 ~= "" then\n ngx.header["Set-Cookie"] = "name_1=" .. ngx.var.name_upstream_1 .. ngx.var.auth_cookie:match("(; .*)")\n end\n }\n')),(0,l.kt)("p",null,"It is recommended to use ",(0,l.kt)("inlineCode",{parentName:"p"},"--session-store-type=redis")," when expecting large sessions/OIDC tokens (",(0,l.kt)("em",{parentName:"p"},"e.g.")," with MS Azure)."),(0,l.kt)("p",null,"You have to substitute ",(0,l.kt)("em",{parentName:"p"},"name"),' with the actual cookie name you configured via --cookie-name parameter. If you don\'t set a custom cookie name the variable should be "$upstream_cookie__oauth2_proxy_1" instead of "$upstream_cookie_name_1" and the new cookie-name should be "_oauth2_proxy_1=" instead of "name_1=".'),(0,l.kt)("h2",{id:"configuring-for-use-with-the-traefik-v2-forwardauth-middleware"},"Configuring for use with the Traefik (v2) ",(0,l.kt)("inlineCode",{parentName:"h2"},"ForwardAuth")," middleware"),(0,l.kt)("p",null,(0,l.kt)("strong",{parentName:"p"},"This option requires ",(0,l.kt)("inlineCode",{parentName:"strong"},"--reverse-proxy")," option to be set.")),(0,l.kt)("h3",{id:"forwardauth-with-401-errors-middleware"},"ForwardAuth with 401 errors middleware"),(0,l.kt)("p",null,"The ",(0,l.kt)("a",{parentName:"p",href:"https://doc.traefik.io/traefik/middlewares/forwardauth/"},"Traefik v2 ",(0,l.kt)("inlineCode",{parentName:"a"},"ForwardAuth")," middleware")," allows Traefik to authenticate requests via the oauth2-proxy's ",(0,l.kt)("inlineCode",{parentName:"p"},"/oauth2/auth")," endpoint on every request, which only returns a 202 Accepted response or a 401 Unauthorized response without proxying the whole request through. For example, on Dynamic File (YAML) Configuration:"),(0,l.kt)("pre",null,(0,l.kt)("code",{parentName:"pre",className:"language-yaml"},'http:\n routers:\n a-service:\n rule: "Host(`a-service.example.com`)"\n service: a-service-backend\n middlewares:\n - oauth-errors\n - oauth-auth\n tls:\n certResolver: default\n domains:\n - main: "example.com"\n sans:\n - "*.example.com"\n oauth:\n rule: "Host(`a-service.example.com`, `oauth.example.com`) && PathPrefix(`/oauth2/`)"\n middlewares:\n - auth-headers\n service: oauth-backend\n tls:\n certResolver: default\n domains:\n - main: "example.com"\n sans:\n - "*.example.com"\n\n services:\n a-service-backend:\n loadBalancer:\n servers:\n - url: http://172.16.0.2:7555\n oauth-backend:\n loadBalancer:\n servers:\n - url: http://172.16.0.1:4180\n\n middlewares:\n auth-headers:\n headers:\n sslRedirect: true\n stsSeconds: 315360000\n browserXssFilter: true\n contentTypeNosniff: true\n forceSTSHeader: true\n sslHost: example.com\n stsIncludeSubdomains: true\n stsPreload: true\n frameDeny: true\n oauth-auth:\n forwardAuth:\n address: https://oauth.example.com/oauth2/auth\n trustForwardHeader: true\n oauth-errors:\n errors:\n status:\n - "401-403"\n service: oauth-backend\n query: "/oauth2/sign_in"\n')),(0,l.kt)("h3",{id:"forwardauth-with-static-upstreams-configuration"},"ForwardAuth with static upstreams configuration"),(0,l.kt)("p",null,"Redirect to sign_in functionality provided without the use of ",(0,l.kt)("inlineCode",{parentName:"p"},"errors")," middleware with ",(0,l.kt)("a",{parentName:"p",href:"https://doc.traefik.io/traefik/middlewares/forwardauth/"},"Traefik v2 ",(0,l.kt)("inlineCode",{parentName:"a"},"ForwardAuth")," middleware")," pointing to oauth2-proxy service's ",(0,l.kt)("inlineCode",{parentName:"p"},"/")," endpoint"),(0,l.kt)("p",null,(0,l.kt)("strong",{parentName:"p"},"Following options need to be set on ",(0,l.kt)("inlineCode",{parentName:"strong"},"oauth2-proxy"),":")),(0,l.kt)("ul",null,(0,l.kt)("li",{parentName:"ul"},(0,l.kt)("inlineCode",{parentName:"li"},"--upstream=static://202"),": Configures a static response for authenticated sessions"),(0,l.kt)("li",{parentName:"ul"},(0,l.kt)("inlineCode",{parentName:"li"},"--reverse-proxy=true"),": Enables the use of ",(0,l.kt)("inlineCode",{parentName:"li"},"X-Forwarded-*")," headers to determine redirects correctly")),(0,l.kt)("pre",null,(0,l.kt)("code",{parentName:"pre",className:"language-yaml"},'http:\n routers:\n a-service-route-1:\n rule: "Host(`a-service.example.com`, `b-service.example.com`) && PathPrefix(`/`)"\n service: a-service-backend\n middlewares:\n - oauth-auth-redirect # redirects all unauthenticated to oauth2 signin\n tls:\n certResolver: default\n domains:\n - main: "example.com"\n sans:\n - "*.example.com"\n a-service-route-2:\n rule: "Host(`a-service.example.com`) && PathPrefix(`/no-auto-redirect`)"\n service: a-service-backend\n middlewares:\n - oauth-auth-wo-redirect # unauthenticated session will return a 401\n tls:\n certResolver: default\n domains:\n - main: "example.com"\n sans:\n - "*.example.com"\n services-oauth2-route:\n rule: "Host(`a-service.example.com`, `b-service.example.com`) && PathPrefix(`/oauth2/`)"\n middlewares:\n - auth-headers\n service: oauth-backend\n tls:\n certResolver: default\n domains:\n - main: "example.com"\n sans:\n - "*.example.com"\n oauth2-proxy-route:\n rule: "Host(`oauth.example.com`) && PathPrefix(`/`)"\n middlewares:\n - auth-headers\n service: oauth-backend\n tls:\n certResolver: default\n domains:\n - main: "example.com"\n sans:\n - "*.example.com"\n\n services:\n a-service-backend:\n loadBalancer:\n servers:\n - url: http://172.16.0.2:7555\n b-service-backend:\n loadBalancer:\n servers:\n - url: http://172.16.0.3:7555\n oauth-backend:\n loadBalancer:\n servers:\n - url: http://172.16.0.1:4180\n\n middlewares:\n auth-headers:\n headers:\n sslRedirect: true\n stsSeconds: 315360000\n browserXssFilter: true\n contentTypeNosniff: true\n forceSTSHeader: true\n sslHost: example.com\n stsIncludeSubdomains: true\n stsPreload: true\n frameDeny: true\n oauth-auth-redirect:\n forwardAuth:\n address: https://oauth.example.com/\n trustForwardHeader: true\n authResponseHeaders:\n - X-Auth-Request-Access-Token\n - Authorization\n oauth-auth-wo-redirect:\n forwardAuth:\n address: https://oauth.example.com/oauth2/auth\n trustForwardHeader: true\n authResponseHeaders:\n - X-Auth-Request-Access-Token\n - Authorization\n')),(0,l.kt)("div",{className:"admonition admonition-note alert alert--secondary"},(0,l.kt)("div",{parentName:"div",className:"admonition-heading"},(0,l.kt)("h5",{parentName:"div"},(0,l.kt)("span",{parentName:"h5",className:"admonition-icon"},(0,l.kt)("svg",{parentName:"span",xmlns:"http://www.w3.org/2000/svg",width:"14",height:"16",viewBox:"0 0 14 16"},(0,l.kt)("path",{parentName:"svg",fillRule:"evenodd",d:"M6.3 5.69a.942.942 0 0 1-.28-.7c0-.28.09-.52.28-.7.19-.18.42-.28.7-.28.28 0 .52.09.7.28.18.19.28.42.28.7 0 .28-.09.52-.28.7a1 1 0 0 1-.7.3c-.28 0-.52-.11-.7-.3zM8 7.99c-.02-.25-.11-.48-.31-.69-.2-.19-.42-.3-.69-.31H6c-.27.02-.48.13-.69.31-.2.2-.3.44-.31.69h1v3c.02.27.11.5.31.69.2.2.42.31.69.31h1c.27 0 .48-.11.69-.31.2-.19.3-.42.31-.69H8V7.98v.01zM7 2.3c-3.14 0-5.7 2.54-5.7 5.68 0 3.14 2.56 5.7 5.7 5.7s5.7-2.55 5.7-5.7c0-3.15-2.56-5.69-5.7-5.69v.01zM7 .98c3.86 0 7 3.14 7 7s-3.14 7-7 7-7-3.12-7-7 3.14-7 7-7z"}))),"note")),(0,l.kt)("div",{parentName:"div",className:"admonition-content"},(0,l.kt)("p",{parentName:"div"},"If you set up your OAuth2 provider to rotate your client secret, you can use the ",(0,l.kt)("inlineCode",{parentName:"p"},"client-secret-file")," option to reload the secret when it is updated."))))}g.isMDXComponent=!0}}]); \ No newline at end of file diff --git a/assets/js/0f425520.77916554.js b/assets/js/0f425520.77916554.js deleted file mode 100644 index a4084bd7..00000000 --- a/assets/js/0f425520.77916554.js +++ /dev/null @@ -1 +0,0 @@ -"use strict";(self.webpackChunkdocusaurus=self.webpackChunkdocusaurus||[]).push([[7240],{3905:function(t,e,n){n.d(e,{Zo:function(){return s},kt:function(){return k}});var a=n(7294);function r(t,e,n){return e in t?Object.defineProperty(t,e,{value:n,enumerable:!0,configurable:!0,writable:!0}):t[e]=n,t}function l(t,e){var n=Object.keys(t);if(Object.getOwnPropertySymbols){var a=Object.getOwnPropertySymbols(t);e&&(a=a.filter((function(e){return Object.getOwnPropertyDescriptor(t,e).enumerable}))),n.push.apply(n,a)}return n}function i(t){for(var e=1;e=0||(r[n]=t[n]);return r}(t,e);if(Object.getOwnPropertySymbols){var l=Object.getOwnPropertySymbols(t);for(a=0;a=0||Object.prototype.propertyIsEnumerable.call(t,n)&&(r[n]=t[n])}return r}var d=a.createContext({}),p=function(t){var e=a.useContext(d),n=e;return t&&(n="function"==typeof t?t(e):i(i({},e),t)),n},s=function(t){var e=p(t.components);return a.createElement(d.Provider,{value:e},t.children)},m={inlineCode:"code",wrapper:function(t){var e=t.children;return a.createElement(a.Fragment,{},e)}},u=a.forwardRef((function(t,e){var n=t.components,r=t.mdxType,l=t.originalType,d=t.parentName,s=o(t,["components","mdxType","originalType","parentName"]),u=p(n),k=r,g=u["".concat(d,".").concat(k)]||u[k]||m[k]||l;return n?a.createElement(g,i(i({ref:e},s),{},{components:n})):a.createElement(g,i({ref:e},s))}));function k(t,e){var n=arguments,r=e&&e.mdxType;if("string"==typeof t||r){var l=n.length,i=new Array(l);i[0]=u;var o={};for(var d in e)hasOwnProperty.call(e,d)&&(o[d]=e[d]);o.originalType=t,o.mdxType="string"==typeof t?t:r,i[1]=o;for(var p=2;p child <"+("string"==typeof t.type?t.type:t.type.name)+'>: all children of the component should be , and every should have a unique "value" prop.')})),h=null!=u?u:N.map((function(t){var e=t.props;return{value:e.value,label:e.label,attributes:e.attributes}})),c=(0,i.lx)(h,(function(t,e){return t.value===e.value}));if(c.length>0)throw new Error('Docusaurus error: Duplicate values "'+c.map((function(t){return t.value})).join(", ")+'" found in . Every value needs to be unique.');var f=null===m?m:null!=(e=null!=m?m:null==(n=N.find((function(t){return t.props.default})))?void 0:n.props.value)?e:null==(l=N[0])?void 0:l.props.value;if(null!==f&&!h.some((function(t){return t.value===f})))throw new Error('Docusaurus error: The has a defaultValue "'+f+'" but none of its children has the corresponding value. Available values are: '+h.map((function(t){return t.value})).join(", ")+". If you intend to show no default tab, use defaultValue={null} instead.");var b=(0,i.UB)(),y=b.tabGroupChoices,v=b.setTabGroupChoices,C=(0,r.useState)(f),w=C[0],_=C[1],x=[],T=(0,i.o5)().blockElementScrollPositionUntilNextRender;if(null!=k){var q=y[k];null!=q&&q!==w&&h.some((function(t){return t.value===q}))&&_(q)}var S=function(t){var e=t.currentTarget,n=x.indexOf(e),a=h[n].value;a!==w&&(T(e),_(a),null!=k&&v(k,a))},R=function(t){var e,n=null;switch(t.key){case"ArrowRight":var a=x.indexOf(t.currentTarget)+1;n=x[a]||x[0];break;case"ArrowLeft":var r=x.indexOf(t.currentTarget)-1;n=x[r]||x[x.length-1]}null==(e=n)||e.focus()};return r.createElement("div",{className:"tabs-container"},r.createElement("ul",{role:"tablist","aria-orientation":"horizontal",className:(0,o.Z)("tabs",{"tabs--block":s},g)},h.map((function(t){var e=t.value,n=t.label,l=t.attributes;return r.createElement("li",(0,a.Z)({role:"tab",tabIndex:w===e?0:-1,"aria-selected":w===e,key:e,ref:function(t){return x.push(t)},onKeyDown:R,onFocus:S,onClick:S},l,{className:(0,o.Z)("tabs__item",d,null==l?void 0:l.className,{"tabs__item--active":w===e})}),null!=n?n:e)}))),p?(0,r.cloneElement)(N.filter((function(t){return t.props.value===w}))[0],{className:"margin-vert--md"}):r.createElement("div",{className:"margin-vert--md"},N.map((function(t,e){return(0,r.cloneElement)(t,{key:e,hidden:t.props.value!==w})}))))}function s(t){var e=(0,l.Z)();return r.createElement(p,(0,a.Z)({key:String(e)},t))}},4826:function(t,e,n){n.r(e),n.d(e,{frontMatter:function(){return p},contentTitle:function(){return s},metadata:function(){return m},toc:function(){return u},default:function(){return g}});var a=n(7462),r=n(3366),l=(n(7294),n(3905)),i=n(9877),o=n(8215),d=["components"],p={id:"overview",title:"Overview"},s=void 0,m={unversionedId:"configuration/overview",id:"configuration/overview",title:"Overview",description:"oauth2-proxy can be configured via command line options, environment variables or config file (in decreasing order of precedence, i.e. command line options will overwrite environment variables and environment variables will overwrite configuration file settings).",source:"@site/docs/configuration/overview.md",sourceDirName:"configuration",slug:"/configuration/overview",permalink:"/oauth2-proxy/docs/next/configuration/overview",editUrl:"https://github.com/oauth2-proxy/oauth2-proxy/edit/master/docs/docs/configuration/overview.md",tags:[],version:"current",frontMatter:{id:"overview",title:"Overview"},sidebar:"docs",previous:{title:"Behaviour",permalink:"/oauth2-proxy/docs/next/behaviour"},next:{title:"OAuth Provider Configuration",permalink:"/oauth2-proxy/docs/next/configuration/oauth_provider"}},u=[{value:"Generating a Cookie Secret",id:"generating-a-cookie-secret",children:[],level:3},{value:"Config File",id:"config-file",children:[],level:3},{value:"Command Line Options",id:"command-line-options",children:[],level:3},{value:"Upstreams Configuration",id:"upstreams-configuration",children:[],level:3},{value:"Environment variables",id:"environment-variables",children:[],level:3},{value:"Logging Configuration",id:"logging-configuration",children:[{value:"Auth Log Format",id:"auth-log-format",children:[],level:3},{value:"Request Log Format",id:"request-log-format",children:[],level:3},{value:"Standard Log Format",id:"standard-log-format",children:[],level:3}],level:2},{value:"Configuring for use with the Nginx auth_request directive",id:"configuring-for-use-with-the-nginx-auth_request-directive",children:[],level:2},{value:"Configuring for use with the Traefik (v2) ForwardAuth middleware",id:"configuring-for-use-with-the-traefik-v2-forwardauth-middleware",children:[{value:"ForwardAuth with 401 errors middleware",id:"forwardauth-with-401-errors-middleware",children:[],level:3},{value:"ForwardAuth with static upstreams configuration",id:"forwardauth-with-static-upstreams-configuration",children:[],level:3}],level:2}],k={toc:u};function g(t){var e=t.components,n=(0,r.Z)(t,d);return(0,l.kt)("wrapper",(0,a.Z)({},k,n,{components:e,mdxType:"MDXLayout"}),(0,l.kt)("p",null,(0,l.kt)("inlineCode",{parentName:"p"},"oauth2-proxy")," can be configured via ",(0,l.kt)("a",{parentName:"p",href:"#command-line-options"},"command line options"),", ",(0,l.kt)("a",{parentName:"p",href:"#environment-variables"},"environment variables")," or ",(0,l.kt)("a",{parentName:"p",href:"#config-file"},"config file")," (in decreasing order of precedence, i.e. command line options will overwrite environment variables and environment variables will overwrite configuration file settings)."),(0,l.kt)("h3",{id:"generating-a-cookie-secret"},"Generating a Cookie Secret"),(0,l.kt)("p",null,"To generate a strong cookie secret use one of the below commands:"),(0,l.kt)(i.Z,{defaultValue:"python",values:[{label:"Python",value:"python"},{label:"Bash",value:"bash"},{label:"OpenSSL",value:"openssl"},{label:"PowerShell",value:"powershell"},{label:"Terraform",value:"terraform"}],mdxType:"Tabs"},(0,l.kt)(o.Z,{value:"python",mdxType:"TabItem"},(0,l.kt)("pre",null,(0,l.kt)("code",{parentName:"pre",className:"language-shell"},"python -c 'import os,base64; print(base64.urlsafe_b64encode(os.urandom(32)).decode())'\n"))),(0,l.kt)(o.Z,{value:"bash",mdxType:"TabItem"},(0,l.kt)("pre",null,(0,l.kt)("code",{parentName:"pre",className:"language-shell"},"dd if=/dev/urandom bs=32 count=1 2>/dev/null | base64 | tr -d -- '\\n' | tr -- '+/' '-_'; echo\n"))),(0,l.kt)(o.Z,{value:"openssl",mdxType:"TabItem"},(0,l.kt)("pre",null,(0,l.kt)("code",{parentName:"pre",className:"language-shell"},"openssl rand -base64 32 | tr -- '+/' '-_'\n"))),(0,l.kt)(o.Z,{value:"powershell",mdxType:"TabItem"},(0,l.kt)("pre",null,(0,l.kt)("code",{parentName:"pre",className:"language-shell"},'# Add System.Web assembly to session, just in case\nAdd-Type -AssemblyName System.Web\n[Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes([System.Web.Security.Membership]::GeneratePassword(32,4))).Replace("+","-").Replace("/","_")\n'))),(0,l.kt)(o.Z,{value:"terraform",mdxType:"TabItem"},(0,l.kt)("pre",null,(0,l.kt)("code",{parentName:"pre",className:"language-shell"},'# Valid 32 Byte Base64 URL encoding set that will decode to 24 []byte AES-192 secret\nresource "random_password" "cookie_secret" {\n length = 32\n override_special = "-_"\n}\n')))),(0,l.kt)("h3",{id:"config-file"},"Config File"),(0,l.kt)("p",null,"Every command line argument can be specified in a config file by replacing hyphens (-) with underscores (","_","). If the argument can be specified multiple times, the config option should be plural (trailing s)."),(0,l.kt)("p",null,"An example ",(0,l.kt)("a",{parentName:"p",href:"https://github.com/oauth2-proxy/oauth2-proxy/blob/master/contrib/oauth2-proxy.cfg.example"},"oauth2-proxy.cfg")," config file is in the contrib directory. It can be used by specifying ",(0,l.kt)("inlineCode",{parentName:"p"},"--config=/etc/oauth2-proxy.cfg")),(0,l.kt)("h3",{id:"command-line-options"},"Command Line Options"),(0,l.kt)("table",null,(0,l.kt)("thead",{parentName:"table"},(0,l.kt)("tr",{parentName:"thead"},(0,l.kt)("th",{parentName:"tr",align:null},"Option"),(0,l.kt)("th",{parentName:"tr",align:null},"Type"),(0,l.kt)("th",{parentName:"tr",align:null},"Description"),(0,l.kt)("th",{parentName:"tr",align:null},"Default"))),(0,l.kt)("tbody",{parentName:"table"},(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},"--acr-values")),(0,l.kt)("td",{parentName:"tr",align:null},"string"),(0,l.kt)("td",{parentName:"tr",align:null},"optional, see ",(0,l.kt)("a",{parentName:"td",href:"https://openid.net/specs/openid-connect-eap-acr-values-1_0.html#acrValues"},"docs")),(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},'""'))),(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},"--approval-prompt")),(0,l.kt)("td",{parentName:"tr",align:null},"string"),(0,l.kt)("td",{parentName:"tr",align:null},"OAuth approval_prompt"),(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},'"force"'))),(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},"--auth-logging")),(0,l.kt)("td",{parentName:"tr",align:null},"bool"),(0,l.kt)("td",{parentName:"tr",align:null},"Log authentication attempts"),(0,l.kt)("td",{parentName:"tr",align:null},"true")),(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},"--auth-logging-format")),(0,l.kt)("td",{parentName:"tr",align:null},"string"),(0,l.kt)("td",{parentName:"tr",align:null},"Template for authentication log lines"),(0,l.kt)("td",{parentName:"tr",align:null},"see ",(0,l.kt)("a",{parentName:"td",href:"#logging-configuration"},"Logging Configuration"))),(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},"--authenticated-emails-file")),(0,l.kt)("td",{parentName:"tr",align:null},"string"),(0,l.kt)("td",{parentName:"tr",align:null},"authenticate against emails via file (one per line)"),(0,l.kt)("td",{parentName:"tr",align:null})),(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},"--azure-tenant")),(0,l.kt)("td",{parentName:"tr",align:null},"string"),(0,l.kt)("td",{parentName:"tr",align:null},"go to a tenant-specific or common (tenant-independent) endpoint."),(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},'"common"'))),(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},"--basic-auth-password")),(0,l.kt)("td",{parentName:"tr",align:null},"string"),(0,l.kt)("td",{parentName:"tr",align:null},"the password to set when passing the HTTP Basic Auth header"),(0,l.kt)("td",{parentName:"tr",align:null})),(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},"--client-id")),(0,l.kt)("td",{parentName:"tr",align:null},"string"),(0,l.kt)("td",{parentName:"tr",align:null},"the OAuth Client ID, e.g. ",(0,l.kt)("inlineCode",{parentName:"td"},'"123456.apps.googleusercontent.com"')),(0,l.kt)("td",{parentName:"tr",align:null})),(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},"--client-secret")),(0,l.kt)("td",{parentName:"tr",align:null},"string"),(0,l.kt)("td",{parentName:"tr",align:null},"the OAuth Client Secret"),(0,l.kt)("td",{parentName:"tr",align:null})),(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},"--client-secret-file")),(0,l.kt)("td",{parentName:"tr",align:null},"string"),(0,l.kt)("td",{parentName:"tr",align:null},"the file with OAuth Client Secret"),(0,l.kt)("td",{parentName:"tr",align:null})),(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},"--code-challenge-method")),(0,l.kt)("td",{parentName:"tr",align:null},"string"),(0,l.kt)("td",{parentName:"tr",align:null},"use PKCE code challenges with the specified method. Either 'plain' or 'S256' (recommended)"),(0,l.kt)("td",{parentName:"tr",align:null})),(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},"--config")),(0,l.kt)("td",{parentName:"tr",align:null},"string"),(0,l.kt)("td",{parentName:"tr",align:null},"path to config file"),(0,l.kt)("td",{parentName:"tr",align:null})),(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},"--cookie-domain")),(0,l.kt)("td",{parentName:"tr",align:null},"string ","|"," list"),(0,l.kt)("td",{parentName:"tr",align:null},"Optional cookie domains to force cookies to (e.g. ",(0,l.kt)("inlineCode",{parentName:"td"},".yourcompany.com"),"). The longest domain matching the request's host will be used (or the shortest cookie domain if there is no match)."),(0,l.kt)("td",{parentName:"tr",align:null})),(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},"--cookie-expire")),(0,l.kt)("td",{parentName:"tr",align:null},"duration"),(0,l.kt)("td",{parentName:"tr",align:null},"expire timeframe for cookie"),(0,l.kt)("td",{parentName:"tr",align:null},"168h0m0s")),(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},"--cookie-httponly")),(0,l.kt)("td",{parentName:"tr",align:null},"bool"),(0,l.kt)("td",{parentName:"tr",align:null},"set HttpOnly cookie flag"),(0,l.kt)("td",{parentName:"tr",align:null},"true")),(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},"--cookie-name")),(0,l.kt)("td",{parentName:"tr",align:null},"string"),(0,l.kt)("td",{parentName:"tr",align:null},"the name of the cookie that the oauth_proxy creates. Should be changed to use a ",(0,l.kt)("a",{parentName:"td",href:"https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies#cookie_prefixes"},"cookie prefix")," (",(0,l.kt)("inlineCode",{parentName:"td"},"__Host-")," or ",(0,l.kt)("inlineCode",{parentName:"td"},"__Secure-"),") if ",(0,l.kt)("inlineCode",{parentName:"td"},"--cookie-secure")," is set."),(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},'"_oauth2_proxy"'))),(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},"--cookie-path")),(0,l.kt)("td",{parentName:"tr",align:null},"string"),(0,l.kt)("td",{parentName:"tr",align:null},"an optional cookie path to force cookies to (e.g. ",(0,l.kt)("inlineCode",{parentName:"td"},"/poc/"),")"),(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},'"/"'))),(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},"--cookie-refresh")),(0,l.kt)("td",{parentName:"tr",align:null},"duration"),(0,l.kt)("td",{parentName:"tr",align:null},"refresh the cookie after this duration; ",(0,l.kt)("inlineCode",{parentName:"td"},"0")," to disable; not supported by all providers","\xa0","[",(0,l.kt)("a",{parentName:"td",href:"#footnote1"},"1"),"]"),(0,l.kt)("td",{parentName:"tr",align:null})),(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},"--cookie-secret")),(0,l.kt)("td",{parentName:"tr",align:null},"string"),(0,l.kt)("td",{parentName:"tr",align:null},"the seed string for secure cookies (optionally base64 encoded)"),(0,l.kt)("td",{parentName:"tr",align:null})),(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},"--cookie-secure")),(0,l.kt)("td",{parentName:"tr",align:null},"bool"),(0,l.kt)("td",{parentName:"tr",align:null},"set ",(0,l.kt)("a",{parentName:"td",href:"https://owasp.org/www-community/controls/SecureFlag"},"secure (HTTPS only) cookie flag")),(0,l.kt)("td",{parentName:"tr",align:null},"true")),(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},"--cookie-samesite")),(0,l.kt)("td",{parentName:"tr",align:null},"string"),(0,l.kt)("td",{parentName:"tr",align:null},"set SameSite cookie attribute (",(0,l.kt)("inlineCode",{parentName:"td"},'"lax"'),", ",(0,l.kt)("inlineCode",{parentName:"td"},'"strict"'),", ",(0,l.kt)("inlineCode",{parentName:"td"},'"none"'),", or ",(0,l.kt)("inlineCode",{parentName:"td"},'""'),")."),(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},'""'))),(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},"--cookie-csrf-per-request")),(0,l.kt)("td",{parentName:"tr",align:null},"bool"),(0,l.kt)("td",{parentName:"tr",align:null},"Enable having different CSRF cookies per request, making it possible to have parallel requests."),(0,l.kt)("td",{parentName:"tr",align:null},"false")),(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},"--cookie-csrf-expire")),(0,l.kt)("td",{parentName:"tr",align:null},"duration"),(0,l.kt)("td",{parentName:"tr",align:null},"expire timeframe for CSRF cookie"),(0,l.kt)("td",{parentName:"tr",align:null},"15m")),(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},"--custom-templates-dir")),(0,l.kt)("td",{parentName:"tr",align:null},"string"),(0,l.kt)("td",{parentName:"tr",align:null},"path to custom html templates"),(0,l.kt)("td",{parentName:"tr",align:null})),(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},"--custom-sign-in-logo")),(0,l.kt)("td",{parentName:"tr",align:null},"string"),(0,l.kt)("td",{parentName:"tr",align:null},'path or a URL to an custom image for the sign_in page logo. Use \\"-\\" to disable default logo.'),(0,l.kt)("td",{parentName:"tr",align:null})),(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},"--display-htpasswd-form")),(0,l.kt)("td",{parentName:"tr",align:null},"bool"),(0,l.kt)("td",{parentName:"tr",align:null},"display username / password login form if an htpasswd file is provided"),(0,l.kt)("td",{parentName:"tr",align:null},"true")),(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},"--email-domain")),(0,l.kt)("td",{parentName:"tr",align:null},"string ","|"," list"),(0,l.kt)("td",{parentName:"tr",align:null},"authenticate emails with the specified domain (may be given multiple times). Use ",(0,l.kt)("inlineCode",{parentName:"td"},"*")," to authenticate any email"),(0,l.kt)("td",{parentName:"tr",align:null})),(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},"--errors-to-info-log")),(0,l.kt)("td",{parentName:"tr",align:null},"bool"),(0,l.kt)("td",{parentName:"tr",align:null},"redirects error-level logging to default log channel instead of stderr"),(0,l.kt)("td",{parentName:"tr",align:null})),(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},"--extra-jwt-issuers")),(0,l.kt)("td",{parentName:"tr",align:null},"string"),(0,l.kt)("td",{parentName:"tr",align:null},"if ",(0,l.kt)("inlineCode",{parentName:"td"},"--skip-jwt-bearer-tokens")," is set, a list of extra JWT ",(0,l.kt)("inlineCode",{parentName:"td"},"issuer=audience")," (see a token's ",(0,l.kt)("inlineCode",{parentName:"td"},"iss"),", ",(0,l.kt)("inlineCode",{parentName:"td"},"aud")," fields) pairs (where the issuer URL has a ",(0,l.kt)("inlineCode",{parentName:"td"},".well-known/openid-configuration")," or a ",(0,l.kt)("inlineCode",{parentName:"td"},".well-known/jwks.json"),")"),(0,l.kt)("td",{parentName:"tr",align:null})),(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},"--exclude-logging-path")),(0,l.kt)("td",{parentName:"tr",align:null},"string"),(0,l.kt)("td",{parentName:"tr",align:null},"comma separated list of paths to exclude from logging, e.g. ",(0,l.kt)("inlineCode",{parentName:"td"},'"/ping,/path2"')),(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},'""')," (no paths excluded)")),(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},"--flush-interval")),(0,l.kt)("td",{parentName:"tr",align:null},"duration"),(0,l.kt)("td",{parentName:"tr",align:null},"period between flushing response buffers when streaming responses"),(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},'"1s"'))),(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},"--force-https")),(0,l.kt)("td",{parentName:"tr",align:null},"bool"),(0,l.kt)("td",{parentName:"tr",align:null},"enforce https redirect"),(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},"false"))),(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},"--force-json-errors")),(0,l.kt)("td",{parentName:"tr",align:null},"bool"),(0,l.kt)("td",{parentName:"tr",align:null},"force JSON errors instead of HTTP error pages or redirects"),(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},"false"))),(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},"--banner")),(0,l.kt)("td",{parentName:"tr",align:null},"string"),(0,l.kt)("td",{parentName:"tr",align:null},"custom (html) banner string. Use ",(0,l.kt)("inlineCode",{parentName:"td"},'"-"')," to disable default banner."),(0,l.kt)("td",{parentName:"tr",align:null})),(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},"--footer")),(0,l.kt)("td",{parentName:"tr",align:null},"string"),(0,l.kt)("td",{parentName:"tr",align:null},"custom (html) footer string. Use ",(0,l.kt)("inlineCode",{parentName:"td"},'"-"')," to disable default footer."),(0,l.kt)("td",{parentName:"tr",align:null})),(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},"--github-org")),(0,l.kt)("td",{parentName:"tr",align:null},"string"),(0,l.kt)("td",{parentName:"tr",align:null},"restrict logins to members of this organisation"),(0,l.kt)("td",{parentName:"tr",align:null})),(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},"--github-team")),(0,l.kt)("td",{parentName:"tr",align:null},"string"),(0,l.kt)("td",{parentName:"tr",align:null},"restrict logins to members of any of these teams (slug), separated by a comma"),(0,l.kt)("td",{parentName:"tr",align:null})),(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},"--github-repo")),(0,l.kt)("td",{parentName:"tr",align:null},"string"),(0,l.kt)("td",{parentName:"tr",align:null},"restrict logins to collaborators of this repository formatted as ",(0,l.kt)("inlineCode",{parentName:"td"},"orgname/repo")),(0,l.kt)("td",{parentName:"tr",align:null})),(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},"--github-token")),(0,l.kt)("td",{parentName:"tr",align:null},"string"),(0,l.kt)("td",{parentName:"tr",align:null},"the token to use when verifying repository collaborators (must have push access to the repository)"),(0,l.kt)("td",{parentName:"tr",align:null})),(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},"--github-user")),(0,l.kt)("td",{parentName:"tr",align:null},"string ","|"," list"),(0,l.kt)("td",{parentName:"tr",align:null},"To allow users to login by username even if they do not belong to the specified org and team or collaborators"),(0,l.kt)("td",{parentName:"tr",align:null})),(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},"--gitlab-group")),(0,l.kt)("td",{parentName:"tr",align:null},"string ","|"," list"),(0,l.kt)("td",{parentName:"tr",align:null},"restrict logins to members of any of these groups (slug), separated by a comma"),(0,l.kt)("td",{parentName:"tr",align:null})),(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},"--gitlab-projects")),(0,l.kt)("td",{parentName:"tr",align:null},"string ","|"," list"),(0,l.kt)("td",{parentName:"tr",align:null},"restrict logins to members of any of these projects (may be given multiple times) formatted as ",(0,l.kt)("inlineCode",{parentName:"td"},"orgname/repo=accesslevel"),". Access level should be a value matching ",(0,l.kt)("a",{parentName:"td",href:"https://docs.gitlab.com/ee/api/members.html#valid-access-levels"},"Gitlab access levels"),", defaulted to 20 if absent"),(0,l.kt)("td",{parentName:"tr",align:null})),(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},"--google-admin-email")),(0,l.kt)("td",{parentName:"tr",align:null},"string"),(0,l.kt)("td",{parentName:"tr",align:null},"the google admin to impersonate for api calls"),(0,l.kt)("td",{parentName:"tr",align:null})),(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},"--google-group")),(0,l.kt)("td",{parentName:"tr",align:null},"string"),(0,l.kt)("td",{parentName:"tr",align:null},"restrict logins to members of this google group (may be given multiple times)."),(0,l.kt)("td",{parentName:"tr",align:null})),(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},"--google-service-account-json")),(0,l.kt)("td",{parentName:"tr",align:null},"string"),(0,l.kt)("td",{parentName:"tr",align:null},"the path to the service account json credentials"),(0,l.kt)("td",{parentName:"tr",align:null})),(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},"--htpasswd-file")),(0,l.kt)("td",{parentName:"tr",align:null},"string"),(0,l.kt)("td",{parentName:"tr",align:null},"additionally authenticate against a htpasswd file. Entries must be created with ",(0,l.kt)("inlineCode",{parentName:"td"},"htpasswd -B")," for bcrypt encryption"),(0,l.kt)("td",{parentName:"tr",align:null})),(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},"--htpasswd-user-group")),(0,l.kt)("td",{parentName:"tr",align:null},"string ","|"," list"),(0,l.kt)("td",{parentName:"tr",align:null},"the groups to be set on sessions for htpasswd users"),(0,l.kt)("td",{parentName:"tr",align:null})),(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},"--http-address")),(0,l.kt)("td",{parentName:"tr",align:null},"string"),(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},"[http://]:")," or ",(0,l.kt)("inlineCode",{parentName:"td"},"unix://")," to listen on for HTTP clients. Square brackets are required for ipv6 address, e.g. ",(0,l.kt)("inlineCode",{parentName:"td"},"http://[::1]:4180")),(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},'"127.0.0.1:4180"'))),(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},"--https-address")),(0,l.kt)("td",{parentName:"tr",align:null},"string"),(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},"[https://]:")," to listen on for HTTPS clients. Square brackets are required for ipv6 address, e.g. ",(0,l.kt)("inlineCode",{parentName:"td"},"https://[::1]:443")),(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},'":443"'))),(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},"--logging-compress")),(0,l.kt)("td",{parentName:"tr",align:null},"bool"),(0,l.kt)("td",{parentName:"tr",align:null},"Should rotated log files be compressed using gzip"),(0,l.kt)("td",{parentName:"tr",align:null},"false")),(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},"--logging-filename")),(0,l.kt)("td",{parentName:"tr",align:null},"string"),(0,l.kt)("td",{parentName:"tr",align:null},"File to log requests to, empty for ",(0,l.kt)("inlineCode",{parentName:"td"},"stdout")),(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},'""')," (stdout)")),(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},"--logging-local-time")),(0,l.kt)("td",{parentName:"tr",align:null},"bool"),(0,l.kt)("td",{parentName:"tr",align:null},"Use local time in log files and backup filenames instead of UTC"),(0,l.kt)("td",{parentName:"tr",align:null},"true (local time)")),(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},"--logging-max-age")),(0,l.kt)("td",{parentName:"tr",align:null},"int"),(0,l.kt)("td",{parentName:"tr",align:null},"Maximum number of days to retain old log files"),(0,l.kt)("td",{parentName:"tr",align:null},"7")),(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},"--logging-max-backups")),(0,l.kt)("td",{parentName:"tr",align:null},"int"),(0,l.kt)("td",{parentName:"tr",align:null},"Maximum number of old log files to retain; 0 to disable"),(0,l.kt)("td",{parentName:"tr",align:null},"0")),(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},"--logging-max-size")),(0,l.kt)("td",{parentName:"tr",align:null},"int"),(0,l.kt)("td",{parentName:"tr",align:null},"Maximum size in megabytes of the log file before rotation"),(0,l.kt)("td",{parentName:"tr",align:null},"100")),(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},"--jwt-key")),(0,l.kt)("td",{parentName:"tr",align:null},"string"),(0,l.kt)("td",{parentName:"tr",align:null},"private key in PEM format used to sign JWT, so that you can say something like ",(0,l.kt)("inlineCode",{parentName:"td"},'--jwt-key="${OAUTH2_PROXY_JWT_KEY}"'),": required by login.gov"),(0,l.kt)("td",{parentName:"tr",align:null})),(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},"--jwt-key-file")),(0,l.kt)("td",{parentName:"tr",align:null},"string"),(0,l.kt)("td",{parentName:"tr",align:null},"path to the private key file in PEM format used to sign the JWT so that you can say something like ",(0,l.kt)("inlineCode",{parentName:"td"},"--jwt-key-file=/etc/ssl/private/jwt_signing_key.pem"),": required by login.gov"),(0,l.kt)("td",{parentName:"tr",align:null})),(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},"--login-url")),(0,l.kt)("td",{parentName:"tr",align:null},"string"),(0,l.kt)("td",{parentName:"tr",align:null},"Authentication endpoint"),(0,l.kt)("td",{parentName:"tr",align:null})),(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},"--insecure-oidc-allow-unverified-email")),(0,l.kt)("td",{parentName:"tr",align:null},"bool"),(0,l.kt)("td",{parentName:"tr",align:null},"don't fail if an email address in an id_token is not verified"),(0,l.kt)("td",{parentName:"tr",align:null},"false")),(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},"--insecure-oidc-skip-issuer-verification")),(0,l.kt)("td",{parentName:"tr",align:null},"bool"),(0,l.kt)("td",{parentName:"tr",align:null},"allow the OIDC issuer URL to differ from the expected (currently required for Azure multi-tenant compatibility)"),(0,l.kt)("td",{parentName:"tr",align:null},"false")),(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},"--insecure-oidc-skip-nonce")),(0,l.kt)("td",{parentName:"tr",align:null},"bool"),(0,l.kt)("td",{parentName:"tr",align:null},"skip verifying the OIDC ID Token's nonce claim"),(0,l.kt)("td",{parentName:"tr",align:null},"true")),(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},"--oidc-issuer-url")),(0,l.kt)("td",{parentName:"tr",align:null},"string"),(0,l.kt)("td",{parentName:"tr",align:null},"the OpenID Connect issuer URL, e.g. ",(0,l.kt)("inlineCode",{parentName:"td"},'"https://accounts.google.com"')),(0,l.kt)("td",{parentName:"tr",align:null})),(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},"--oidc-jwks-url")),(0,l.kt)("td",{parentName:"tr",align:null},"string"),(0,l.kt)("td",{parentName:"tr",align:null},"OIDC JWKS URI for token verification; required if OIDC discovery is disabled"),(0,l.kt)("td",{parentName:"tr",align:null})),(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},"--oidc-email-claim")),(0,l.kt)("td",{parentName:"tr",align:null},"string"),(0,l.kt)("td",{parentName:"tr",align:null},"which OIDC claim contains the user's email"),(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},'"email"'))),(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},"--oidc-groups-claim")),(0,l.kt)("td",{parentName:"tr",align:null},"string"),(0,l.kt)("td",{parentName:"tr",align:null},"which OIDC claim contains the user groups"),(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},'"groups"'))),(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},"--oidc-audience-claim")),(0,l.kt)("td",{parentName:"tr",align:null},"string"),(0,l.kt)("td",{parentName:"tr",align:null},"which OIDC claim contains the audience"),(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},'"aud"'))),(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},"--oidc-extra-audience")),(0,l.kt)("td",{parentName:"tr",align:null},"string ","|"," list"),(0,l.kt)("td",{parentName:"tr",align:null},"additional audiences which are allowed to pass verification"),(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},'"[]"'))),(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},"--pass-access-token")),(0,l.kt)("td",{parentName:"tr",align:null},"bool"),(0,l.kt)("td",{parentName:"tr",align:null},"pass OAuth access_token to upstream via X-Forwarded-Access-Token header. When used with ",(0,l.kt)("inlineCode",{parentName:"td"},"--set-xauthrequest")," this adds the X-Auth-Request-Access-Token header to the response"),(0,l.kt)("td",{parentName:"tr",align:null},"false")),(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},"--pass-authorization-header")),(0,l.kt)("td",{parentName:"tr",align:null},"bool"),(0,l.kt)("td",{parentName:"tr",align:null},"pass OIDC IDToken to upstream via Authorization Bearer header"),(0,l.kt)("td",{parentName:"tr",align:null},"false")),(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},"--pass-basic-auth")),(0,l.kt)("td",{parentName:"tr",align:null},"bool"),(0,l.kt)("td",{parentName:"tr",align:null},"pass HTTP Basic Auth, X-Forwarded-User, X-Forwarded-Email and X-Forwarded-Preferred-Username information to upstream"),(0,l.kt)("td",{parentName:"tr",align:null},"true")),(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},"--prefer-email-to-user")),(0,l.kt)("td",{parentName:"tr",align:null},"bool"),(0,l.kt)("td",{parentName:"tr",align:null},"Prefer to use the Email address as the Username when passing information to upstream. Will only use Username if Email is unavailable, e.g. htaccess authentication. Used in conjunction with ",(0,l.kt)("inlineCode",{parentName:"td"},"--pass-basic-auth")," and ",(0,l.kt)("inlineCode",{parentName:"td"},"--pass-user-headers")),(0,l.kt)("td",{parentName:"tr",align:null},"false")),(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},"--pass-host-header")),(0,l.kt)("td",{parentName:"tr",align:null},"bool"),(0,l.kt)("td",{parentName:"tr",align:null},"pass the request Host Header to upstream"),(0,l.kt)("td",{parentName:"tr",align:null},"true")),(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},"--pass-user-headers")),(0,l.kt)("td",{parentName:"tr",align:null},"bool"),(0,l.kt)("td",{parentName:"tr",align:null},"pass X-Forwarded-User, X-Forwarded-Groups, X-Forwarded-Email and X-Forwarded-Preferred-Username information to upstream"),(0,l.kt)("td",{parentName:"tr",align:null},"true")),(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},"--profile-url")),(0,l.kt)("td",{parentName:"tr",align:null},"string"),(0,l.kt)("td",{parentName:"tr",align:null},"Profile access endpoint"),(0,l.kt)("td",{parentName:"tr",align:null})),(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},"--prompt")),(0,l.kt)("td",{parentName:"tr",align:null},"string"),(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("a",{parentName:"td",href:"https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest"},"OIDC prompt"),"; if present, ",(0,l.kt)("inlineCode",{parentName:"td"},"approval-prompt")," is ignored"),(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},'""'))),(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},"--provider")),(0,l.kt)("td",{parentName:"tr",align:null},"string"),(0,l.kt)("td",{parentName:"tr",align:null},"OAuth provider"),(0,l.kt)("td",{parentName:"tr",align:null},"google")),(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},"--provider-ca-file")),(0,l.kt)("td",{parentName:"tr",align:null},"string ","|"," list"),(0,l.kt)("td",{parentName:"tr",align:null},"Paths to CA certificates that should be used when connecting to the provider. If not specified, the default Go trust sources are used instead."),(0,l.kt)("td",{parentName:"tr",align:null})),(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},"--provider-display-name")),(0,l.kt)("td",{parentName:"tr",align:null},"string"),(0,l.kt)("td",{parentName:"tr",align:null},"Override the provider's name with the given string; used for the sign-in page"),(0,l.kt)("td",{parentName:"tr",align:null},"(depends on provider)")),(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},"--ping-path")),(0,l.kt)("td",{parentName:"tr",align:null},"string"),(0,l.kt)("td",{parentName:"tr",align:null},"the ping endpoint that can be used for basic health checks"),(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},'"/ping"'))),(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},"--ping-user-agent")),(0,l.kt)("td",{parentName:"tr",align:null},"string"),(0,l.kt)("td",{parentName:"tr",align:null},"a User-Agent that can be used for basic health checks"),(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},'""')," (don't check user agent)")),(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},"--metrics-address")),(0,l.kt)("td",{parentName:"tr",align:null},"string"),(0,l.kt)("td",{parentName:"tr",align:null},"the address prometheus metrics will be scraped from"),(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},'""'))),(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},"--proxy-prefix")),(0,l.kt)("td",{parentName:"tr",align:null},"string"),(0,l.kt)("td",{parentName:"tr",align:null},"the url root path that this proxy should be nested under (e.g. /",(0,l.kt)("inlineCode",{parentName:"td"},"/sign_in"),")"),(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},'"/oauth2"'))),(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},"--proxy-websockets")),(0,l.kt)("td",{parentName:"tr",align:null},"bool"),(0,l.kt)("td",{parentName:"tr",align:null},"enables WebSocket proxying"),(0,l.kt)("td",{parentName:"tr",align:null},"true")),(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},"--pubjwk-url")),(0,l.kt)("td",{parentName:"tr",align:null},"string"),(0,l.kt)("td",{parentName:"tr",align:null},"JWK pubkey access endpoint: required by login.gov"),(0,l.kt)("td",{parentName:"tr",align:null})),(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},"--real-client-ip-header")),(0,l.kt)("td",{parentName:"tr",align:null},"string"),(0,l.kt)("td",{parentName:"tr",align:null},"Header used to determine the real IP of the client, requires ",(0,l.kt)("inlineCode",{parentName:"td"},"--reverse-proxy")," to be set (one of: X-Forwarded-For, X-Real-IP, or X-ProxyUser-IP)"),(0,l.kt)("td",{parentName:"tr",align:null},"X-Real-IP")),(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},"--redeem-url")),(0,l.kt)("td",{parentName:"tr",align:null},"string"),(0,l.kt)("td",{parentName:"tr",align:null},"Token redemption endpoint"),(0,l.kt)("td",{parentName:"tr",align:null})),(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},"--redirect-url")),(0,l.kt)("td",{parentName:"tr",align:null},"string"),(0,l.kt)("td",{parentName:"tr",align:null},"the OAuth Redirect URL, e.g. ",(0,l.kt)("inlineCode",{parentName:"td"},'"https://internalapp.yourcompany.com/oauth2/callback"')),(0,l.kt)("td",{parentName:"tr",align:null})),(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},"--redis-cluster-connection-urls")),(0,l.kt)("td",{parentName:"tr",align:null},"string ","|"," list"),(0,l.kt)("td",{parentName:"tr",align:null},"List of Redis cluster connection URLs (e.g. ",(0,l.kt)("inlineCode",{parentName:"td"},"redis://HOST[:PORT]"),"). Used in conjunction with ",(0,l.kt)("inlineCode",{parentName:"td"},"--redis-use-cluster")),(0,l.kt)("td",{parentName:"tr",align:null})),(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},"--redis-connection-url")),(0,l.kt)("td",{parentName:"tr",align:null},"string"),(0,l.kt)("td",{parentName:"tr",align:null},"URL of redis server for redis session storage (e.g. ",(0,l.kt)("inlineCode",{parentName:"td"},"redis://HOST[:PORT]"),")"),(0,l.kt)("td",{parentName:"tr",align:null})),(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},"--redis-password")),(0,l.kt)("td",{parentName:"tr",align:null},"string"),(0,l.kt)("td",{parentName:"tr",align:null},"Redis password. Applicable for all Redis configurations. Will override any password set in ",(0,l.kt)("inlineCode",{parentName:"td"},"--redis-connection-url")),(0,l.kt)("td",{parentName:"tr",align:null})),(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},"--redis-sentinel-password")),(0,l.kt)("td",{parentName:"tr",align:null},"string"),(0,l.kt)("td",{parentName:"tr",align:null},"Redis sentinel password. Used only for sentinel connection; any redis node passwords need to use ",(0,l.kt)("inlineCode",{parentName:"td"},"--redis-password")),(0,l.kt)("td",{parentName:"tr",align:null})),(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},"--redis-sentinel-master-name")),(0,l.kt)("td",{parentName:"tr",align:null},"string"),(0,l.kt)("td",{parentName:"tr",align:null},"Redis sentinel master name. Used in conjunction with ",(0,l.kt)("inlineCode",{parentName:"td"},"--redis-use-sentinel")),(0,l.kt)("td",{parentName:"tr",align:null})),(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},"--redis-sentinel-connection-urls")),(0,l.kt)("td",{parentName:"tr",align:null},"string ","|"," list"),(0,l.kt)("td",{parentName:"tr",align:null},"List of Redis sentinel connection URLs (e.g. ",(0,l.kt)("inlineCode",{parentName:"td"},"redis://HOST[:PORT]"),"). Used in conjunction with ",(0,l.kt)("inlineCode",{parentName:"td"},"--redis-use-sentinel")),(0,l.kt)("td",{parentName:"tr",align:null})),(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},"--redis-use-cluster")),(0,l.kt)("td",{parentName:"tr",align:null},"bool"),(0,l.kt)("td",{parentName:"tr",align:null},"Connect to redis cluster. Must set ",(0,l.kt)("inlineCode",{parentName:"td"},"--redis-cluster-connection-urls")," to use this feature"),(0,l.kt)("td",{parentName:"tr",align:null},"false")),(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},"--redis-use-sentinel")),(0,l.kt)("td",{parentName:"tr",align:null},"bool"),(0,l.kt)("td",{parentName:"tr",align:null},"Connect to redis via sentinels. Must set ",(0,l.kt)("inlineCode",{parentName:"td"},"--redis-sentinel-master-name")," and ",(0,l.kt)("inlineCode",{parentName:"td"},"--redis-sentinel-connection-urls")," to use this feature"),(0,l.kt)("td",{parentName:"tr",align:null},"false")),(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},"--redis-connection-idle-timeout")),(0,l.kt)("td",{parentName:"tr",align:null},"int"),(0,l.kt)("td",{parentName:"tr",align:null},"Redis connection idle timeout seconds. If Redis ",(0,l.kt)("a",{parentName:"td",href:"https://redis.io/docs/reference/clients/#client-timeouts"},"timeout")," option is set to non-zero, the ",(0,l.kt)("inlineCode",{parentName:"td"},"--redis-connection-idle-timeout")," must be less than Redis timeout option. Exmpale: if either redis.conf includes ",(0,l.kt)("inlineCode",{parentName:"td"},"timeout 15")," or using ",(0,l.kt)("inlineCode",{parentName:"td"},"CONFIG SET timeout 15")," the ",(0,l.kt)("inlineCode",{parentName:"td"},"--redis-connection-idle-timeout")," must be at least ",(0,l.kt)("inlineCode",{parentName:"td"},"--redis-connection-idle-timeout=14")),(0,l.kt)("td",{parentName:"tr",align:null},"0")),(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},"--request-id-header")),(0,l.kt)("td",{parentName:"tr",align:null},"string"),(0,l.kt)("td",{parentName:"tr",align:null},"Request header to use as the request ID in logging"),(0,l.kt)("td",{parentName:"tr",align:null},"X-Request-Id")),(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},"--request-logging")),(0,l.kt)("td",{parentName:"tr",align:null},"bool"),(0,l.kt)("td",{parentName:"tr",align:null},"Log requests"),(0,l.kt)("td",{parentName:"tr",align:null},"true")),(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},"--request-logging-format")),(0,l.kt)("td",{parentName:"tr",align:null},"string"),(0,l.kt)("td",{parentName:"tr",align:null},"Template for request log lines"),(0,l.kt)("td",{parentName:"tr",align:null},"see ",(0,l.kt)("a",{parentName:"td",href:"#logging-configuration"},"Logging Configuration"))),(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},"--resource")),(0,l.kt)("td",{parentName:"tr",align:null},"string"),(0,l.kt)("td",{parentName:"tr",align:null},"The resource that is protected (Azure AD only)"),(0,l.kt)("td",{parentName:"tr",align:null})),(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},"--reverse-proxy")),(0,l.kt)("td",{parentName:"tr",align:null},"bool"),(0,l.kt)("td",{parentName:"tr",align:null},"are we running behind a reverse proxy, controls whether headers like X-Real-IP are accepted and allows X-Forwarded-{Proto,Host,Uri} headers to be used on redirect selection"),(0,l.kt)("td",{parentName:"tr",align:null},"false")),(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},"--scope")),(0,l.kt)("td",{parentName:"tr",align:null},"string"),(0,l.kt)("td",{parentName:"tr",align:null},"OAuth scope specification"),(0,l.kt)("td",{parentName:"tr",align:null})),(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},"--session-cookie-minimal")),(0,l.kt)("td",{parentName:"tr",align:null},"bool"),(0,l.kt)("td",{parentName:"tr",align:null},"strip OAuth tokens from cookie session stores if they aren't needed (cookie session store only)"),(0,l.kt)("td",{parentName:"tr",align:null},"false")),(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},"--session-store-type")),(0,l.kt)("td",{parentName:"tr",align:null},"string"),(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("a",{parentName:"td",href:"/oauth2-proxy/docs/next/configuration/session_storage"},"Session data storage backend"),"; redis or cookie"),(0,l.kt)("td",{parentName:"tr",align:null},"cookie")),(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},"--set-xauthrequest")),(0,l.kt)("td",{parentName:"tr",align:null},"bool"),(0,l.kt)("td",{parentName:"tr",align:null},"set X-Auth-Request-User, X-Auth-Request-Groups, X-Auth-Request-Email and X-Auth-Request-Preferred-Username response headers (useful in Nginx auth_request mode). When used with ",(0,l.kt)("inlineCode",{parentName:"td"},"--pass-access-token"),", X-Auth-Request-Access-Token is added to response headers."),(0,l.kt)("td",{parentName:"tr",align:null},"false")),(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},"--set-authorization-header")),(0,l.kt)("td",{parentName:"tr",align:null},"bool"),(0,l.kt)("td",{parentName:"tr",align:null},"set Authorization Bearer response header (useful in Nginx auth_request mode)"),(0,l.kt)("td",{parentName:"tr",align:null},"false")),(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},"--set-basic-auth")),(0,l.kt)("td",{parentName:"tr",align:null},"bool"),(0,l.kt)("td",{parentName:"tr",align:null},"set HTTP Basic Auth information in response (useful in Nginx auth_request mode)"),(0,l.kt)("td",{parentName:"tr",align:null},"false")),(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},"--show-debug-on-error")),(0,l.kt)("td",{parentName:"tr",align:null},"bool"),(0,l.kt)("td",{parentName:"tr",align:null},"show detailed error information on error pages (WARNING: this may contain sensitive information - do not use in production)"),(0,l.kt)("td",{parentName:"tr",align:null},"false")),(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},"--signature-key")),(0,l.kt)("td",{parentName:"tr",align:null},"string"),(0,l.kt)("td",{parentName:"tr",align:null},"GAP-Signature request signature key (algorithm:secretkey)"),(0,l.kt)("td",{parentName:"tr",align:null})),(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},"--silence-ping-logging")),(0,l.kt)("td",{parentName:"tr",align:null},"bool"),(0,l.kt)("td",{parentName:"tr",align:null},"disable logging of requests to ping endpoint"),(0,l.kt)("td",{parentName:"tr",align:null},"false")),(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},"--skip-auth-preflight")),(0,l.kt)("td",{parentName:"tr",align:null},"bool"),(0,l.kt)("td",{parentName:"tr",align:null},"will skip authentication for OPTIONS requests"),(0,l.kt)("td",{parentName:"tr",align:null},"false")),(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},"--skip-auth-regex")),(0,l.kt)("td",{parentName:"tr",align:null},"string ","|"," list"),(0,l.kt)("td",{parentName:"tr",align:null},"(DEPRECATED for ",(0,l.kt)("inlineCode",{parentName:"td"},"--skip-auth-route"),") bypass authentication for requests paths that match (may be given multiple times)"),(0,l.kt)("td",{parentName:"tr",align:null})),(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},"--skip-auth-route")),(0,l.kt)("td",{parentName:"tr",align:null},"string ","|"," list"),(0,l.kt)("td",{parentName:"tr",align:null},"bypass authentication for requests that match the method & path. Format: method=path_regex OR method!=path_regex. For all methods: path_regex OR !=path_regex"),(0,l.kt)("td",{parentName:"tr",align:null})),(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},"--skip-auth-strip-headers")),(0,l.kt)("td",{parentName:"tr",align:null},"bool"),(0,l.kt)("td",{parentName:"tr",align:null},"strips ",(0,l.kt)("inlineCode",{parentName:"td"},"X-Forwarded-*")," style authentication headers & ",(0,l.kt)("inlineCode",{parentName:"td"},"Authorization")," header if they would be set by oauth2-proxy"),(0,l.kt)("td",{parentName:"tr",align:null},"true")),(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},"--skip-jwt-bearer-tokens")),(0,l.kt)("td",{parentName:"tr",align:null},"bool"),(0,l.kt)("td",{parentName:"tr",align:null},"will skip requests that have verified JWT bearer tokens (the token must have ",(0,l.kt)("a",{parentName:"td",href:"https://en.wikipedia.org/wiki/JSON_Web_Token#Standard_fields"},(0,l.kt)("inlineCode",{parentName:"a"},"aud"))," that matches this client id or one of the extras from ",(0,l.kt)("inlineCode",{parentName:"td"},"extra-jwt-issuers"),")"),(0,l.kt)("td",{parentName:"tr",align:null},"false")),(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},"--skip-oidc-discovery")),(0,l.kt)("td",{parentName:"tr",align:null},"bool"),(0,l.kt)("td",{parentName:"tr",align:null},"bypass OIDC endpoint discovery. ",(0,l.kt)("inlineCode",{parentName:"td"},"--login-url"),", ",(0,l.kt)("inlineCode",{parentName:"td"},"--redeem-url")," and ",(0,l.kt)("inlineCode",{parentName:"td"},"--oidc-jwks-url")," must be configured in this case"),(0,l.kt)("td",{parentName:"tr",align:null},"false")),(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},"--skip-provider-button")),(0,l.kt)("td",{parentName:"tr",align:null},"bool"),(0,l.kt)("td",{parentName:"tr",align:null},"will skip sign-in-page to directly reach the next step: oauth/start"),(0,l.kt)("td",{parentName:"tr",align:null},"false")),(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},"--ssl-insecure-skip-verify")),(0,l.kt)("td",{parentName:"tr",align:null},"bool"),(0,l.kt)("td",{parentName:"tr",align:null},"skip validation of certificates presented when using HTTPS providers"),(0,l.kt)("td",{parentName:"tr",align:null},"false")),(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},"--ssl-upstream-insecure-skip-verify")),(0,l.kt)("td",{parentName:"tr",align:null},"bool"),(0,l.kt)("td",{parentName:"tr",align:null},"skip validation of certificates presented when using HTTPS upstreams"),(0,l.kt)("td",{parentName:"tr",align:null},"false")),(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},"--standard-logging")),(0,l.kt)("td",{parentName:"tr",align:null},"bool"),(0,l.kt)("td",{parentName:"tr",align:null},"Log standard runtime information"),(0,l.kt)("td",{parentName:"tr",align:null},"true")),(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},"--standard-logging-format")),(0,l.kt)("td",{parentName:"tr",align:null},"string"),(0,l.kt)("td",{parentName:"tr",align:null},"Template for standard log lines"),(0,l.kt)("td",{parentName:"tr",align:null},"see ",(0,l.kt)("a",{parentName:"td",href:"#logging-configuration"},"Logging Configuration"))),(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},"--tls-cert-file")),(0,l.kt)("td",{parentName:"tr",align:null},"string"),(0,l.kt)("td",{parentName:"tr",align:null},"path to certificate file"),(0,l.kt)("td",{parentName:"tr",align:null})),(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},"--tls-cipher-suite")),(0,l.kt)("td",{parentName:"tr",align:null},"string ","|"," list"),(0,l.kt)("td",{parentName:"tr",align:null},"Restricts TLS cipher suites used by server to those listed (e.g. TLS_RSA_WITH_RC4_128_SHA) (may be given multiple times). If not specified, the default Go safe cipher list is used. List of valid cipher suites can be found in the ",(0,l.kt)("a",{parentName:"td",href:"https://pkg.go.dev/crypto/tls#pkg-constants"},"crypto/tls documentation"),"."),(0,l.kt)("td",{parentName:"tr",align:null})),(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},"--tls-key-file")),(0,l.kt)("td",{parentName:"tr",align:null},"string"),(0,l.kt)("td",{parentName:"tr",align:null},"path to private key file"),(0,l.kt)("td",{parentName:"tr",align:null})),(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},"--tls-min-version")),(0,l.kt)("td",{parentName:"tr",align:null},"string"),(0,l.kt)("td",{parentName:"tr",align:null},"minimum TLS version that is acceptable, either ",(0,l.kt)("inlineCode",{parentName:"td"},'"TLS1.2"')," or ",(0,l.kt)("inlineCode",{parentName:"td"},'"TLS1.3"')),(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},'"TLS1.2"'))),(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},"--upstream")),(0,l.kt)("td",{parentName:"tr",align:null},"string ","|"," list"),(0,l.kt)("td",{parentName:"tr",align:null},"the http url(s) of the upstream endpoint, file:// paths for static files or ",(0,l.kt)("inlineCode",{parentName:"td"},"static://")," for static response. Routing is based on the path"),(0,l.kt)("td",{parentName:"tr",align:null})),(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},"--upstream-timeout")),(0,l.kt)("td",{parentName:"tr",align:null},"duration"),(0,l.kt)("td",{parentName:"tr",align:null},"maximum amount of time the server will wait for a response from the upstream"),(0,l.kt)("td",{parentName:"tr",align:null},"30s")),(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},"--allowed-group")),(0,l.kt)("td",{parentName:"tr",align:null},"string ","|"," list"),(0,l.kt)("td",{parentName:"tr",align:null},"restrict logins to members of this group (may be given multiple times)"),(0,l.kt)("td",{parentName:"tr",align:null})),(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},"--allowed-role")),(0,l.kt)("td",{parentName:"tr",align:null},"string ","|"," list"),(0,l.kt)("td",{parentName:"tr",align:null},"restrict logins to users with this role (may be given multiple times). Only works with the keycloak-oidc provider."),(0,l.kt)("td",{parentName:"tr",align:null})),(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},"--validate-url")),(0,l.kt)("td",{parentName:"tr",align:null},"string"),(0,l.kt)("td",{parentName:"tr",align:null},"Access token validation endpoint"),(0,l.kt)("td",{parentName:"tr",align:null})),(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},"--version")),(0,l.kt)("td",{parentName:"tr",align:null},"n/a"),(0,l.kt)("td",{parentName:"tr",align:null},"print version string"),(0,l.kt)("td",{parentName:"tr",align:null})),(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},"--whitelist-domain")),(0,l.kt)("td",{parentName:"tr",align:null},"string ","|"," list"),(0,l.kt)("td",{parentName:"tr",align:null},"allowed domains for redirection after authentication. Prefix domain with a ",(0,l.kt)("inlineCode",{parentName:"td"},".")," or a ",(0,l.kt)("inlineCode",{parentName:"td"},"*.")," to allow subdomains (e.g. ",(0,l.kt)("inlineCode",{parentName:"td"},".example.com"),", ",(0,l.kt)("inlineCode",{parentName:"td"},"*.example.com"),")","\xa0","[",(0,l.kt)("a",{parentName:"td",href:"#footnote2"},"2"),"]"),(0,l.kt)("td",{parentName:"tr",align:null})),(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("inlineCode",{parentName:"td"},"--trusted-ip")),(0,l.kt)("td",{parentName:"tr",align:null},"string ","|"," list"),(0,l.kt)("td",{parentName:"tr",align:null},"list of IPs or CIDR ranges to allow to bypass authentication (may be given multiple times). When combined with ",(0,l.kt)("inlineCode",{parentName:"td"},"--reverse-proxy")," and optionally ",(0,l.kt)("inlineCode",{parentName:"td"},"--real-client-ip-header")," this will evaluate the trust of the IP stored in an HTTP header by a reverse proxy rather than the layer-3/4 remote address. WARNING: trusting IPs has inherent security flaws, especially when obtaining the IP address from an HTTP header (reverse-proxy mode). Use this option only if you understand the risks and how to manage them."),(0,l.kt)("td",{parentName:"tr",align:null})))),(0,l.kt)("p",null,"[",(0,l.kt)("a",{name:"footnote1"},"1"),"]",": Only these providers support ",(0,l.kt)("inlineCode",{parentName:"p"},"--cookie-refresh"),": GitLab, Google and OIDC"),(0,l.kt)("p",null,"[",(0,l.kt)("a",{name:"footnote2"},"2"),"]",": When using the ",(0,l.kt)("inlineCode",{parentName:"p"},"whitelist-domain")," option, any domain prefixed with a ",(0,l.kt)("inlineCode",{parentName:"p"},".")," or a ",(0,l.kt)("inlineCode",{parentName:"p"},"*.")," will allow any subdomain of the specified domain as a valid redirect URL. By default, only empty ports are allowed. This translates to allowing the default port of the URL's protocol (80 for HTTP, 443 for HTTPS, etc.) since browsers omit them. To allow only a specific port, add it to the whitelisted domain: ",(0,l.kt)("inlineCode",{parentName:"p"},"example.com:8080"),". To allow any port, use ",(0,l.kt)("inlineCode",{parentName:"p"},"*"),": ",(0,l.kt)("inlineCode",{parentName:"p"},"example.com:*"),"."),(0,l.kt)("p",null,"See below for provider specific options"),(0,l.kt)("h3",{id:"upstreams-configuration"},"Upstreams Configuration"),(0,l.kt)("p",null,(0,l.kt)("inlineCode",{parentName:"p"},"oauth2-proxy")," supports having multiple upstreams, and has the option to pass requests on to HTTP(S) servers or serve static files from the file system. HTTP and HTTPS upstreams are configured by providing a URL such as ",(0,l.kt)("inlineCode",{parentName:"p"},"http://127.0.0.1:8080/")," for the upstream parameter. This will forward all authenticated requests to the upstream server. If you instead provide ",(0,l.kt)("inlineCode",{parentName:"p"},"http://127.0.0.1:8080/some/path/")," then it will only be requests that start with ",(0,l.kt)("inlineCode",{parentName:"p"},"/some/path/")," which are forwarded to the upstream."),(0,l.kt)("p",null,"Static file paths are configured as a file:// URL. ",(0,l.kt)("inlineCode",{parentName:"p"},"file:///var/www/static/")," will serve the files from that directory at ",(0,l.kt)("inlineCode",{parentName:"p"},"http://[oauth2-proxy url]/var/www/static/"),", which may not be what you want. You can provide the path to where the files should be available by adding a fragment to the configured URL. The value of the fragment will then be used to specify which path the files are available at, e.g. ",(0,l.kt)("inlineCode",{parentName:"p"},"file:///var/www/static/#/static/")," will make ",(0,l.kt)("inlineCode",{parentName:"p"},"/var/www/static/")," available at ",(0,l.kt)("inlineCode",{parentName:"p"},"http://[oauth2-proxy url]/static/"),"."),(0,l.kt)("p",null,"Multiple upstreams can either be configured by supplying a comma separated list to the ",(0,l.kt)("inlineCode",{parentName:"p"},"--upstream")," parameter, supplying the parameter multiple times or providing a list in the ",(0,l.kt)("a",{parentName:"p",href:"#config-file"},"config file"),". When multiple upstreams are used routing to them will be based on the path they are set up with."),(0,l.kt)("h3",{id:"environment-variables"},"Environment variables"),(0,l.kt)("p",null,"Every command line argument can be specified as an environment variable by\nprefixing it with ",(0,l.kt)("inlineCode",{parentName:"p"},"OAUTH2_PROXY_"),", capitalising it, and replacing hyphens (",(0,l.kt)("inlineCode",{parentName:"p"},"-"),")\nwith underscores (",(0,l.kt)("inlineCode",{parentName:"p"},"_"),"). If the argument can be specified multiple times, the\nenvironment variable should be plural (trailing ",(0,l.kt)("inlineCode",{parentName:"p"},"S"),")."),(0,l.kt)("p",null,"This is particularly useful for storing secrets outside of a configuration file\nor the command line."),(0,l.kt)("p",null,"For example, the ",(0,l.kt)("inlineCode",{parentName:"p"},"--cookie-secret")," flag becomes ",(0,l.kt)("inlineCode",{parentName:"p"},"OAUTH2_PROXY_COOKIE_SECRET"),",\nand the ",(0,l.kt)("inlineCode",{parentName:"p"},"--email-domain")," flag becomes ",(0,l.kt)("inlineCode",{parentName:"p"},"OAUTH2_PROXY_EMAIL_DOMAINS"),"."),(0,l.kt)("h2",{id:"logging-configuration"},"Logging Configuration"),(0,l.kt)("p",null,"By default, OAuth2 Proxy logs all output to stdout. Logging can be configured to output to a rotating log file using the ",(0,l.kt)("inlineCode",{parentName:"p"},"--logging-filename")," command."),(0,l.kt)("p",null,"If logging to a file you can also configure the maximum file size (",(0,l.kt)("inlineCode",{parentName:"p"},"--logging-max-size"),"), age (",(0,l.kt)("inlineCode",{parentName:"p"},"--logging-max-age"),"), max backup logs (",(0,l.kt)("inlineCode",{parentName:"p"},"--logging-max-backups"),"), and if backup logs should be compressed (",(0,l.kt)("inlineCode",{parentName:"p"},"--logging-compress"),")."),(0,l.kt)("p",null,"There are three different types of logging: standard, authentication, and HTTP requests. These can each be enabled or disabled with ",(0,l.kt)("inlineCode",{parentName:"p"},"--standard-logging"),", ",(0,l.kt)("inlineCode",{parentName:"p"},"--auth-logging"),", and ",(0,l.kt)("inlineCode",{parentName:"p"},"--request-logging"),"."),(0,l.kt)("p",null,"Each type of logging has its own configurable format and variables. By default these formats are similar to the Apache Combined Log."),(0,l.kt)("p",null,"Logging of requests to the ",(0,l.kt)("inlineCode",{parentName:"p"},"/ping")," endpoint (or using ",(0,l.kt)("inlineCode",{parentName:"p"},"--ping-user-agent"),") can be disabled with ",(0,l.kt)("inlineCode",{parentName:"p"},"--silence-ping-logging")," reducing log volume. This flag appends the ",(0,l.kt)("inlineCode",{parentName:"p"},"--ping-path")," to ",(0,l.kt)("inlineCode",{parentName:"p"},"--exclude-logging-paths"),"."),(0,l.kt)("h3",{id:"auth-log-format"},"Auth Log Format"),(0,l.kt)("p",null,"Authentication logs are logs which are guaranteed to contain a username or email address of a user attempting to authenticate. These logs are output by default in the below format:"),(0,l.kt)("pre",null,(0,l.kt)("code",{parentName:"pre"}," - - [19/Mar/2015:17:20:19 -0400] [] \n")),(0,l.kt)("p",null,"The status block will contain one of the below strings:"),(0,l.kt)("ul",null,(0,l.kt)("li",{parentName:"ul"},(0,l.kt)("inlineCode",{parentName:"li"},"AuthSuccess")," If a user has authenticated successfully by any method"),(0,l.kt)("li",{parentName:"ul"},(0,l.kt)("inlineCode",{parentName:"li"},"AuthFailure")," If the user failed to authenticate explicitly"),(0,l.kt)("li",{parentName:"ul"},(0,l.kt)("inlineCode",{parentName:"li"},"AuthError")," If there was an unexpected error during authentication")),(0,l.kt)("p",null,"If you require a different format than that, you can configure it with the ",(0,l.kt)("inlineCode",{parentName:"p"},"--auth-logging-format")," flag.\nThe default format is configured as follows:"),(0,l.kt)("pre",null,(0,l.kt)("code",{parentName:"pre"},"{{.Client}} - {{.RequestID}} - {{.Username}} [{{.Timestamp}}] [{{.Status}}] {{.Message}}\n")),(0,l.kt)("p",null,"Available variables for auth logging:"),(0,l.kt)("table",null,(0,l.kt)("thead",{parentName:"table"},(0,l.kt)("tr",{parentName:"thead"},(0,l.kt)("th",{parentName:"tr",align:null},"Variable"),(0,l.kt)("th",{parentName:"tr",align:null},"Example"),(0,l.kt)("th",{parentName:"tr",align:null},"Description"))),(0,l.kt)("tbody",{parentName:"table"},(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},"Client"),(0,l.kt)("td",{parentName:"tr",align:null},"74.125.224.72"),(0,l.kt)("td",{parentName:"tr",align:null},"The client/remote IP address. Will use the X-Real-IP header it if exists & reverse-proxy is set to true.")),(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},"Host"),(0,l.kt)("td",{parentName:"tr",align:null},"domain.com"),(0,l.kt)("td",{parentName:"tr",align:null},"The value of the Host header.")),(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},"Message"),(0,l.kt)("td",{parentName:"tr",align:null},"Authenticated via OAuth2"),(0,l.kt)("td",{parentName:"tr",align:null},"The details of the auth attempt.")),(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},"Protocol"),(0,l.kt)("td",{parentName:"tr",align:null},"HTTP/1.0"),(0,l.kt)("td",{parentName:"tr",align:null},"The request protocol.")),(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},"RequestID"),(0,l.kt)("td",{parentName:"tr",align:null},"00010203-0405-4607-8809-0a0b0c0d0e0f"),(0,l.kt)("td",{parentName:"tr",align:null},"The request ID pulled from the ",(0,l.kt)("inlineCode",{parentName:"td"},"--request-id-header"),". Random UUID if empty")),(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},"RequestMethod"),(0,l.kt)("td",{parentName:"tr",align:null},"GET"),(0,l.kt)("td",{parentName:"tr",align:null},"The request method.")),(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},"Timestamp"),(0,l.kt)("td",{parentName:"tr",align:null},"19/Mar/2015:17:20:19 -0400"),(0,l.kt)("td",{parentName:"tr",align:null},"The date and time of the logging event.")),(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},"UserAgent"),(0,l.kt)("td",{parentName:"tr",align:null},"-"),(0,l.kt)("td",{parentName:"tr",align:null},"The full user agent as reported by the requesting client.")),(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},"Username"),(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("a",{parentName:"td",href:"mailto:username@email.com"},"username@email.com")),(0,l.kt)("td",{parentName:"tr",align:null},"The email or username of the auth request.")),(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},"Status"),(0,l.kt)("td",{parentName:"tr",align:null},"AuthSuccess"),(0,l.kt)("td",{parentName:"tr",align:null},"The status of the auth request. See above for details.")))),(0,l.kt)("h3",{id:"request-log-format"},"Request Log Format"),(0,l.kt)("p",null,"HTTP request logs will output by default in the below format:"),(0,l.kt)("pre",null,(0,l.kt)("code",{parentName:"pre"},' - - [19/Mar/2015:17:20:19 -0400] GET "/path/" HTTP/1.1 "" \n')),(0,l.kt)("p",null,"If you require a different format than that, you can configure it with the ",(0,l.kt)("inlineCode",{parentName:"p"},"--request-logging-format")," flag.\nThe default format is configured as follows:"),(0,l.kt)("pre",null,(0,l.kt)("code",{parentName:"pre"},"{{.Client}} - {{.RequestID}} - {{.Username}} [{{.Timestamp}}] {{.Host}} {{.RequestMethod}} {{.Upstream}} {{.RequestURI}} {{.Protocol}} {{.UserAgent}} {{.StatusCode}} {{.ResponseSize}} {{.RequestDuration}}\n")),(0,l.kt)("p",null,"Available variables for request logging:"),(0,l.kt)("table",null,(0,l.kt)("thead",{parentName:"table"},(0,l.kt)("tr",{parentName:"thead"},(0,l.kt)("th",{parentName:"tr",align:null},"Variable"),(0,l.kt)("th",{parentName:"tr",align:null},"Example"),(0,l.kt)("th",{parentName:"tr",align:null},"Description"))),(0,l.kt)("tbody",{parentName:"table"},(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},"Client"),(0,l.kt)("td",{parentName:"tr",align:null},"74.125.224.72"),(0,l.kt)("td",{parentName:"tr",align:null},"The client/remote IP address. Will use the X-Real-IP header it if exists & reverse-proxy is set to true.")),(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},"Host"),(0,l.kt)("td",{parentName:"tr",align:null},"domain.com"),(0,l.kt)("td",{parentName:"tr",align:null},"The value of the Host header.")),(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},"Protocol"),(0,l.kt)("td",{parentName:"tr",align:null},"HTTP/1.0"),(0,l.kt)("td",{parentName:"tr",align:null},"The request protocol.")),(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},"RequestDuration"),(0,l.kt)("td",{parentName:"tr",align:null},"0.001"),(0,l.kt)("td",{parentName:"tr",align:null},"The time in seconds that a request took to process.")),(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},"RequestID"),(0,l.kt)("td",{parentName:"tr",align:null},"00010203-0405-4607-8809-0a0b0c0d0e0f"),(0,l.kt)("td",{parentName:"tr",align:null},"The request ID pulled from the ",(0,l.kt)("inlineCode",{parentName:"td"},"--request-id-header"),". Random UUID if empty")),(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},"RequestMethod"),(0,l.kt)("td",{parentName:"tr",align:null},"GET"),(0,l.kt)("td",{parentName:"tr",align:null},"The request method.")),(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},"RequestURI"),(0,l.kt)("td",{parentName:"tr",align:null},'"/oauth2/auth"'),(0,l.kt)("td",{parentName:"tr",align:null},"The URI path of the request.")),(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},"ResponseSize"),(0,l.kt)("td",{parentName:"tr",align:null},"12"),(0,l.kt)("td",{parentName:"tr",align:null},"The size in bytes of the response.")),(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},"StatusCode"),(0,l.kt)("td",{parentName:"tr",align:null},"200"),(0,l.kt)("td",{parentName:"tr",align:null},"The HTTP status code of the response.")),(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},"Timestamp"),(0,l.kt)("td",{parentName:"tr",align:null},"19/Mar/2015:17:20:19 -0400"),(0,l.kt)("td",{parentName:"tr",align:null},"The date and time of the logging event.")),(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},"Upstream"),(0,l.kt)("td",{parentName:"tr",align:null},"-"),(0,l.kt)("td",{parentName:"tr",align:null},"The upstream data of the HTTP request.")),(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},"UserAgent"),(0,l.kt)("td",{parentName:"tr",align:null},"-"),(0,l.kt)("td",{parentName:"tr",align:null},"The full user agent as reported by the requesting client.")),(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},"Username"),(0,l.kt)("td",{parentName:"tr",align:null},(0,l.kt)("a",{parentName:"td",href:"mailto:username@email.com"},"username@email.com")),(0,l.kt)("td",{parentName:"tr",align:null},"The email or username of the auth request.")))),(0,l.kt)("h3",{id:"standard-log-format"},"Standard Log Format"),(0,l.kt)("p",null,"All other logging that is not covered by the above two types of logging will be output in this standard logging format. This includes configuration information at startup and errors that occur outside of a session. The default format is below:"),(0,l.kt)("pre",null,(0,l.kt)("code",{parentName:"pre"},"[19/Mar/2015:17:20:19 -0400] [main.go:40] \n")),(0,l.kt)("p",null,"If you require a different format than that, you can configure it with the ",(0,l.kt)("inlineCode",{parentName:"p"},"--standard-logging-format")," flag. The default format is configured as follows:"),(0,l.kt)("pre",null,(0,l.kt)("code",{parentName:"pre"},"[{{.Timestamp}}] [{{.File}}] {{.Message}}\n")),(0,l.kt)("p",null,"Available variables for standard logging:"),(0,l.kt)("table",null,(0,l.kt)("thead",{parentName:"table"},(0,l.kt)("tr",{parentName:"thead"},(0,l.kt)("th",{parentName:"tr",align:null},"Variable"),(0,l.kt)("th",{parentName:"tr",align:null},"Example"),(0,l.kt)("th",{parentName:"tr",align:null},"Description"))),(0,l.kt)("tbody",{parentName:"table"},(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},"Timestamp"),(0,l.kt)("td",{parentName:"tr",align:null},"19/Mar/2015:17:20:19 -0400"),(0,l.kt)("td",{parentName:"tr",align:null},"The date and time of the logging event.")),(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},"File"),(0,l.kt)("td",{parentName:"tr",align:null},"main.go:40"),(0,l.kt)("td",{parentName:"tr",align:null},"The file and line number of the logging statement.")),(0,l.kt)("tr",{parentName:"tbody"},(0,l.kt)("td",{parentName:"tr",align:null},"Message"),(0,l.kt)("td",{parentName:"tr",align:null},"HTTP: listening on 127.0.0.1:4180"),(0,l.kt)("td",{parentName:"tr",align:null},"The details of the log statement.")))),(0,l.kt)("h2",{id:"configuring-for-use-with-the-nginx-auth_request-directive"},"Configuring for use with the Nginx ",(0,l.kt)("inlineCode",{parentName:"h2"},"auth_request")," directive"),(0,l.kt)("p",null,"The ",(0,l.kt)("a",{parentName:"p",href:"http://nginx.org/en/docs/http/ngx_http_auth_request_module.html"},"Nginx ",(0,l.kt)("inlineCode",{parentName:"a"},"auth_request")," directive")," allows Nginx to authenticate requests via the oauth2-proxy's ",(0,l.kt)("inlineCode",{parentName:"p"},"/auth")," endpoint, which only returns a 202 Accepted response or a 401 Unauthorized response without proxying the request through. For example:"),(0,l.kt)("pre",null,(0,l.kt)("code",{parentName:"pre",className:"language-nginx"},'server {\n listen 443 ssl;\n server_name ...;\n include ssl/ssl.conf;\n\n location /oauth2/ {\n proxy_pass http://127.0.0.1:4180;\n proxy_set_header Host $host;\n proxy_set_header X-Real-IP $remote_addr;\n proxy_set_header X-Scheme $scheme;\n proxy_set_header X-Auth-Request-Redirect $request_uri;\n # or, if you are handling multiple domains:\n # proxy_set_header X-Auth-Request-Redirect $scheme://$host$request_uri;\n }\n location = /oauth2/auth {\n proxy_pass http://127.0.0.1:4180;\n proxy_set_header Host $host;\n proxy_set_header X-Real-IP $remote_addr;\n proxy_set_header X-Scheme $scheme;\n # nginx auth_request includes headers but not body\n proxy_set_header Content-Length "";\n proxy_pass_request_body off;\n }\n\n location / {\n auth_request /oauth2/auth;\n error_page 401 = /oauth2/sign_in;\n\n # pass information via X-User and X-Email headers to backend,\n # requires running with --set-xauthrequest flag\n auth_request_set $user $upstream_http_x_auth_request_user;\n auth_request_set $email $upstream_http_x_auth_request_email;\n proxy_set_header X-User $user;\n proxy_set_header X-Email $email;\n\n # if you enabled --pass-access-token, this will pass the token to the backend\n auth_request_set $token $upstream_http_x_auth_request_access_token;\n proxy_set_header X-Access-Token $token;\n\n # if you enabled --cookie-refresh, this is needed for it to work with auth_request\n auth_request_set $auth_cookie $upstream_http_set_cookie;\n add_header Set-Cookie $auth_cookie;\n\n # When using the --set-authorization-header flag, some provider\'s cookies can exceed the 4kb\n # limit and so the OAuth2 Proxy splits these into multiple parts.\n # Nginx normally only copies the first `Set-Cookie` header from the auth_request to the response,\n # so if your cookies are larger than 4kb, you will need to extract additional cookies manually.\n auth_request_set $auth_cookie_name_upstream_1 $upstream_cookie_auth_cookie_name_1;\n\n # Extract the Cookie attributes from the first Set-Cookie header and append them\n # to the second part ($upstream_cookie_* variables only contain the raw cookie content)\n if ($auth_cookie ~* "(; .*)") {\n set $auth_cookie_name_0 $auth_cookie;\n set $auth_cookie_name_1 "auth_cookie_name_1=$auth_cookie_name_upstream_1$1";\n }\n\n # Send both Set-Cookie headers now if there was a second part\n if ($auth_cookie_name_upstream_1) {\n add_header Set-Cookie $auth_cookie_name_0;\n add_header Set-Cookie $auth_cookie_name_1;\n }\n\n proxy_pass http://backend/;\n # or "root /path/to/site;" or "fastcgi_pass ..." etc\n }\n}\n')),(0,l.kt)("p",null,"When you use ingress-nginx in Kubernetes, you MUST use ",(0,l.kt)("inlineCode",{parentName:"p"},"kubernetes/ingress-nginx")," (which includes the Lua module) and the following configuration snippet for your ",(0,l.kt)("inlineCode",{parentName:"p"},"Ingress"),".\nVariables set with ",(0,l.kt)("inlineCode",{parentName:"p"},"auth_request_set")," are not ",(0,l.kt)("inlineCode",{parentName:"p"},"set"),"-able in plain nginx config when the location is processed via ",(0,l.kt)("inlineCode",{parentName:"p"},"proxy_pass")," and then may only be processed by Lua.\nNote that ",(0,l.kt)("inlineCode",{parentName:"p"},"nginxinc/kubernetes-ingress")," does not include the Lua module."),(0,l.kt)("pre",null,(0,l.kt)("code",{parentName:"pre",className:"language-yaml"},'nginx.ingress.kubernetes.io/auth-response-headers: Authorization\nnginx.ingress.kubernetes.io/auth-signin: https://$host/oauth2/start?rd=$escaped_request_uri\nnginx.ingress.kubernetes.io/auth-url: https://$host/oauth2/auth\nnginx.ingress.kubernetes.io/configuration-snippet: |\n auth_request_set $name_upstream_1 $upstream_cookie_name_1;\n\n access_by_lua_block {\n if ngx.var.name_upstream_1 ~= "" then\n ngx.header["Set-Cookie"] = "name_1=" .. ngx.var.name_upstream_1 .. ngx.var.auth_cookie:match("(; .*)")\n end\n }\n')),(0,l.kt)("p",null,"It is recommended to use ",(0,l.kt)("inlineCode",{parentName:"p"},"--session-store-type=redis")," when expecting large sessions/OIDC tokens (",(0,l.kt)("em",{parentName:"p"},"e.g.")," with MS Azure)."),(0,l.kt)("p",null,"You have to substitute ",(0,l.kt)("em",{parentName:"p"},"name"),' with the actual cookie name you configured via --cookie-name parameter. If you don\'t set a custom cookie name the variable should be "$upstream_cookie__oauth2_proxy_1" instead of "$upstream_cookie_name_1" and the new cookie-name should be "_oauth2_proxy_1=" instead of "name_1=".'),(0,l.kt)("h2",{id:"configuring-for-use-with-the-traefik-v2-forwardauth-middleware"},"Configuring for use with the Traefik (v2) ",(0,l.kt)("inlineCode",{parentName:"h2"},"ForwardAuth")," middleware"),(0,l.kt)("p",null,(0,l.kt)("strong",{parentName:"p"},"This option requires ",(0,l.kt)("inlineCode",{parentName:"strong"},"--reverse-proxy")," option to be set.")),(0,l.kt)("h3",{id:"forwardauth-with-401-errors-middleware"},"ForwardAuth with 401 errors middleware"),(0,l.kt)("p",null,"The ",(0,l.kt)("a",{parentName:"p",href:"https://doc.traefik.io/traefik/middlewares/forwardauth/"},"Traefik v2 ",(0,l.kt)("inlineCode",{parentName:"a"},"ForwardAuth")," middleware")," allows Traefik to authenticate requests via the oauth2-proxy's ",(0,l.kt)("inlineCode",{parentName:"p"},"/oauth2/auth")," endpoint on every request, which only returns a 202 Accepted response or a 401 Unauthorized response without proxying the whole request through. For example, on Dynamic File (YAML) Configuration:"),(0,l.kt)("pre",null,(0,l.kt)("code",{parentName:"pre",className:"language-yaml"},'http:\n routers:\n a-service:\n rule: "Host(`a-service.example.com`)"\n service: a-service-backend\n middlewares:\n - oauth-errors\n - oauth-auth\n tls:\n certResolver: default\n domains:\n - main: "example.com"\n sans:\n - "*.example.com"\n oauth:\n rule: "Host(`a-service.example.com`, `oauth.example.com`) && PathPrefix(`/oauth2/`)"\n middlewares:\n - auth-headers\n service: oauth-backend\n tls:\n certResolver: default\n domains:\n - main: "example.com"\n sans:\n - "*.example.com"\n\n services:\n a-service-backend:\n loadBalancer:\n servers:\n - url: http://172.16.0.2:7555\n oauth-backend:\n loadBalancer:\n servers:\n - url: http://172.16.0.1:4180\n\n middlewares:\n auth-headers:\n headers:\n sslRedirect: true\n stsSeconds: 315360000\n browserXssFilter: true\n contentTypeNosniff: true\n forceSTSHeader: true\n sslHost: example.com\n stsIncludeSubdomains: true\n stsPreload: true\n frameDeny: true\n oauth-auth:\n forwardAuth:\n address: https://oauth.example.com/oauth2/auth\n trustForwardHeader: true\n oauth-errors:\n errors:\n status:\n - "401-403"\n service: oauth-backend\n query: "/oauth2/sign_in"\n')),(0,l.kt)("h3",{id:"forwardauth-with-static-upstreams-configuration"},"ForwardAuth with static upstreams configuration"),(0,l.kt)("p",null,"Redirect to sign_in functionality provided without the use of ",(0,l.kt)("inlineCode",{parentName:"p"},"errors")," middleware with ",(0,l.kt)("a",{parentName:"p",href:"https://doc.traefik.io/traefik/middlewares/forwardauth/"},"Traefik v2 ",(0,l.kt)("inlineCode",{parentName:"a"},"ForwardAuth")," middleware")," pointing to oauth2-proxy service's ",(0,l.kt)("inlineCode",{parentName:"p"},"/")," endpoint"),(0,l.kt)("p",null,(0,l.kt)("strong",{parentName:"p"},"Following options need to be set on ",(0,l.kt)("inlineCode",{parentName:"strong"},"oauth2-proxy"),":")),(0,l.kt)("ul",null,(0,l.kt)("li",{parentName:"ul"},(0,l.kt)("inlineCode",{parentName:"li"},"--upstream=static://202"),": Configures a static response for authenticated sessions"),(0,l.kt)("li",{parentName:"ul"},(0,l.kt)("inlineCode",{parentName:"li"},"--reverse-proxy=true"),": Enables the use of ",(0,l.kt)("inlineCode",{parentName:"li"},"X-Forwarded-*")," headers to determine redirects correctly")),(0,l.kt)("pre",null,(0,l.kt)("code",{parentName:"pre",className:"language-yaml"},'http:\n routers:\n a-service-route-1:\n rule: "Host(`a-service.example.com`, `b-service.example.com`) && PathPrefix(`/`)"\n service: a-service-backend\n middlewares:\n - oauth-auth-redirect # redirects all unauthenticated to oauth2 signin\n tls:\n certResolver: default\n domains:\n - main: "example.com"\n sans:\n - "*.example.com"\n a-service-route-2:\n rule: "Host(`a-service.example.com`) && PathPrefix(`/no-auto-redirect`)"\n service: a-service-backend\n middlewares:\n - oauth-auth-wo-redirect # unauthenticated session will return a 401\n tls:\n certResolver: default\n domains:\n - main: "example.com"\n sans:\n - "*.example.com"\n services-oauth2-route:\n rule: "Host(`a-service.example.com`, `b-service.example.com`) && PathPrefix(`/oauth2/`)"\n middlewares:\n - auth-headers\n service: oauth-backend\n tls:\n certResolver: default\n domains:\n - main: "example.com"\n sans:\n - "*.example.com"\n oauth2-proxy-route:\n rule: "Host(`oauth.example.com`) && PathPrefix(`/`)"\n middlewares:\n - auth-headers\n service: oauth-backend\n tls:\n certResolver: default\n domains:\n - main: "example.com"\n sans:\n - "*.example.com"\n\n services:\n a-service-backend:\n loadBalancer:\n servers:\n - url: http://172.16.0.2:7555\n b-service-backend:\n loadBalancer:\n servers:\n - url: http://172.16.0.3:7555\n oauth-backend:\n loadBalancer:\n servers:\n - url: http://172.16.0.1:4180\n\n middlewares:\n auth-headers:\n headers:\n sslRedirect: true\n stsSeconds: 315360000\n browserXssFilter: true\n contentTypeNosniff: true\n forceSTSHeader: true\n sslHost: example.com\n stsIncludeSubdomains: true\n stsPreload: true\n frameDeny: true\n oauth-auth-redirect:\n forwardAuth:\n address: https://oauth.example.com/\n trustForwardHeader: true\n authResponseHeaders:\n - X-Auth-Request-Access-Token\n - Authorization\n oauth-auth-wo-redirect:\n forwardAuth:\n address: https://oauth.example.com/oauth2/auth\n trustForwardHeader: true\n authResponseHeaders:\n - X-Auth-Request-Access-Token\n - Authorization\n')),(0,l.kt)("div",{className:"admonition admonition-note alert alert--secondary"},(0,l.kt)("div",{parentName:"div",className:"admonition-heading"},(0,l.kt)("h5",{parentName:"div"},(0,l.kt)("span",{parentName:"h5",className:"admonition-icon"},(0,l.kt)("svg",{parentName:"span",xmlns:"http://www.w3.org/2000/svg",width:"14",height:"16",viewBox:"0 0 14 16"},(0,l.kt)("path",{parentName:"svg",fillRule:"evenodd",d:"M6.3 5.69a.942.942 0 0 1-.28-.7c0-.28.09-.52.28-.7.19-.18.42-.28.7-.28.28 0 .52.09.7.28.18.19.28.42.28.7 0 .28-.09.52-.28.7a1 1 0 0 1-.7.3c-.28 0-.52-.11-.7-.3zM8 7.99c-.02-.25-.11-.48-.31-.69-.2-.19-.42-.3-.69-.31H6c-.27.02-.48.13-.69.31-.2.2-.3.44-.31.69h1v3c.02.27.11.5.31.69.2.2.42.31.69.31h1c.27 0 .48-.11.69-.31.2-.19.3-.42.31-.69H8V7.98v.01zM7 2.3c-3.14 0-5.7 2.54-5.7 5.68 0 3.14 2.56 5.7 5.7 5.7s5.7-2.55 5.7-5.7c0-3.15-2.56-5.69-5.7-5.69v.01zM7 .98c3.86 0 7 3.14 7 7s-3.14 7-7 7-7-3.12-7-7 3.14-7 7-7z"}))),"note")),(0,l.kt)("div",{parentName:"div",className:"admonition-content"},(0,l.kt)("p",{parentName:"div"},"If you set up your OAuth2 provider to rotate your client secret, you can use the ",(0,l.kt)("inlineCode",{parentName:"p"},"client-secret-file")," option to reload the secret when it is updated."))))}g.isMDXComponent=!0}}]); \ No newline at end of file diff --git a/assets/js/runtime~main.c2648406.js b/assets/js/runtime~main.d94296bf.js similarity index 99% rename from assets/js/runtime~main.c2648406.js rename to assets/js/runtime~main.d94296bf.js index fdff7c87..6982d0be 100644 --- a/assets/js/runtime~main.c2648406.js +++ b/assets/js/runtime~main.d94296bf.js @@ -1 +1 @@ -!function(){"use strict";var e,c,t,f,a,r={},n={};function b(e){var c=n[e];if(void 0!==c)return c.exports;var t=n[e]={id:e,loaded:!1,exports:{}};return r[e].call(t.exports,t,t.exports,b),t.loaded=!0,t.exports}b.m=r,b.c=n,e=[],b.O=function(c,t,f,a){if(!t){var r=1/0;for(u=0;u=a)&&Object.keys(b.O).every((function(e){return b.O[e](t[d])}))?t.splice(d--,1):(n=!1,a0&&e[u-1][2]>a;u--)e[u]=e[u-1];e[u]=[t,f,a]},b.n=function(e){var c=e&&e.__esModule?function(){return e.default}:function(){return e};return b.d(c,{a:c}),c},t=Object.getPrototypeOf?function(e){return Object.getPrototypeOf(e)}:function(e){return e.__proto__},b.t=function(e,f){if(1&f&&(e=this(e)),8&f)return e;if("object"==typeof e&&e){if(4&f&&e.__esModule)return e;if(16&f&&"function"==typeof e.then)return e}var a=Object.create(null);b.r(a);var r={};c=c||[null,t({}),t([]),t(t)];for(var n=2&f&&e;"object"==typeof n&&!~c.indexOf(n);n=t(n))Object.getOwnPropertyNames(n).forEach((function(c){r[c]=function(){return e[c]}}));return r.default=function(){return e},b.d(a,r),a},b.d=function(e,c){for(var t in c)b.o(c,t)&&!b.o(e,t)&&Object.defineProperty(e,t,{enumerable:!0,get:c[t]})},b.f={},b.e=function(e){return Promise.all(Object.keys(b.f).reduce((function(c,t){return b.f[t](e,c),c}),[]))},b.u=function(e){return"assets/js/"+({53:"935f2afb",268:"9c6b37b9",507:"8f68f251",707:"76aee1e9",811:"e8c74efb",1351:"7dcecc8d",1365:"b9702c11",1487:"adcdd4d2",1558:"efec474a",1898:"1999cd7b",2098:"92147208",2114:"6f497b56",2158:"35234f08",2260:"d4a2a59c",2439:"cd4a49c1",2593:"300a9996",2598:"5a047177",2608:"9ac82b89",2822:"94285305",2844:"f3976560",2871:"a37c03cb",3085:"1f391b9e",3217:"3b8c55ea",3291:"230aeb34",3358:"be200c4b",3608:"9e4087bc",3782:"a1bbfb14",3843:"ecc333f0",3938:"65a49553",4042:"08659987",4189:"3def9002",4431:"001ca130",4472:"f4c9d322",4998:"7b04b1d5",5144:"1737cda1",5322:"00691219",5410:"9b9cfcc1",5437:"f98fc388",5845:"243cbd97",5874:"ea7cbf6d",5995:"cecf159a",6042:"fb908f49",6119:"efc9be4b",6482:"7874e99f",6760:"0721a2c0",7165:"3b8e2d60",7240:"0f425520",7250:"41de83de",7401:"63d69a63",7559:"d8b74189",7595:"42326c77",7826:"f5839aac",7918:"17896441",8249:"585bdad0",8338:"de718920",8447:"ade45c9a",8500:"acde588d",8555:"cbc8963c",8583:"9f61b932",8724:"edfc6e1b",8873:"b89e1cb0",8967:"3fa022c7",9267:"357fe94d",9512:"a991188b",9514:"1be78505",9692:"2c77072c",9890:"8c826f25"}[e]||e)+"."+{53:"4a3f1d92",268:"0902753e",507:"e6059b29",707:"198d514c",811:"6f3ea057",1351:"02aac3e1",1365:"47e2487f",1487:"f89f4cb4",1558:"350b66c2",1898:"67af2e9d",2098:"93096b74",2114:"d1fafb1d",2158:"75b00d70",2260:"4cf62a79",2439:"8d4f2188",2593:"f753e41d",2598:"1f48e99a",2608:"844c4c60",2822:"1f5fc964",2844:"2cb9bfe2",2871:"4fbaf920",3085:"e29f8c90",3217:"6001cf90",3291:"9e93a797",3358:"0994fc5b",3608:"fcc33365",3782:"191e1df5",3843:"f0614c4d",3938:"6efe1128",4042:"ccf8ea0d",4189:"0566d6b8",4431:"df12b21c",4472:"114701fa",4608:"2c7b7ade",4998:"d117d167",5144:"d5f061d0",5322:"1534c076",5410:"37c53500",5437:"3b0c1664",5845:"547fc342",5874:"7aaa7faa",5897:"ca6e53fd",5995:"90b73e88",6042:"120ce48b",6119:"f8f89998",6482:"ffe18382",6760:"ffdc7189",7165:"7229dec3",7240:"77916554",7250:"41ba64ac",7401:"bbcebc27",7559:"4b70dd77",7595:"8e971b20",7826:"b034b05a",7918:"b571fd1c",8249:"dbf4b31b",8338:"cd0c4637",8447:"fb2dab7b",8500:"017a6535",8555:"4522119e",8583:"b7164f76",8724:"25fb710b",8873:"d176f819",8967:"d245265c",9267:"5f902a23",9512:"d0024de2",9514:"7b2cd06e",9692:"fd996257",9890:"e65a6b95"}[e]+".js"},b.miniCssF=function(e){return"assets/css/styles.19258e03.css"},b.g=function(){if("object"==typeof globalThis)return globalThis;try{return this||new Function("return this")()}catch(e){if("object"==typeof window)return window}}(),b.o=function(e,c){return Object.prototype.hasOwnProperty.call(e,c)},f={},a="docusaurus:",b.l=function(e,c,t,r){if(f[e])f[e].push(c);else{var n,d;if(void 0!==t)for(var o=document.getElementsByTagName("script"),u=0;u=a)&&Object.keys(b.O).every((function(e){return b.O[e](t[d])}))?t.splice(d--,1):(n=!1,a0&&e[u-1][2]>a;u--)e[u]=e[u-1];e[u]=[t,f,a]},b.n=function(e){var c=e&&e.__esModule?function(){return e.default}:function(){return e};return b.d(c,{a:c}),c},t=Object.getPrototypeOf?function(e){return Object.getPrototypeOf(e)}:function(e){return e.__proto__},b.t=function(e,f){if(1&f&&(e=this(e)),8&f)return e;if("object"==typeof e&&e){if(4&f&&e.__esModule)return e;if(16&f&&"function"==typeof e.then)return e}var a=Object.create(null);b.r(a);var r={};c=c||[null,t({}),t([]),t(t)];for(var n=2&f&&e;"object"==typeof n&&!~c.indexOf(n);n=t(n))Object.getOwnPropertyNames(n).forEach((function(c){r[c]=function(){return e[c]}}));return r.default=function(){return e},b.d(a,r),a},b.d=function(e,c){for(var t in c)b.o(c,t)&&!b.o(e,t)&&Object.defineProperty(e,t,{enumerable:!0,get:c[t]})},b.f={},b.e=function(e){return Promise.all(Object.keys(b.f).reduce((function(c,t){return b.f[t](e,c),c}),[]))},b.u=function(e){return"assets/js/"+({53:"935f2afb",268:"9c6b37b9",507:"8f68f251",707:"76aee1e9",811:"e8c74efb",1351:"7dcecc8d",1365:"b9702c11",1487:"adcdd4d2",1558:"efec474a",1898:"1999cd7b",2098:"92147208",2114:"6f497b56",2158:"35234f08",2260:"d4a2a59c",2439:"cd4a49c1",2593:"300a9996",2598:"5a047177",2608:"9ac82b89",2822:"94285305",2844:"f3976560",2871:"a37c03cb",3085:"1f391b9e",3217:"3b8c55ea",3291:"230aeb34",3358:"be200c4b",3608:"9e4087bc",3782:"a1bbfb14",3843:"ecc333f0",3938:"65a49553",4042:"08659987",4189:"3def9002",4431:"001ca130",4472:"f4c9d322",4998:"7b04b1d5",5144:"1737cda1",5322:"00691219",5410:"9b9cfcc1",5437:"f98fc388",5845:"243cbd97",5874:"ea7cbf6d",5995:"cecf159a",6042:"fb908f49",6119:"efc9be4b",6482:"7874e99f",6760:"0721a2c0",7165:"3b8e2d60",7240:"0f425520",7250:"41de83de",7401:"63d69a63",7559:"d8b74189",7595:"42326c77",7826:"f5839aac",7918:"17896441",8249:"585bdad0",8338:"de718920",8447:"ade45c9a",8500:"acde588d",8555:"cbc8963c",8583:"9f61b932",8724:"edfc6e1b",8873:"b89e1cb0",8967:"3fa022c7",9267:"357fe94d",9512:"a991188b",9514:"1be78505",9692:"2c77072c",9890:"8c826f25"}[e]||e)+"."+{53:"4a3f1d92",268:"0902753e",507:"e6059b29",707:"198d514c",811:"6f3ea057",1351:"02aac3e1",1365:"47e2487f",1487:"f89f4cb4",1558:"350b66c2",1898:"67af2e9d",2098:"93096b74",2114:"d1fafb1d",2158:"75b00d70",2260:"4cf62a79",2439:"8d4f2188",2593:"f753e41d",2598:"1f48e99a",2608:"844c4c60",2822:"1f5fc964",2844:"2cb9bfe2",2871:"4fbaf920",3085:"e29f8c90",3217:"6001cf90",3291:"9e93a797",3358:"0994fc5b",3608:"fcc33365",3782:"191e1df5",3843:"f0614c4d",3938:"6efe1128",4042:"ccf8ea0d",4189:"0566d6b8",4431:"df12b21c",4472:"114701fa",4608:"2c7b7ade",4998:"d117d167",5144:"d5f061d0",5322:"1534c076",5410:"37c53500",5437:"3b0c1664",5845:"547fc342",5874:"7aaa7faa",5897:"ca6e53fd",5995:"90b73e88",6042:"120ce48b",6119:"f8f89998",6482:"ffe18382",6760:"ffdc7189",7165:"7229dec3",7240:"33366640",7250:"41ba64ac",7401:"bbcebc27",7559:"4b70dd77",7595:"8e971b20",7826:"b034b05a",7918:"b571fd1c",8249:"dbf4b31b",8338:"cd0c4637",8447:"fb2dab7b",8500:"017a6535",8555:"4522119e",8583:"b7164f76",8724:"25fb710b",8873:"d176f819",8967:"d245265c",9267:"5f902a23",9512:"d0024de2",9514:"7b2cd06e",9692:"fd996257",9890:"e65a6b95"}[e]+".js"},b.miniCssF=function(e){return"assets/css/styles.19258e03.css"},b.g=function(){if("object"==typeof globalThis)return globalThis;try{return this||new Function("return this")()}catch(e){if("object"==typeof window)return window}}(),b.o=function(e,c){return Object.prototype.hasOwnProperty.call(e,c)},f={},a="docusaurus:",b.l=function(e,c,t,r){if(f[e])f[e].push(c);else{var n,d;if(void 0!==t)for(var o=document.getElementsByTagName("script"),u=0;u Archive | OAuth2 Proxy - +

Archive

Archive

Copyright © 2022 OAuth2 Proxy.
- + \ No newline at end of file diff --git a/docs/6.1.x/behaviour/index.html b/docs/6.1.x/behaviour/index.html index 5301240e..e0145009 100644 --- a/docs/6.1.x/behaviour/index.html +++ b/docs/6.1.x/behaviour/index.html @@ -5,13 +5,13 @@ Behaviour | OAuth2 Proxy - +
Version: 6.1.x

Behaviour

  1. Any request passing through the proxy (and not matched by --skip-auth-regex) is checked for the proxy's session cookie (--cookie-name) (or, if allowed, a JWT token - see --skip-jwt-bearer-tokens).
  2. If authentication is required but missing then the user is asked to log in and redirected to the authentication provider (unless it is an Ajax request, i.e. one with Accept: application/json, in which case 401 Unauthorized is returned)
  3. After returning from the authentication provider, the oauth tokens are stored in the configured session store (cookie, redis, ...) and a cookie is set
  4. The request is forwarded to the upstream server with added user info and authentication headers (depending on the configuration)

Notice that the proxy also provides a number of useful endpoints.

Copyright © 2022 OAuth2 Proxy.
- + \ No newline at end of file diff --git a/docs/6.1.x/community/security/index.html b/docs/6.1.x/community/security/index.html index a3694fd2..c916209e 100644 --- a/docs/6.1.x/community/security/index.html +++ b/docs/6.1.x/community/security/index.html @@ -5,7 +5,7 @@ Security | OAuth2 Proxy - + @@ -29,7 +29,7 @@ If we have multiple security issues in flight simultaneously, we may delay merging fixes until all patches are ready. We may also backport the fix to previous releases, but this will be at the discretion of the maintainers.

Copyright © 2022 OAuth2 Proxy.
- + \ No newline at end of file diff --git a/docs/6.1.x/configuration/oauth_provider/index.html b/docs/6.1.x/configuration/oauth_provider/index.html index 30ef3f02..2bbdafb2 100644 --- a/docs/6.1.x/configuration/oauth_provider/index.html +++ b/docs/6.1.x/configuration/oauth_provider/index.html @@ -5,7 +5,7 @@ OAuth Provider Configuration | OAuth2 Proxy - + @@ -46,7 +46,7 @@ to setup the client id and client secret. Your "Redirection URI" will Provider instance. Add a new case to providers.New() to allow oauth2-proxy to use the new Provider.

Copyright © 2022 OAuth2 Proxy.
- + \ No newline at end of file diff --git a/docs/6.1.x/configuration/overview/index.html b/docs/6.1.x/configuration/overview/index.html index e54add87..9e4b5b0f 100644 --- a/docs/6.1.x/configuration/overview/index.html +++ b/docs/6.1.x/configuration/overview/index.html @@ -5,7 +5,7 @@ Overview | OAuth2 Proxy - + @@ -20,7 +20,7 @@ The default format is configured as follows:

{{.Client}} - {{.Username}} [{{.Timestamp}}] {{.Host}} {{.RequestMethod}} {{.Upstream}} {{.RequestURI}} {{.Protocol}} {{.UserAgent}} {{.StatusCode}} {{.ResponseSize}} {{.RequestDuration}}

Available variables for request logging:

VariableExampleDescription
Client74.125.224.72The client/remote IP address. Will use the X-Real-IP header it if exists & reverse-proxy is set to true.
Hostdomain.comThe value of the Host header.
ProtocolHTTP/1.0The request protocol.
RequestDuration0.001The time in seconds that a request took to process.
RequestMethodGETThe request method.
RequestURI"/oauth2/auth"The URI path of the request.
ResponseSize12The size in bytes of the response.
StatusCode200The HTTP status code of the response.
Timestamp19/Mar/2015:17:20:19 -0400The date and time of the logging event.
Upstream-The upstream data of the HTTP request.
UserAgent-The full user agent as reported by the requesting client.
Usernameusername@email.comThe email or username of the auth request.

Standard Log Format​

All other logging that is not covered by the above two types of logging will be output in this standard logging format. This includes configuration information at startup and errors that occur outside of a session. The default format is below:

[19/Mar/2015:17:20:19 -0400] [main.go:40] <MESSAGE>

If you require a different format than that, you can configure it with the --standard-logging-format flag. The default format is configured as follows:

[{{.Timestamp}}] [{{.File}}] {{.Message}}

Available variables for standard logging:

VariableExampleDescription
Timestamp19/Mar/2015:17:20:19 -0400The date and time of the logging event.
Filemain.go:40The file and line number of the logging statement.
MessageHTTP: listening on 127.0.0.1:4180The details of the log statement.

Configuring for use with the Nginx auth_request directive​

The Nginx auth_request directive allows Nginx to authenticate requests via the oauth2-proxy's /auth endpoint, which only returns a 202 Accepted response or a 401 Unauthorized response without proxying the request through. For example:

server {
  listen 443 ssl;
  server_name ...;
  include ssl/ssl.conf;

  location /oauth2/ {
    proxy_pass       http://127.0.0.1:4180;
    proxy_set_header Host                    $host;
    proxy_set_header X-Real-IP               $remote_addr;
    proxy_set_header X-Scheme                $scheme;
    proxy_set_header X-Auth-Request-Redirect $request_uri;
    # or, if you are handling multiple domains:
    # proxy_set_header X-Auth-Request-Redirect $scheme://$host$request_uri;
  }
  location = /oauth2/auth {
    proxy_pass       http://127.0.0.1:4180;
    proxy_set_header Host             $host;
    proxy_set_header X-Real-IP        $remote_addr;
    proxy_set_header X-Scheme         $scheme;
    # nginx auth_request includes headers but not body
    proxy_set_header Content-Length   "";
    proxy_pass_request_body           off;
  }

  location / {
    auth_request /oauth2/auth;
    error_page 401 = /oauth2/sign_in;

    # pass information via X-User and X-Email headers to backend,
    # requires running with --set-xauthrequest flag
    auth_request_set $user   $upstream_http_x_auth_request_user;
    auth_request_set $email  $upstream_http_x_auth_request_email;
    proxy_set_header X-User  $user;
    proxy_set_header X-Email $email;

    # if you enabled --pass-access-token, this will pass the token to the backend
    auth_request_set $token  $upstream_http_x_auth_request_access_token;
    proxy_set_header X-Access-Token $token;

    # if you enabled --cookie-refresh, this is needed for it to work with auth_request
    auth_request_set $auth_cookie $upstream_http_set_cookie;
    add_header Set-Cookie $auth_cookie;

    # When using the --set-authorization-header flag, some provider's cookies can exceed the 4kb
    # limit and so the OAuth2 Proxy splits these into multiple parts.
    # Nginx normally only copies the first `Set-Cookie` header from the auth_request to the response,
    # so if your cookies are larger than 4kb, you will need to extract additional cookies manually.
    auth_request_set $auth_cookie_name_upstream_1 $upstream_cookie_auth_cookie_name_1;

    # Extract the Cookie attributes from the first Set-Cookie header and append them
    # to the second part ($upstream_cookie_* variables only contain the raw cookie content)
    if ($auth_cookie ~* "(; .*)") {
        set $auth_cookie_name_0 $auth_cookie;
        set $auth_cookie_name_1 "auth_cookie_name_1=$auth_cookie_name_upstream_1$1";
    }

    # Send both Set-Cookie headers now if there was a second part
    if ($auth_cookie_name_upstream_1) {
        add_header Set-Cookie $auth_cookie_name_0;
        add_header Set-Cookie $auth_cookie_name_1;
    }

    proxy_pass http://backend/;
    # or "root /path/to/site;" or "fastcgi_pass ..." etc
  }
}

When you use ingress-nginx in Kubernetes, you MUST use kubernetes/ingress-nginx (which includes the Lua module) and the following configuration snippet for your Ingress. Variables set with auth_request_set are not set-able in plain nginx config when the location is processed via proxy_pass and then may only be processed by Lua. Note that nginxinc/kubernetes-ingress does not include the Lua module.

nginx.ingress.kubernetes.io/auth-response-headers: Authorization
nginx.ingress.kubernetes.io/auth-signin: https://$host/oauth2/start?rd=$escaped_request_uri
nginx.ingress.kubernetes.io/auth-url: https://$host/oauth2/auth
nginx.ingress.kubernetes.io/configuration-snippet: |
  auth_request_set $name_upstream_1 $upstream_cookie_name_1;

  access_by_lua_block {
    if ngx.var.name_upstream_1 ~= "" then
      ngx.header["Set-Cookie"] = "name_1=" .. ngx.var.name_upstream_1 .. ngx.var.auth_cookie:match("(; .*)")
    end
  }

It is recommended to use --session-store-type=redis when expecting large sessions/OIDC tokens (e.g. with MS Azure).

You have to substitute name with the actual cookie name you configured via --cookie-name parameter. If you don't set a custom cookie name the variable should be "$upstream_cookie__oauth2_proxy_1" instead of "$upstream_cookie_name_1" and the new cookie-name should be "_oauth2_proxy_1=" instead of "name_1=".

note

If you set up your OAuth2 provider to rotate your client secret, you can use the client-secret-file option to reload the secret when it is updated.

Copyright © 2022 OAuth2 Proxy.
- + \ No newline at end of file diff --git a/docs/6.1.x/configuration/session_storage/index.html b/docs/6.1.x/configuration/session_storage/index.html index 0f4fec2d..52cfdd7a 100644 --- a/docs/6.1.x/configuration/session_storage/index.html +++ b/docs/6.1.x/configuration/session_storage/index.html @@ -5,7 +5,7 @@ Session Storage | OAuth2 Proxy - + @@ -26,7 +26,7 @@ disclosure.

Usage--redis-use-sentinel=true flag, as well as configure the flags --redis-sentinel-master-name and --redis-sentinel-connection-urls appropriately.

Redis Cluster is available to be the backend store as well. To leverage it, you will need to set the --redis-use-cluster=true flag, and configure the flags --redis-cluster-connection-urls appropriately.

Note that flags --redis-use-sentinel=true and --redis-use-cluster=true are mutually exclusive.

Copyright © 2022 OAuth2 Proxy.
- + \ No newline at end of file diff --git a/docs/6.1.x/configuration/tls/index.html b/docs/6.1.x/configuration/tls/index.html index 8d2cabe4..8ca6e9c4 100644 --- a/docs/6.1.x/configuration/tls/index.html +++ b/docs/6.1.x/configuration/tls/index.html @@ -5,7 +5,7 @@ TLS Configuration | OAuth2 Proxy - + @@ -16,7 +16,7 @@ external load balancer like Amazon ELB or Google Platform Load Balancing) use oauth2-proxy will then authenticate requests for an upstream application. The external endpoint for this example would be https://internal.yourcompany.com/.

An example Nginx config follows. Note the use of Strict-Transport-Security header to pin requests to SSL via HSTS:

server {
    listen 443 default ssl;
    server_name internal.yourcompany.com;
    ssl_certificate /path/to/cert.pem;
    ssl_certificate_key /path/to/cert.key;
    add_header Strict-Transport-Security max-age=2592000;

    location / {
        proxy_pass http://127.0.0.1:4180;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Scheme $scheme;
        proxy_connect_timeout 1;
        proxy_send_timeout 30;
        proxy_read_timeout 30;
    }
}

The command line to run oauth2-proxy in this configuration would look like this:

./oauth2-proxy \
   --email-domain="yourcompany.com"  \
   --upstream=http://127.0.0.1:8080/ \
   --cookie-secret=... \
   --cookie-secure=true \
   --provider=... \
   --reverse-proxy=true \
   --client-id=... \
   --client-secret=...
Copyright © 2022 OAuth2 Proxy.
- + \ No newline at end of file diff --git a/docs/6.1.x/features/endpoints/index.html b/docs/6.1.x/features/endpoints/index.html index 20d4e3a1..c03610db 100644 --- a/docs/6.1.x/features/endpoints/index.html +++ b/docs/6.1.x/features/endpoints/index.html @@ -5,13 +5,13 @@ Endpoints | OAuth2 Proxy - +
Version: 6.1.x

Endpoints

OAuth2 Proxy responds directly to the following endpoints. All other endpoints will be proxied upstream when authenticated. The /oauth2 prefix can be changed with the --proxy-prefix config variable.

  • /robots.txt - returns a 200 OK response that disallows all User-agents from all paths; see robotstxt.org for more info
  • /ping - returns a 200 OK response, which is intended for use with health checks
  • /oauth2/sign_in - the login page, which also doubles as a sign out page (it clears cookies)
  • /oauth2/sign_out - this URL is used to clear the session cookie
  • /oauth2/start - a URL that will redirect to start the OAuth cycle
  • /oauth2/callback - the URL used at the end of the OAuth cycle. The oauth app will be configured with this as the callback url.
  • /oauth2/userinfo - the URL is used to return user's email from the session in JSON format.
  • /oauth2/auth - only returns a 202 Accepted response or a 401 Unauthorized response; for use with the Nginx auth_request directive

Sign out​

To sign the user out, redirect them to /oauth2/sign_out. This endpoint only removes oauth2-proxy's own cookies, i.e. the user is still logged in with the authentication provider and may automatically re-login when accessing the application again. You will also need to redirect the user to the authentication provider's sign out page afterwards using the rd query parameter, i.e. redirect the user to something like (notice the url-encoding!):

/oauth2/sign_out?rd=https%3A%2F%2Fmy-oidc-provider.example.com%2Fsign_out_page

Alternatively, include the redirect URL in the X-Auth-Request-Redirect header:

GET /oauth2/sign_out HTTP/1.1
X-Auth-Request-Redirect: https://my-oidc-provider/sign_out_page
...

(The "sign_out_page" should be the end_session_endpoint from the metadata if your OIDC provider supports Session Management and Discovery.)

BEWARE that the domain you want to redirect to (my-oidc-provider.example.com in the example) must be added to the --whitelist-domain configuration option otherwise the redirect will be ignored.

Copyright © 2022 OAuth2 Proxy.
- + \ No newline at end of file diff --git a/docs/6.1.x/features/request_signatures/index.html b/docs/6.1.x/features/request_signatures/index.html index 33283bf0..306b1c09 100644 --- a/docs/6.1.x/features/request_signatures/index.html +++ b/docs/6.1.x/features/request_signatures/index.html @@ -5,7 +5,7 @@ Request Signatures | OAuth2 Proxy - + @@ -18,7 +18,7 @@ in oauthproxy.go.

signature_key must be of t following:

Copyright © 2022 OAuth2 Proxy.
- + \ No newline at end of file diff --git a/docs/6.1.x/index.html b/docs/6.1.x/index.html index bac908eb..9bcd6896 100644 --- a/docs/6.1.x/index.html +++ b/docs/6.1.x/index.html @@ -5,13 +5,13 @@ Installation | OAuth2 Proxy - +
Version: 6.1.x

Installation

  1. Choose how to deploy:

    a. Download Prebuilt Binary (current release is v6.1.1)

    b. Build with $ go get github.com/oauth2-proxy/oauth2-proxy which will put the binary in $GOPATH/bin

    c. Using the prebuilt docker image quay.io/oauth2-proxy/oauth2-proxy (AMD64, ARMv6 and ARM64 tags available)

Prebuilt binaries can be validated by extracting the file and verifying it against the sha256sum.txt checksum file provided for each release starting with version v3.0.0.

$ sha256sum -c sha256sum.txt 2>&1 | grep OK
oauth2-proxy-x.y.z.linux-amd64: OK
  1. Select a Provider and Register an OAuth Application with a Provider
  2. Configure OAuth2 Proxy using config file, command line options, or environment variables
  3. Configure SSL or Deploy behind a SSL endpoint (example provided for Nginx)
Copyright © 2022 OAuth2 Proxy.
- + \ No newline at end of file diff --git a/docs/7.0.x/behaviour/index.html b/docs/7.0.x/behaviour/index.html index 6f7f2786..a44478a3 100644 --- a/docs/7.0.x/behaviour/index.html +++ b/docs/7.0.x/behaviour/index.html @@ -5,13 +5,13 @@ Behaviour | OAuth2 Proxy - +
Version: 7.0.x

Behaviour

  1. Any request passing through the proxy (and not matched by --skip-auth-regex) is checked for the proxy's session cookie (--cookie-name) (or, if allowed, a JWT token - see --skip-jwt-bearer-tokens).
  2. If authentication is required but missing then the user is asked to log in and redirected to the authentication provider (unless it is an Ajax request, i.e. one with Accept: application/json, in which case 401 Unauthorized is returned)
  3. After returning from the authentication provider, the oauth tokens are stored in the configured session store (cookie, redis, ...) and a cookie is set
  4. The request is forwarded to the upstream server with added user info and authentication headers (depending on the configuration)

Notice that the proxy also provides a number of useful endpoints.

Copyright © 2022 OAuth2 Proxy.
- + \ No newline at end of file diff --git a/docs/7.0.x/community/security/index.html b/docs/7.0.x/community/security/index.html index 27429d0f..a4cbf2d0 100644 --- a/docs/7.0.x/community/security/index.html +++ b/docs/7.0.x/community/security/index.html @@ -5,7 +5,7 @@ Security | OAuth2 Proxy - + @@ -29,7 +29,7 @@ If we have multiple security issues in flight simultaneously, we may delay merging fixes until all patches are ready. We may also backport the fix to previous releases, but this will be at the discretion of the maintainers.

Copyright © 2022 OAuth2 Proxy.
- + \ No newline at end of file diff --git a/docs/7.0.x/configuration/alpha-config/index.html b/docs/7.0.x/configuration/alpha-config/index.html index 978bc783..65c95d05 100644 --- a/docs/7.0.x/configuration/alpha-config/index.html +++ b/docs/7.0.x/configuration/alpha-config/index.html @@ -5,7 +5,7 @@ Alpha Configuration | OAuth2 Proxy - + @@ -35,7 +35,7 @@ response header.

FieldTypeDescription make up the header value

FieldTypeDescription
value[]byteValue expects a base64 encoded string value.
fromEnvstringFromEnv expects the name of an environment variable.
fromFilestringFromFile expects a path to a file containing the secret value.
claimstringClaim is the name of the claim in the session that the value should be
loaded from.
prefixstringPrefix is an optional prefix that will be prepended to the value of the
claim if it is non-empty.
basicAuthPasswordSecretSourceBasicAuthPassword converts this claim into a basic auth header.
Note the value of claim will become the basic auth username and the
basicAuthPassword will be used as the password value.

SecretSource​

(Appears on: ClaimSource, HeaderValue)

SecretSource references an individual secret value. Only one source within the struct should be defined at any time.

FieldTypeDescription
value[]byteValue expects a base64 encoded string value.
fromEnvstringFromEnv expects the name of an environment variable.
fromFilestringFromFile expects a path to a file containing the secret value.

Upstream​

(Appears on: Upstreams)

Upstream represents the configuration for an upstream server. Requests will be proxied to this upstream if the path matches the request path.

FieldTypeDescription
idstringID should be a unique identifier for the upstream.
This value is required for all upstreams.
pathstringPath is used to map requests to the upstream server.
The closest match will take precedence and all Paths must be unique.
uristringThe URI of the upstream server. This may be an HTTP(S) server of a File
based URL. It may include a path, in which case all requests will be served
under that path.
Eg:
- http://localhost:8080
- https://service.localhost
- https://service.localhost/path
- file://host/path
If the URI's path is "/base" and the incoming request was for "/dir",
the upstream request will be for "/base/dir".
insecureSkipTLSVerifyboolInsecureSkipTLSVerify will skip TLS verification of upstream HTTPS hosts.
This option is insecure and will allow potential Man-In-The-Middle attacks
betweem OAuth2 Proxy and the usptream server.
Defaults to false.
staticboolStatic will make all requests to this upstream have a static response.
The response will have a body of "Authenticated" and a response code
matching StaticCode.
If StaticCode is not set, the response will return a 200 response.
staticCodeintStaticCode determines the response code for the Static response.
This option can only be used with Static enabled.
flushIntervalDurationFlushInterval is the period between flushing the response buffer when
streaming response from the upstream.
Defaults to 1 second.
passHostHeaderboolPassHostHeader determines whether the request host header should be proxied
to the upstream server.
Defaults to true.
proxyWebSocketsboolProxyWebSockets enables proxying of websockets to upstream servers
Defaults to true.

Upstreams​

([]Upstream alias)​

(Appears on: AlphaOptions)

Upstreams is a collection of definitions for upstream servers.

Copyright © 2022 OAuth2 Proxy.
- + \ No newline at end of file diff --git a/docs/7.0.x/configuration/oauth_provider/index.html b/docs/7.0.x/configuration/oauth_provider/index.html index dbd5aedd..b4161a0e 100644 --- a/docs/7.0.x/configuration/oauth_provider/index.html +++ b/docs/7.0.x/configuration/oauth_provider/index.html @@ -5,7 +5,7 @@ OAuth Provider Configuration | OAuth2 Proxy - + @@ -50,7 +50,7 @@ to setup the client id and client secret. Your "Redirection URI" will Provider instance. Add a new case to providers.New() to allow oauth2-proxy to use the new Provider.

Copyright © 2022 OAuth2 Proxy.
- + \ No newline at end of file diff --git a/docs/7.0.x/configuration/overview/index.html b/docs/7.0.x/configuration/overview/index.html index 526fdffc..b7829b0b 100644 --- a/docs/7.0.x/configuration/overview/index.html +++ b/docs/7.0.x/configuration/overview/index.html @@ -5,7 +5,7 @@ Overview | OAuth2 Proxy - + @@ -20,7 +20,7 @@ The default format is configured as follows:

{{.Client}} - {{.Username}} [{{.Timestamp}}] {{.Host}} {{.RequestMethod}} {{.Upstream}} {{.RequestURI}} {{.Protocol}} {{.UserAgent}} {{.StatusCode}} {{.ResponseSize}} {{.RequestDuration}}

Available variables for request logging:

VariableExampleDescription
Client74.125.224.72The client/remote IP address. Will use the X-Real-IP header it if exists & reverse-proxy is set to true.
Hostdomain.comThe value of the Host header.
ProtocolHTTP/1.0The request protocol.
RequestDuration0.001The time in seconds that a request took to process.
RequestMethodGETThe request method.
RequestURI"/oauth2/auth"The URI path of the request.
ResponseSize12The size in bytes of the response.
StatusCode200The HTTP status code of the response.
Timestamp19/Mar/2015:17:20:19 -0400The date and time of the logging event.
Upstream-The upstream data of the HTTP request.
UserAgent-The full user agent as reported by the requesting client.
Usernameusername@email.comThe email or username of the auth request.

Standard Log Format​

All other logging that is not covered by the above two types of logging will be output in this standard logging format. This includes configuration information at startup and errors that occur outside of a session. The default format is below:

[19/Mar/2015:17:20:19 -0400] [main.go:40] <MESSAGE>

If you require a different format than that, you can configure it with the --standard-logging-format flag. The default format is configured as follows:

[{{.Timestamp}}] [{{.File}}] {{.Message}}

Available variables for standard logging:

VariableExampleDescription
Timestamp19/Mar/2015:17:20:19 -0400The date and time of the logging event.
Filemain.go:40The file and line number of the logging statement.
MessageHTTP: listening on 127.0.0.1:4180The details of the log statement.

Configuring for use with the Nginx auth_request directive​

The Nginx auth_request directive allows Nginx to authenticate requests via the oauth2-proxy's /auth endpoint, which only returns a 202 Accepted response or a 401 Unauthorized response without proxying the request through. For example:

server {
  listen 443 ssl;
  server_name ...;
  include ssl/ssl.conf;

  location /oauth2/ {
    proxy_pass       http://127.0.0.1:4180;
    proxy_set_header Host                    $host;
    proxy_set_header X-Real-IP               $remote_addr;
    proxy_set_header X-Scheme                $scheme;
    proxy_set_header X-Auth-Request-Redirect $request_uri;
    # or, if you are handling multiple domains:
    # proxy_set_header X-Auth-Request-Redirect $scheme://$host$request_uri;
  }
  location = /oauth2/auth {
    proxy_pass       http://127.0.0.1:4180;
    proxy_set_header Host             $host;
    proxy_set_header X-Real-IP        $remote_addr;
    proxy_set_header X-Scheme         $scheme;
    # nginx auth_request includes headers but not body
    proxy_set_header Content-Length   "";
    proxy_pass_request_body           off;
  }

  location / {
    auth_request /oauth2/auth;
    error_page 401 = /oauth2/sign_in;

    # pass information via X-User and X-Email headers to backend,
    # requires running with --set-xauthrequest flag
    auth_request_set $user   $upstream_http_x_auth_request_user;
    auth_request_set $email  $upstream_http_x_auth_request_email;
    proxy_set_header X-User  $user;
    proxy_set_header X-Email $email;

    # if you enabled --pass-access-token, this will pass the token to the backend
    auth_request_set $token  $upstream_http_x_auth_request_access_token;
    proxy_set_header X-Access-Token $token;

    # if you enabled --cookie-refresh, this is needed for it to work with auth_request
    auth_request_set $auth_cookie $upstream_http_set_cookie;
    add_header Set-Cookie $auth_cookie;

    # When using the --set-authorization-header flag, some provider's cookies can exceed the 4kb
    # limit and so the OAuth2 Proxy splits these into multiple parts.
    # Nginx normally only copies the first `Set-Cookie` header from the auth_request to the response,
    # so if your cookies are larger than 4kb, you will need to extract additional cookies manually.
    auth_request_set $auth_cookie_name_upstream_1 $upstream_cookie_auth_cookie_name_1;

    # Extract the Cookie attributes from the first Set-Cookie header and append them
    # to the second part ($upstream_cookie_* variables only contain the raw cookie content)
    if ($auth_cookie ~* "(; .*)") {
        set $auth_cookie_name_0 $auth_cookie;
        set $auth_cookie_name_1 "auth_cookie_name_1=$auth_cookie_name_upstream_1$1";
    }

    # Send both Set-Cookie headers now if there was a second part
    if ($auth_cookie_name_upstream_1) {
        add_header Set-Cookie $auth_cookie_name_0;
        add_header Set-Cookie $auth_cookie_name_1;
    }

    proxy_pass http://backend/;
    # or "root /path/to/site;" or "fastcgi_pass ..." etc
  }
}

When you use ingress-nginx in Kubernetes, you MUST use kubernetes/ingress-nginx (which includes the Lua module) and the following configuration snippet for your Ingress. Variables set with auth_request_set are not set-able in plain nginx config when the location is processed via proxy_pass and then may only be processed by Lua. Note that nginxinc/kubernetes-ingress does not include the Lua module.

nginx.ingress.kubernetes.io/auth-response-headers: Authorization
nginx.ingress.kubernetes.io/auth-signin: https://$host/oauth2/start?rd=$escaped_request_uri
nginx.ingress.kubernetes.io/auth-url: https://$host/oauth2/auth
nginx.ingress.kubernetes.io/configuration-snippet: |
  auth_request_set $name_upstream_1 $upstream_cookie_name_1;

  access_by_lua_block {
    if ngx.var.name_upstream_1 ~= "" then
      ngx.header["Set-Cookie"] = "name_1=" .. ngx.var.name_upstream_1 .. ngx.var.auth_cookie:match("(; .*)")
    end
  }

It is recommended to use --session-store-type=redis when expecting large sessions/OIDC tokens (e.g. with MS Azure).

You have to substitute name with the actual cookie name you configured via --cookie-name parameter. If you don't set a custom cookie name the variable should be "$upstream_cookie__oauth2_proxy_1" instead of "$upstream_cookie_name_1" and the new cookie-name should be "_oauth2_proxy_1=" instead of "name_1=".

Configuring for use with the Traefik (v2) ForwardAuth middleware​

This option requires --reverse-proxy option to be set.

ForwardAuth with 401 errors middleware​

The Traefik v2 ForwardAuth middleware allows Traefik to authenticate requests via the oauth2-proxy's /oauth2/auth endpoint on every request, which only returns a 202 Accepted response or a 401 Unauthorized response without proxying the whole request through. For example, on Dynamic File (YAML) Configuration:

http:
  routers:
    a-service:
      rule: "Host(`a-service.example.com`)"
      service: a-service-backend
      middlewares:
        - oauth-errors
        - oauth-auth
      tls:
        certResolver: default
        domains:
          - main: "example.com"
            sans:
              - "*.example.com"
    oauth:
      rule: "Host(`a-service.example.com`, `oauth.example.com`) && PathPrefix(`/oauth2/`)"
      middlewares:
        - auth-headers
      service: oauth-backend
      tls:
        certResolver: default
        domains:
          - main: "example.com"
            sans:
              - "*.example.com"

  services:
    a-service-backend:
      loadBalancer:
        servers:
          - url: http://172.16.0.2:7555
    oauth-backend:
      loadBalancer:
        servers:
          - url: http://172.16.0.1:4180

  middlewares:
    auth-headers:
      headers:
        sslRedirect: true
        stsSeconds: 315360000
        browserXssFilter: true
        contentTypeNosniff: true
        forceSTSHeader: true
        sslHost: example.com
        stsIncludeSubdomains: true
        stsPreload: true
        frameDeny: true
    oauth-auth:
      forwardAuth:
        address: https://oauth.example.com/oauth2/auth
        trustForwardHeader: true
    oauth-errors:
      errors:
        status:
          - "401-403"
        service: oauth-backend
        query: "/oauth2/sign_in"

ForwardAuth with static upstreams configuration​

Redirect to sign_in functionality provided without the use of errors middleware with Traefik v2 ForwardAuth middleware pointing to oauth2-proxy service's / endpoint

Following options need to be set on oauth2-proxy:

  • --upstream=static://202: Configures a static response for authenticated sessions
  • --reverseproxy=true: Enables the use of X-Forwarded-* headers to determine redirects correctly
http:
  routers:
    a-service-route-1:
      rule: "Host(`a-service.example.com`, `b-service.example.com`) && PathPrefix(`/`)"
      service: a-service-backend
      middlewares:
        - oauth-auth-redirect # redirects all unauthenticated to oauth2 signin
      tls:
        certResolver: default
        domains:
          - main: "example.com"
            sans:
              - "*.example.com"
    a-service-route-2:
      rule: "Host(`a-service.example.com`) && PathPrefix(`/no-auto-redirect`)"
      service: a-service-backend
      middlewares:
        - oauth-auth-wo-redirect # unauthenticated session will return a 401
      tls:
        certResolver: default
        domains:
          - main: "example.com"
            sans:
              - "*.example.com"
    services-oauth2-route:
      rule: "Host(`a-service.example.com`, `b-service.example.com`) && PathPrefix(`/oauth2/`)"
      middlewares:
        - auth-headers
      service: oauth-backend
      tls:
        certResolver: default
        domains:
          - main: "example.com"
            sans:
              - "*.example.com"
    oauth2-proxy-route:
      rule: "Host(`oauth.example.com`) && PathPrefix(`/`)"
      middlewares:
        - auth-headers
      service: oauth-backend
      tls:
        certResolver: default
        domains:
          - main: "example.com"
            sans:
              - "*.example.com"

  services:
    a-service-backend:
      loadBalancer:
        servers:
          - url: http://172.16.0.2:7555
    b-service-backend:
      loadBalancer:
        servers:
          - url: http://172.16.0.3:7555
    oauth-backend:
      loadBalancer:
        servers:
          - url: http://172.16.0.1:4180

  middlewares:
    auth-headers:
      headers:
        sslRedirect: true
        stsSeconds: 315360000
        browserXssFilter: true
        contentTypeNosniff: true
        forceSTSHeader: true
        sslHost: example.com
        stsIncludeSubdomains: true
        stsPreload: true
        frameDeny: true
    oauth-auth-redirect:
      forwardAuth:
        address: https://oauth.example.com/
        trustForwardHeader: true
        authResponseHeaders:
          - X-Auth-Request-Access-Token
          - Authorization
    oauth-auth-wo-redirect:
      forwardAuth:
        address: https://oauth.example.com/oauth2/auth
        trustForwardHeader: true
        authResponseHeaders:
          - X-Auth-Request-Access-Token
          - Authorization
note

If you set up your OAuth2 provider to rotate your client secret, you can use the client-secret-file option to reload the secret when it is updated.

Copyright © 2022 OAuth2 Proxy.
- + \ No newline at end of file diff --git a/docs/7.0.x/configuration/session_storage/index.html b/docs/7.0.x/configuration/session_storage/index.html index 582723cd..9e198298 100644 --- a/docs/7.0.x/configuration/session_storage/index.html +++ b/docs/7.0.x/configuration/session_storage/index.html @@ -5,7 +5,7 @@ Session Storage | OAuth2 Proxy - + @@ -26,7 +26,7 @@ disclosure.

Usage--redis-use-sentinel=true flag, as well as configure the flags --redis-sentinel-master-name and --redis-sentinel-connection-urls appropriately.

Redis Cluster is available to be the backend store as well. To leverage it, you will need to set the --redis-use-cluster=true flag, and configure the flags --redis-cluster-connection-urls appropriately.

Note that flags --redis-use-sentinel=true and --redis-use-cluster=true are mutually exclusive.

Copyright © 2022 OAuth2 Proxy.
- + \ No newline at end of file diff --git a/docs/7.0.x/configuration/tls/index.html b/docs/7.0.x/configuration/tls/index.html index 8dfd0702..e08778d2 100644 --- a/docs/7.0.x/configuration/tls/index.html +++ b/docs/7.0.x/configuration/tls/index.html @@ -5,7 +5,7 @@ TLS Configuration | OAuth2 Proxy - + @@ -16,7 +16,7 @@ external load balancer like Amazon ELB or Google Platform Load Balancing) use oauth2-proxy will then authenticate requests for an upstream application. The external endpoint for this example would be https://internal.yourcompany.com/.

An example Nginx config follows. Note the use of Strict-Transport-Security header to pin requests to SSL via HSTS:

server {
    listen 443 default ssl;
    server_name internal.yourcompany.com;
    ssl_certificate /path/to/cert.pem;
    ssl_certificate_key /path/to/cert.key;
    add_header Strict-Transport-Security max-age=2592000;

    location / {
        proxy_pass http://127.0.0.1:4180;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Scheme $scheme;
        proxy_connect_timeout 1;
        proxy_send_timeout 30;
        proxy_read_timeout 30;
    }
}

The command line to run oauth2-proxy in this configuration would look like this:

./oauth2-proxy \
   --email-domain="yourcompany.com"  \
   --upstream=http://127.0.0.1:8080/ \
   --cookie-secret=... \
   --cookie-secure=true \
   --provider=... \
   --reverse-proxy=true \
   --client-id=... \
   --client-secret=...
Copyright © 2022 OAuth2 Proxy.
- + \ No newline at end of file diff --git a/docs/7.0.x/features/endpoints/index.html b/docs/7.0.x/features/endpoints/index.html index 5a5c0444..04c207d6 100644 --- a/docs/7.0.x/features/endpoints/index.html +++ b/docs/7.0.x/features/endpoints/index.html @@ -5,13 +5,13 @@ Endpoints | OAuth2 Proxy - +
Version: 7.0.x

Endpoints

OAuth2 Proxy responds directly to the following endpoints. All other endpoints will be proxied upstream when authenticated. The /oauth2 prefix can be changed with the --proxy-prefix config variable.

  • /robots.txt - returns a 200 OK response that disallows all User-agents from all paths; see robotstxt.org for more info
  • /ping - returns a 200 OK response, which is intended for use with health checks
  • /oauth2/sign_in - the login page, which also doubles as a sign out page (it clears cookies)
  • /oauth2/sign_out - this URL is used to clear the session cookie
  • /oauth2/start - a URL that will redirect to start the OAuth cycle
  • /oauth2/callback - the URL used at the end of the OAuth cycle. The oauth app will be configured with this as the callback url.
  • /oauth2/userinfo - the URL is used to return user's email from the session in JSON format.
  • /oauth2/auth - only returns a 202 Accepted response or a 401 Unauthorized response; for use with the Nginx auth_request directive

Sign out​

To sign the user out, redirect them to /oauth2/sign_out. This endpoint only removes oauth2-proxy's own cookies, i.e. the user is still logged in with the authentication provider and may automatically re-login when accessing the application again. You will also need to redirect the user to the authentication provider's sign out page afterwards using the rd query parameter, i.e. redirect the user to something like (notice the url-encoding!):

/oauth2/sign_out?rd=https%3A%2F%2Fmy-oidc-provider.example.com%2Fsign_out_page

Alternatively, include the redirect URL in the X-Auth-Request-Redirect header:

GET /oauth2/sign_out HTTP/1.1
X-Auth-Request-Redirect: https://my-oidc-provider/sign_out_page
...

(The "sign_out_page" should be the end_session_endpoint from the metadata if your OIDC provider supports Session Management and Discovery.)

BEWARE that the domain you want to redirect to (my-oidc-provider.example.com in the example) must be added to the --whitelist-domain configuration option otherwise the redirect will be ignored.

Copyright © 2022 OAuth2 Proxy.
- + \ No newline at end of file diff --git a/docs/7.0.x/features/request_signatures/index.html b/docs/7.0.x/features/request_signatures/index.html index e612f9b7..bb16ad31 100644 --- a/docs/7.0.x/features/request_signatures/index.html +++ b/docs/7.0.x/features/request_signatures/index.html @@ -5,7 +5,7 @@ Request Signatures | OAuth2 Proxy - + @@ -18,7 +18,7 @@ in oauthproxy.go.

signature_key must be of t following:

Copyright © 2022 OAuth2 Proxy.
- + \ No newline at end of file diff --git a/docs/7.0.x/index.html b/docs/7.0.x/index.html index d61ad1d6..435fd989 100644 --- a/docs/7.0.x/index.html +++ b/docs/7.0.x/index.html @@ -5,13 +5,13 @@ Installation | OAuth2 Proxy - +
Version: 7.0.x

Installation

  1. Choose how to deploy:

    a. Download Prebuilt Binary (current release is v7.0.1)

    b. Build with $ go get github.com/oauth2-proxy/oauth2-proxy/v7 which will put the binary in $GOPATH/bin

    c. Using the prebuilt docker image quay.io/oauth2-proxy/oauth2-proxy (AMD64, ARMv6 and ARM64 tags available)

Prebuilt binaries can be validated by extracting the file and verifying it against the sha256sum.txt checksum file provided for each release starting with version v3.0.0.

$ sha256sum -c sha256sum.txt 2>&1 | grep OK
oauth2-proxy-x.y.z.linux-amd64: OK
  1. Select a Provider and Register an OAuth Application with a Provider
  2. Configure OAuth2 Proxy using config file, command line options, or environment variables
  3. Configure SSL or Deploy behind a SSL endpoint (example provided for Nginx)
Copyright © 2022 OAuth2 Proxy.
- + \ No newline at end of file diff --git a/docs/7.1.x/behaviour/index.html b/docs/7.1.x/behaviour/index.html index 7fc5a239..3bc4b659 100644 --- a/docs/7.1.x/behaviour/index.html +++ b/docs/7.1.x/behaviour/index.html @@ -5,13 +5,13 @@ Behaviour | OAuth2 Proxy - +
Version: 7.1.x

Behaviour

  1. Any request passing through the proxy (and not matched by --skip-auth-regex) is checked for the proxy's session cookie (--cookie-name) (or, if allowed, a JWT token - see --skip-jwt-bearer-tokens).
  2. If authentication is required but missing then the user is asked to log in and redirected to the authentication provider (unless it is an Ajax request, i.e. one with Accept: application/json, in which case 401 Unauthorized is returned)
  3. After returning from the authentication provider, the oauth tokens are stored in the configured session store (cookie, redis, ...) and a cookie is set
  4. The request is forwarded to the upstream server with added user info and authentication headers (depending on the configuration)

Notice that the proxy also provides a number of useful endpoints.

Copyright © 2022 OAuth2 Proxy.
- + \ No newline at end of file diff --git a/docs/7.1.x/community/security/index.html b/docs/7.1.x/community/security/index.html index b031b769..ee57e5e3 100644 --- a/docs/7.1.x/community/security/index.html +++ b/docs/7.1.x/community/security/index.html @@ -5,7 +5,7 @@ Security | OAuth2 Proxy - + @@ -29,7 +29,7 @@ If we have multiple security issues in flight simultaneously, we may delay merging fixes until all patches are ready. We may also backport the fix to previous releases, but this will be at the discretion of the maintainers.

Copyright © 2022 OAuth2 Proxy.
- + \ No newline at end of file diff --git a/docs/7.1.x/configuration/alpha-config/index.html b/docs/7.1.x/configuration/alpha-config/index.html index b7968cb6..fd666534 100644 --- a/docs/7.1.x/configuration/alpha-config/index.html +++ b/docs/7.1.x/configuration/alpha-config/index.html @@ -5,7 +5,7 @@ Alpha Configuration | OAuth2 Proxy - + @@ -35,7 +35,7 @@ response header.

FieldTypeDescription make up the header value

FieldTypeDescription
value[]byteValue expects a base64 encoded string value.
fromEnvstringFromEnv expects the name of an environment variable.
fromFilestringFromFile expects a path to a file containing the secret value.
claimstringClaim is the name of the claim in the session that the value should be
loaded from.
prefixstringPrefix is an optional prefix that will be prepended to the value of the
claim if it is non-empty.
basicAuthPasswordSecretSourceBasicAuthPassword converts this claim into a basic auth header.
Note the value of claim will become the basic auth username and the
basicAuthPassword will be used as the password value.

SecretSource​

(Appears on: ClaimSource, HeaderValue, TLS)

SecretSource references an individual secret value. Only one source within the struct should be defined at any time.

FieldTypeDescription
value[]byteValue expects a base64 encoded string value.
fromEnvstringFromEnv expects the name of an environment variable.
fromFilestringFromFile expects a path to a file containing the secret value.

Server​

(Appears on: AlphaOptions)

Server represents the configuration for an HTTP(S) server

FieldTypeDescription
BindAddressstringBindAddress is the address on which to serve traffic.
Leave blank or set to "-" to disable.
SecureBindAddressstringSecureBindAddress is the address on which to serve secure traffic.
Leave blank or set to "-" to disable.
TLSTLSTLS contains the information for loading the certificate and key for the
secure traffic.

TLS​

(Appears on: Server)

TLS contains the information for loading a TLS certifcate and key.

FieldTypeDescription
KeySecretSourceKey is the TLS key data to use.
Typically this will come from a file.
CertSecretSourceCert is the TLS certificate data to use.
Typically this will come from a file.

Upstream​

(Appears on: Upstreams)

Upstream represents the configuration for an upstream server. Requests will be proxied to this upstream if the path matches the request path.

FieldTypeDescription
idstringID should be a unique identifier for the upstream.
This value is required for all upstreams.
pathstringPath is used to map requests to the upstream server.
The closest match will take precedence and all Paths must be unique.
uristringThe URI of the upstream server. This may be an HTTP(S) server of a File
based URL. It may include a path, in which case all requests will be served
under that path.
Eg:
- http://localhost:8080
- https://service.localhost
- https://service.localhost/path
- file://host/path
If the URI's path is "/base" and the incoming request was for "/dir",
the upstream request will be for "/base/dir".
insecureSkipTLSVerifyboolInsecureSkipTLSVerify will skip TLS verification of upstream HTTPS hosts.
This option is insecure and will allow potential Man-In-The-Middle attacks
betweem OAuth2 Proxy and the usptream server.
Defaults to false.
staticboolStatic will make all requests to this upstream have a static response.
The response will have a body of "Authenticated" and a response code
matching StaticCode.
If StaticCode is not set, the response will return a 200 response.
staticCodeintStaticCode determines the response code for the Static response.
This option can only be used with Static enabled.
flushIntervalDurationFlushInterval is the period between flushing the response buffer when
streaming response from the upstream.
Defaults to 1 second.
passHostHeaderboolPassHostHeader determines whether the request host header should be proxied
to the upstream server.
Defaults to true.
proxyWebSocketsboolProxyWebSockets enables proxying of websockets to upstream servers
Defaults to true.

Upstreams​

([]Upstream alias)​

(Appears on: AlphaOptions)

Upstreams is a collection of definitions for upstream servers.

Copyright © 2022 OAuth2 Proxy.
- + \ No newline at end of file diff --git a/docs/7.1.x/configuration/oauth_provider/index.html b/docs/7.1.x/configuration/oauth_provider/index.html index 907833c0..8c1fb4a1 100644 --- a/docs/7.1.x/configuration/oauth_provider/index.html +++ b/docs/7.1.x/configuration/oauth_provider/index.html @@ -5,7 +5,7 @@ OAuth Provider Configuration | OAuth2 Proxy - + @@ -50,7 +50,7 @@ to setup the client id and client secret. Your "Redirection URI" will Provider instance. Add a new case to providers.New() to allow oauth2-proxy to use the new Provider.

Copyright © 2022 OAuth2 Proxy.
- + \ No newline at end of file diff --git a/docs/7.1.x/configuration/overview/index.html b/docs/7.1.x/configuration/overview/index.html index 0c9fcf5b..cbbe3055 100644 --- a/docs/7.1.x/configuration/overview/index.html +++ b/docs/7.1.x/configuration/overview/index.html @@ -5,7 +5,7 @@ Overview | OAuth2 Proxy - + @@ -20,7 +20,7 @@ The default format is configured as follows:

{{.Client}} - {{.RequestID}} - {{.Username}} [{{.Timestamp}}] {{.Host}} {{.RequestMethod}} {{.Upstream}} {{.RequestURI}} {{.Protocol}} {{.UserAgent}} {{.StatusCode}} {{.ResponseSize}} {{.RequestDuration}}

Available variables for request logging:

VariableExampleDescription
Client74.125.224.72The client/remote IP address. Will use the X-Real-IP header it if exists & reverse-proxy is set to true.
Hostdomain.comThe value of the Host header.
ProtocolHTTP/1.0The request protocol.
RequestDuration0.001The time in seconds that a request took to process.
RequestID00010203-0405-4607-8809-0a0b0c0d0e0fThe request ID pulled from the --request-id-header. Random UUID if empty
RequestMethodGETThe request method.
RequestURI"/oauth2/auth"The URI path of the request.
ResponseSize12The size in bytes of the response.
StatusCode200The HTTP status code of the response.
Timestamp19/Mar/2015:17:20:19 -0400The date and time of the logging event.
Upstream-The upstream data of the HTTP request.
UserAgent-The full user agent as reported by the requesting client.
Usernameusername@email.comThe email or username of the auth request.

Standard Log Format​

All other logging that is not covered by the above two types of logging will be output in this standard logging format. This includes configuration information at startup and errors that occur outside of a session. The default format is below:

[19/Mar/2015:17:20:19 -0400] [main.go:40] <MESSAGE>

If you require a different format than that, you can configure it with the --standard-logging-format flag. The default format is configured as follows:

[{{.Timestamp}}] [{{.File}}] {{.Message}}

Available variables for standard logging:

VariableExampleDescription
Timestamp19/Mar/2015:17:20:19 -0400The date and time of the logging event.
Filemain.go:40The file and line number of the logging statement.
MessageHTTP: listening on 127.0.0.1:4180The details of the log statement.

Configuring for use with the Nginx auth_request directive​

The Nginx auth_request directive allows Nginx to authenticate requests via the oauth2-proxy's /auth endpoint, which only returns a 202 Accepted response or a 401 Unauthorized response without proxying the request through. For example:

server {
  listen 443 ssl;
  server_name ...;
  include ssl/ssl.conf;

  location /oauth2/ {
    proxy_pass       http://127.0.0.1:4180;
    proxy_set_header Host                    $host;
    proxy_set_header X-Real-IP               $remote_addr;
    proxy_set_header X-Scheme                $scheme;
    proxy_set_header X-Auth-Request-Redirect $request_uri;
    # or, if you are handling multiple domains:
    # proxy_set_header X-Auth-Request-Redirect $scheme://$host$request_uri;
  }
  location = /oauth2/auth {
    proxy_pass       http://127.0.0.1:4180;
    proxy_set_header Host             $host;
    proxy_set_header X-Real-IP        $remote_addr;
    proxy_set_header X-Scheme         $scheme;
    # nginx auth_request includes headers but not body
    proxy_set_header Content-Length   "";
    proxy_pass_request_body           off;
  }

  location / {
    auth_request /oauth2/auth;
    error_page 401 = /oauth2/sign_in;

    # pass information via X-User and X-Email headers to backend,
    # requires running with --set-xauthrequest flag
    auth_request_set $user   $upstream_http_x_auth_request_user;
    auth_request_set $email  $upstream_http_x_auth_request_email;
    proxy_set_header X-User  $user;
    proxy_set_header X-Email $email;

    # if you enabled --pass-access-token, this will pass the token to the backend
    auth_request_set $token  $upstream_http_x_auth_request_access_token;
    proxy_set_header X-Access-Token $token;

    # if you enabled --cookie-refresh, this is needed for it to work with auth_request
    auth_request_set $auth_cookie $upstream_http_set_cookie;
    add_header Set-Cookie $auth_cookie;

    # When using the --set-authorization-header flag, some provider's cookies can exceed the 4kb
    # limit and so the OAuth2 Proxy splits these into multiple parts.
    # Nginx normally only copies the first `Set-Cookie` header from the auth_request to the response,
    # so if your cookies are larger than 4kb, you will need to extract additional cookies manually.
    auth_request_set $auth_cookie_name_upstream_1 $upstream_cookie_auth_cookie_name_1;

    # Extract the Cookie attributes from the first Set-Cookie header and append them
    # to the second part ($upstream_cookie_* variables only contain the raw cookie content)
    if ($auth_cookie ~* "(; .*)") {
        set $auth_cookie_name_0 $auth_cookie;
        set $auth_cookie_name_1 "auth_cookie_name_1=$auth_cookie_name_upstream_1$1";
    }

    # Send both Set-Cookie headers now if there was a second part
    if ($auth_cookie_name_upstream_1) {
        add_header Set-Cookie $auth_cookie_name_0;
        add_header Set-Cookie $auth_cookie_name_1;
    }

    proxy_pass http://backend/;
    # or "root /path/to/site;" or "fastcgi_pass ..." etc
  }
}

When you use ingress-nginx in Kubernetes, you MUST use kubernetes/ingress-nginx (which includes the Lua module) and the following configuration snippet for your Ingress. Variables set with auth_request_set are not set-able in plain nginx config when the location is processed via proxy_pass and then may only be processed by Lua. Note that nginxinc/kubernetes-ingress does not include the Lua module.

nginx.ingress.kubernetes.io/auth-response-headers: Authorization
nginx.ingress.kubernetes.io/auth-signin: https://$host/oauth2/start?rd=$escaped_request_uri
nginx.ingress.kubernetes.io/auth-url: https://$host/oauth2/auth
nginx.ingress.kubernetes.io/configuration-snippet: |
  auth_request_set $name_upstream_1 $upstream_cookie_name_1;

  access_by_lua_block {
    if ngx.var.name_upstream_1 ~= "" then
      ngx.header["Set-Cookie"] = "name_1=" .. ngx.var.name_upstream_1 .. ngx.var.auth_cookie:match("(; .*)")
    end
  }

It is recommended to use --session-store-type=redis when expecting large sessions/OIDC tokens (e.g. with MS Azure).

You have to substitute name with the actual cookie name you configured via --cookie-name parameter. If you don't set a custom cookie name the variable should be "$upstream_cookie__oauth2_proxy_1" instead of "$upstream_cookie_name_1" and the new cookie-name should be "_oauth2_proxy_1=" instead of "name_1=".

Configuring for use with the Traefik (v2) ForwardAuth middleware​

This option requires --reverse-proxy option to be set.

ForwardAuth with 401 errors middleware​

The Traefik v2 ForwardAuth middleware allows Traefik to authenticate requests via the oauth2-proxy's /oauth2/auth endpoint on every request, which only returns a 202 Accepted response or a 401 Unauthorized response without proxying the whole request through. For example, on Dynamic File (YAML) Configuration:

http:
  routers:
    a-service:
      rule: "Host(`a-service.example.com`)"
      service: a-service-backend
      middlewares:
        - oauth-errors
        - oauth-auth
      tls:
        certResolver: default
        domains:
          - main: "example.com"
            sans:
              - "*.example.com"
    oauth:
      rule: "Host(`a-service.example.com`, `oauth.example.com`) && PathPrefix(`/oauth2/`)"
      middlewares:
        - auth-headers
      service: oauth-backend
      tls:
        certResolver: default
        domains:
          - main: "example.com"
            sans:
              - "*.example.com"

  services:
    a-service-backend:
      loadBalancer:
        servers:
          - url: http://172.16.0.2:7555
    oauth-backend:
      loadBalancer:
        servers:
          - url: http://172.16.0.1:4180

  middlewares:
    auth-headers:
      headers:
        sslRedirect: true
        stsSeconds: 315360000
        browserXssFilter: true
        contentTypeNosniff: true
        forceSTSHeader: true
        sslHost: example.com
        stsIncludeSubdomains: true
        stsPreload: true
        frameDeny: true
    oauth-auth:
      forwardAuth:
        address: https://oauth.example.com/oauth2/auth
        trustForwardHeader: true
    oauth-errors:
      errors:
        status:
          - "401-403"
        service: oauth-backend
        query: "/oauth2/sign_in"

ForwardAuth with static upstreams configuration​

Redirect to sign_in functionality provided without the use of errors middleware with Traefik v2 ForwardAuth middleware pointing to oauth2-proxy service's / endpoint

Following options need to be set on oauth2-proxy:

  • --upstream=static://202: Configures a static response for authenticated sessions
  • --reverseproxy=true: Enables the use of X-Forwarded-* headers to determine redirects correctly
http:
  routers:
    a-service-route-1:
      rule: "Host(`a-service.example.com`, `b-service.example.com`) && PathPrefix(`/`)"
      service: a-service-backend
      middlewares:
        - oauth-auth-redirect # redirects all unauthenticated to oauth2 signin
      tls:
        certResolver: default
        domains:
          - main: "example.com"
            sans:
              - "*.example.com"
    a-service-route-2:
      rule: "Host(`a-service.example.com`) && PathPrefix(`/no-auto-redirect`)"
      service: a-service-backend
      middlewares:
        - oauth-auth-wo-redirect # unauthenticated session will return a 401
      tls:
        certResolver: default
        domains:
          - main: "example.com"
            sans:
              - "*.example.com"
    services-oauth2-route:
      rule: "Host(`a-service.example.com`, `b-service.example.com`) && PathPrefix(`/oauth2/`)"
      middlewares:
        - auth-headers
      service: oauth-backend
      tls:
        certResolver: default
        domains:
          - main: "example.com"
            sans:
              - "*.example.com"
    oauth2-proxy-route:
      rule: "Host(`oauth.example.com`) && PathPrefix(`/`)"
      middlewares:
        - auth-headers
      service: oauth-backend
      tls:
        certResolver: default
        domains:
          - main: "example.com"
            sans:
              - "*.example.com"

  services:
    a-service-backend:
      loadBalancer:
        servers:
          - url: http://172.16.0.2:7555
    b-service-backend:
      loadBalancer:
        servers:
          - url: http://172.16.0.3:7555
    oauth-backend:
      loadBalancer:
        servers:
          - url: http://172.16.0.1:4180

  middlewares:
    auth-headers:
      headers:
        sslRedirect: true
        stsSeconds: 315360000
        browserXssFilter: true
        contentTypeNosniff: true
        forceSTSHeader: true
        sslHost: example.com
        stsIncludeSubdomains: true
        stsPreload: true
        frameDeny: true
    oauth-auth-redirect:
      forwardAuth:
        address: https://oauth.example.com/
        trustForwardHeader: true
        authResponseHeaders:
          - X-Auth-Request-Access-Token
          - Authorization
    oauth-auth-wo-redirect:
      forwardAuth:
        address: https://oauth.example.com/oauth2/auth
        trustForwardHeader: true
        authResponseHeaders:
          - X-Auth-Request-Access-Token
          - Authorization
note

If you set up your OAuth2 provider to rotate your client secret, you can use the client-secret-file option to reload the secret when it is updated.

Copyright © 2022 OAuth2 Proxy.
- + \ No newline at end of file diff --git a/docs/7.1.x/configuration/session_storage/index.html b/docs/7.1.x/configuration/session_storage/index.html index 1fb87d93..ea193261 100644 --- a/docs/7.1.x/configuration/session_storage/index.html +++ b/docs/7.1.x/configuration/session_storage/index.html @@ -5,7 +5,7 @@ Session Storage | OAuth2 Proxy - + @@ -26,7 +26,7 @@ disclosure.

Usage--redis-use-sentinel=true flag, as well as configure the flags --redis-sentinel-master-name and --redis-sentinel-connection-urls appropriately.

Redis Cluster is available to be the backend store as well. To leverage it, you will need to set the --redis-use-cluster=true flag, and configure the flags --redis-cluster-connection-urls appropriately.

Note that flags --redis-use-sentinel=true and --redis-use-cluster=true are mutually exclusive.

Copyright © 2022 OAuth2 Proxy.
- + \ No newline at end of file diff --git a/docs/7.1.x/configuration/tls/index.html b/docs/7.1.x/configuration/tls/index.html index 281a1676..9cc7f806 100644 --- a/docs/7.1.x/configuration/tls/index.html +++ b/docs/7.1.x/configuration/tls/index.html @@ -5,7 +5,7 @@ TLS Configuration | OAuth2 Proxy - + @@ -16,7 +16,7 @@ external load balancer like Amazon ELB or Google Platform Load Balancing) use oauth2-proxy will then authenticate requests for an upstream application. The external endpoint for this example would be https://internal.yourcompany.com/.

An example Nginx config follows. Note the use of Strict-Transport-Security header to pin requests to SSL via HSTS:

server {
    listen 443 default ssl;
    server_name internal.yourcompany.com;
    ssl_certificate /path/to/cert.pem;
    ssl_certificate_key /path/to/cert.key;
    add_header Strict-Transport-Security max-age=2592000;

    location / {
        proxy_pass http://127.0.0.1:4180;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Scheme $scheme;
        proxy_connect_timeout 1;
        proxy_send_timeout 30;
        proxy_read_timeout 30;
    }
}

The command line to run oauth2-proxy in this configuration would look like this:

./oauth2-proxy \
   --email-domain="yourcompany.com"  \
   --upstream=http://127.0.0.1:8080/ \
   --cookie-secret=... \
   --cookie-secure=true \
   --provider=... \
   --reverse-proxy=true \
   --client-id=... \
   --client-secret=...
Copyright © 2022 OAuth2 Proxy.
- + \ No newline at end of file diff --git a/docs/7.1.x/features/endpoints/index.html b/docs/7.1.x/features/endpoints/index.html index afc85929..0b6149ea 100644 --- a/docs/7.1.x/features/endpoints/index.html +++ b/docs/7.1.x/features/endpoints/index.html @@ -5,13 +5,13 @@ Endpoints | OAuth2 Proxy - +
Version: 7.1.x

Endpoints

OAuth2 Proxy responds directly to the following endpoints. All other endpoints will be proxied upstream when authenticated. The /oauth2 prefix can be changed with the --proxy-prefix config variable.

  • /robots.txt - returns a 200 OK response that disallows all User-agents from all paths; see robotstxt.org for more info
  • /ping - returns a 200 OK response, which is intended for use with health checks
  • /metrics - Metrics endpoint for Prometheus to scrape, serve on the address specified by --metrics-address, disabled by default
  • /oauth2/sign_in - the login page, which also doubles as a sign out page (it clears cookies)
  • /oauth2/sign_out - this URL is used to clear the session cookie
  • /oauth2/start - a URL that will redirect to start the OAuth cycle
  • /oauth2/callback - the URL used at the end of the OAuth cycle. The oauth app will be configured with this as the callback url.
  • /oauth2/userinfo - the URL is used to return user's email from the session in JSON format.
  • /oauth2/auth - only returns a 202 Accepted response or a 401 Unauthorized response; for use with the Nginx auth_request directive

Sign out​

To sign the user out, redirect them to /oauth2/sign_out. This endpoint only removes oauth2-proxy's own cookies, i.e. the user is still logged in with the authentication provider and may automatically re-login when accessing the application again. You will also need to redirect the user to the authentication provider's sign out page afterwards using the rd query parameter, i.e. redirect the user to something like (notice the url-encoding!):

/oauth2/sign_out?rd=https%3A%2F%2Fmy-oidc-provider.example.com%2Fsign_out_page

Alternatively, include the redirect URL in the X-Auth-Request-Redirect header:

GET /oauth2/sign_out HTTP/1.1
X-Auth-Request-Redirect: https://my-oidc-provider/sign_out_page
...

(The "sign_out_page" should be the end_session_endpoint from the metadata if your OIDC provider supports Session Management and Discovery.)

BEWARE that the domain you want to redirect to (my-oidc-provider.example.com in the example) must be added to the --whitelist-domain configuration option otherwise the redirect will be ignored.

Copyright © 2022 OAuth2 Proxy.
- + \ No newline at end of file diff --git a/docs/7.1.x/index.html b/docs/7.1.x/index.html index 6481cfe7..23bfe90d 100644 --- a/docs/7.1.x/index.html +++ b/docs/7.1.x/index.html @@ -5,13 +5,13 @@ Installation | OAuth2 Proxy - +
Version: 7.1.x

Installation

  1. Choose how to deploy:

    a. Download Prebuilt Binary (current release is v7.1.3)

    b. Build with $ go get github.com/oauth2-proxy/oauth2-proxy/v7 which will put the binary in $GOPATH/bin

    c. Using the prebuilt docker image quay.io/oauth2-proxy/oauth2-proxy (AMD64, ARMv6 and ARM64 tags available)

    d. Using a Kubernetes manifest (Helm)

Prebuilt binaries can be validated by extracting the file and verifying it against the sha256sum.txt checksum file provided for each release starting with version v3.0.0.

$ sha256sum -c sha256sum.txt 2>&1 | grep OK
oauth2-proxy-x.y.z.linux-amd64: OK
  1. Select a Provider and Register an OAuth Application with a Provider
  2. Configure OAuth2 Proxy using config file, command line options, or environment variables
  3. Configure SSL or Deploy behind a SSL endpoint (example provided for Nginx)
Copyright © 2022 OAuth2 Proxy.
- + \ No newline at end of file diff --git a/docs/7.2.x/behaviour/index.html b/docs/7.2.x/behaviour/index.html index ac51f808..e8bcf185 100644 --- a/docs/7.2.x/behaviour/index.html +++ b/docs/7.2.x/behaviour/index.html @@ -5,13 +5,13 @@ Behaviour | OAuth2 Proxy - +
Version: 7.2.x

Behaviour

  1. Any request passing through the proxy (and not matched by --skip-auth-regex) is checked for the proxy's session cookie (--cookie-name) (or, if allowed, a JWT token - see --skip-jwt-bearer-tokens).
  2. If authentication is required but missing then the user is asked to log in and redirected to the authentication provider (unless it is an Ajax request, i.e. one with Accept: application/json, in which case 401 Unauthorized is returned)
  3. After returning from the authentication provider, the oauth tokens are stored in the configured session store (cookie, redis, ...) and a cookie is set
  4. The request is forwarded to the upstream server with added user info and authentication headers (depending on the configuration)

Notice that the proxy also provides a number of useful endpoints.

Copyright © 2022 OAuth2 Proxy.
- + \ No newline at end of file diff --git a/docs/7.2.x/community/security/index.html b/docs/7.2.x/community/security/index.html index baef61a0..1bfcfc9c 100644 --- a/docs/7.2.x/community/security/index.html +++ b/docs/7.2.x/community/security/index.html @@ -5,7 +5,7 @@ Security | OAuth2 Proxy - + @@ -29,7 +29,7 @@ If we have multiple security issues in flight simultaneously, we may delay merging fixes until all patches are ready. We may also backport the fix to previous releases, but this will be at the discretion of the maintainers.

Copyright © 2022 OAuth2 Proxy.
- + \ No newline at end of file diff --git a/docs/7.2.x/configuration/alpha-config/index.html b/docs/7.2.x/configuration/alpha-config/index.html index 025aab90..57f7532b 100644 --- a/docs/7.2.x/configuration/alpha-config/index.html +++ b/docs/7.2.x/configuration/alpha-config/index.html @@ -5,7 +5,7 @@ Alpha Configuration | OAuth2 Proxy - + @@ -35,7 +35,7 @@ response header.

FieldTypeDescription make up the header value

FieldTypeDescription
value[]byteValue expects a base64 encoded string value.
fromEnvstringFromEnv expects the name of an environment variable.
fromFilestringFromFile expects a path to a file containing the secret value.
claimstringClaim is the name of the claim in the session that the value should be
loaded from.
prefixstringPrefix is an optional prefix that will be prepended to the value of the
claim if it is non-empty.
basicAuthPasswordSecretSourceBasicAuthPassword converts this claim into a basic auth header.
Note the value of claim will become the basic auth username and the
basicAuthPassword will be used as the password value.

KeycloakOptions​

(Appears on: Provider)

FieldTypeDescription
groups[]stringGroup enables to restrict login to members of indicated group
roles[]stringRole enables to restrict login to users with role (only available when using the keycloak-oidc provider)

LoginGovOptions​

(Appears on: Provider)

FieldTypeDescription
jwtKeystringJWTKey is a private key in PEM format used to sign JWT,
jwtKeyFilestringJWTKeyFile is a path to the private key file in PEM format used to sign the JWT
pubjwkURLstringPubJWKURL is the JWK pubkey access endpoint

OIDCOptions​

(Appears on: Provider)

FieldTypeDescription
issuerURLstringIssuerURL is the OpenID Connect issuer URL
eg: https://accounts.google.com
insecureAllowUnverifiedEmailboolInsecureAllowUnverifiedEmail prevents failures if an email address in an id_token is not verified
default set to 'false'
insecureSkipIssuerVerificationboolInsecureSkipIssuerVerification skips verification of ID token issuers. When false, ID Token Issuers must match the OIDC discovery URL
default set to 'false'
insecureSkipNonceboolInsecureSkipNonce skips verifying the ID Token's nonce claim that must match
the random nonce sent in the initial OAuth flow. Otherwise, the nonce is checked
after the initial OAuth redeem & subsequent token refreshes.
default set to 'true'
Warning: In a future release, this will change to 'false' by default for enhanced security.
skipDiscoveryboolSkipDiscovery allows to skip OIDC discovery and use manually supplied Endpoints
default set to 'false'
jwksURLstringJwksURL is the OpenID Connect JWKS URL
eg: https://www.googleapis.com/oauth2/v3/certs
emailClaimstringEmailClaim indicates which claim contains the user email,
default set to 'email'
groupsClaimstringGroupsClaim indicates which claim contains the user groups
default set to 'groups'
userIDClaimstringUserIDClaim indicates which claim contains the user ID
default set to 'email'

Provider​

(Appears on: Providers)

Provider holds all configuration for a single provider

FieldTypeDescription
clientIDstringClientID is the OAuth Client ID that is defined in the provider
This value is required for all providers.
clientSecretstringClientSecret is the OAuth Client Secret that is defined in the provider
This value is required for all providers.
clientSecretFilestringClientSecretFile is the name of the file
containing the OAuth Client Secret, it will be used if ClientSecret is not set.
keycloakConfigKeycloakOptionsKeycloakConfig holds all configurations for Keycloak provider.
azureConfigAzureOptionsAzureConfig holds all configurations for Azure provider.
ADFSConfigADFSOptionsADFSConfig holds all configurations for ADFS provider.
bitbucketConfigBitbucketOptionsBitbucketConfig holds all configurations for Bitbucket provider.
githubConfigGitHubOptionsGitHubConfig holds all configurations for GitHubC provider.
gitlabConfigGitLabOptionsGitLabConfig holds all configurations for GitLab provider.
googleConfigGoogleOptionsGoogleConfig holds all configurations for Google provider.
oidcConfigOIDCOptionsOIDCConfig holds all configurations for OIDC provider
or providers utilize OIDC configurations.
loginGovConfigLoginGovOptionsLoginGovConfig holds all configurations for LoginGov provider.
idstringID should be a unique identifier for the provider.
This value is required for all providers.
providerstringType is the OAuth provider
must be set from the supported providers group,
otherwise 'Google' is set as default
namestringName is the providers display name
if set, it will be shown to the users in the login page.
caFiles[]stringCAFiles is a list of paths to CA certificates that should be used when connecting to the provider.
If not specified, the default Go trust sources are used instead
loginURLstringLoginURL is the authentication endpoint
redeemURLstringRedeemURL is the token redemption endpoint
profileURLstringProfileURL is the profile access endpoint
resourcestringProtectedResource is the resource that is protected (Azure AD and ADFS only)
validateURLstringValidateURL is the access token validation endpoint
scopestringScope is the OAuth scope specification
promptstringPrompt is OIDC prompt
approvalPromptstringApprovalPrompt is the OAuth approval_prompt
default is set to 'force'
allowedGroups[]stringAllowedGroups is a list of restrict logins to members of this group
acrValuesstringAcrValues is a string of acr values

Providers​

([]Provider alias)​

(Appears on: AlphaOptions)

Providers is a collection of definitions for providers.

SecretSource​

(Appears on: ClaimSource, HeaderValue, TLS)

SecretSource references an individual secret value. Only one source within the struct should be defined at any time.

FieldTypeDescription
value[]byteValue expects a base64 encoded string value.
fromEnvstringFromEnv expects the name of an environment variable.
fromFilestringFromFile expects a path to a file containing the secret value.

Server​

(Appears on: AlphaOptions)

Server represents the configuration for an HTTP(S) server

FieldTypeDescription
BindAddressstringBindAddress is the address on which to serve traffic.
Leave blank or set to "-" to disable.
SecureBindAddressstringSecureBindAddress is the address on which to serve secure traffic.
Leave blank or set to "-" to disable.
TLSTLSTLS contains the information for loading the certificate and key for the
secure traffic.

TLS​

(Appears on: Server)

TLS contains the information for loading a TLS certifcate and key.

FieldTypeDescription
KeySecretSourceKey is the TLS key data to use.
Typically this will come from a file.
CertSecretSourceCert is the TLS certificate data to use.
Typically this will come from a file.

Upstream​

(Appears on: UpstreamConfig)

Upstream represents the configuration for an upstream server. Requests will be proxied to this upstream if the path matches the request path.

FieldTypeDescription
idstringID should be a unique identifier for the upstream.
This value is required for all upstreams.
pathstringPath is used to map requests to the upstream server.
The closest match will take precedence and all Paths must be unique.
Path can also take a pattern when used with RewriteTarget.
Path segments can be captured and matched using regular experessions.
Eg:
- ^/foo$: Match only the explicit path /foo
- ^/bar/$: Match any path prefixed with /bar/
- ^/baz/(.*)$: Match any path prefixed with /baz and capture the remaining path for use with RewriteTarget
rewriteTargetstringRewriteTarget allows users to rewrite the request path before it is sent to
the upstream server.
Use the Path to capture segments for reuse within the rewrite target.
Eg: With a Path of ^/baz/(.*), a RewriteTarget of /foo/$1 would rewrite
the request /baz/abc/123 to /foo/abc/123 before proxying to the
upstream server.
uristringThe URI of the upstream server. This may be an HTTP(S) server of a File
based URL. It may include a path, in which case all requests will be served
under that path.
Eg:
- http://localhost:8080
- https://service.localhost
- https://service.localhost/path
- file://host/path
If the URI's path is "/base" and the incoming request was for "/dir",
the upstream request will be for "/base/dir".
insecureSkipTLSVerifyboolInsecureSkipTLSVerify will skip TLS verification of upstream HTTPS hosts.
This option is insecure and will allow potential Man-In-The-Middle attacks
betweem OAuth2 Proxy and the usptream server.
Defaults to false.
staticboolStatic will make all requests to this upstream have a static response.
The response will have a body of "Authenticated" and a response code
matching StaticCode.
If StaticCode is not set, the response will return a 200 response.
staticCodeintStaticCode determines the response code for the Static response.
This option can only be used with Static enabled.
flushIntervalDurationFlushInterval is the period between flushing the response buffer when
streaming response from the upstream.
Defaults to 1 second.
passHostHeaderboolPassHostHeader determines whether the request host header should be proxied
to the upstream server.
Defaults to true.
proxyWebSocketsboolProxyWebSockets enables proxying of websockets to upstream servers
Defaults to true.

UpstreamConfig​

(Appears on: AlphaOptions)

UpstreamConfig is a collection of definitions for upstream servers.

FieldTypeDescription
proxyRawPathboolProxyRawPath will pass the raw url path to upstream allowing for url's
like: "/%2F/" which would otherwise be redirected to "/"
upstreams[]UpstreamUpstreams represents the configuration for the upstream servers.
Requests will be proxied to this upstream if the path matches the request path.
Copyright © 2022 OAuth2 Proxy.
- + \ No newline at end of file diff --git a/docs/7.2.x/configuration/oauth_provider/index.html b/docs/7.2.x/configuration/oauth_provider/index.html index 77936687..b1f924c0 100644 --- a/docs/7.2.x/configuration/oauth_provider/index.html +++ b/docs/7.2.x/configuration/oauth_provider/index.html @@ -5,7 +5,7 @@ OAuth Provider Configuration | OAuth2 Proxy - + @@ -50,7 +50,7 @@ to setup the client id and client secret. Your "Redirection URI" will Provider instance. Add a new case to providers.New() to allow oauth2-proxy to use the new Provider.

Copyright © 2022 OAuth2 Proxy.
- + \ No newline at end of file diff --git a/docs/7.2.x/configuration/overview/index.html b/docs/7.2.x/configuration/overview/index.html index 920256a6..b5a9136f 100644 --- a/docs/7.2.x/configuration/overview/index.html +++ b/docs/7.2.x/configuration/overview/index.html @@ -5,7 +5,7 @@ Overview | OAuth2 Proxy - + @@ -20,7 +20,7 @@ The default format is configured as follows:

{{.Client}} - {{.RequestID}} - {{.Username}} [{{.Timestamp}}] {{.Host}} {{.RequestMethod}} {{.Upstream}} {{.RequestURI}} {{.Protocol}} {{.UserAgent}} {{.StatusCode}} {{.ResponseSize}} {{.RequestDuration}}

Available variables for request logging:

VariableExampleDescription
Client74.125.224.72The client/remote IP address. Will use the X-Real-IP header it if exists & reverse-proxy is set to true.
Hostdomain.comThe value of the Host header.
ProtocolHTTP/1.0The request protocol.
RequestDuration0.001The time in seconds that a request took to process.
RequestID00010203-0405-4607-8809-0a0b0c0d0e0fThe request ID pulled from the --request-id-header. Random UUID if empty
RequestMethodGETThe request method.
RequestURI"/oauth2/auth"The URI path of the request.
ResponseSize12The size in bytes of the response.
StatusCode200The HTTP status code of the response.
Timestamp19/Mar/2015:17:20:19 -0400The date and time of the logging event.
Upstream-The upstream data of the HTTP request.
UserAgent-The full user agent as reported by the requesting client.
Usernameusername@email.comThe email or username of the auth request.

Standard Log Format​

All other logging that is not covered by the above two types of logging will be output in this standard logging format. This includes configuration information at startup and errors that occur outside of a session. The default format is below:

[19/Mar/2015:17:20:19 -0400] [main.go:40] <MESSAGE>

If you require a different format than that, you can configure it with the --standard-logging-format flag. The default format is configured as follows:

[{{.Timestamp}}] [{{.File}}] {{.Message}}

Available variables for standard logging:

VariableExampleDescription
Timestamp19/Mar/2015:17:20:19 -0400The date and time of the logging event.
Filemain.go:40The file and line number of the logging statement.
MessageHTTP: listening on 127.0.0.1:4180The details of the log statement.

Configuring for use with the Nginx auth_request directive​

The Nginx auth_request directive allows Nginx to authenticate requests via the oauth2-proxy's /auth endpoint, which only returns a 202 Accepted response or a 401 Unauthorized response without proxying the request through. For example:

server {
  listen 443 ssl;
  server_name ...;
  include ssl/ssl.conf;

  location /oauth2/ {
    proxy_pass       http://127.0.0.1:4180;
    proxy_set_header Host                    $host;
    proxy_set_header X-Real-IP               $remote_addr;
    proxy_set_header X-Scheme                $scheme;
    proxy_set_header X-Auth-Request-Redirect $request_uri;
    # or, if you are handling multiple domains:
    # proxy_set_header X-Auth-Request-Redirect $scheme://$host$request_uri;
  }
  location = /oauth2/auth {
    proxy_pass       http://127.0.0.1:4180;
    proxy_set_header Host             $host;
    proxy_set_header X-Real-IP        $remote_addr;
    proxy_set_header X-Scheme         $scheme;
    # nginx auth_request includes headers but not body
    proxy_set_header Content-Length   "";
    proxy_pass_request_body           off;
  }

  location / {
    auth_request /oauth2/auth;
    error_page 401 = /oauth2/sign_in;

    # pass information via X-User and X-Email headers to backend,
    # requires running with --set-xauthrequest flag
    auth_request_set $user   $upstream_http_x_auth_request_user;
    auth_request_set $email  $upstream_http_x_auth_request_email;
    proxy_set_header X-User  $user;
    proxy_set_header X-Email $email;

    # if you enabled --pass-access-token, this will pass the token to the backend
    auth_request_set $token  $upstream_http_x_auth_request_access_token;
    proxy_set_header X-Access-Token $token;

    # if you enabled --cookie-refresh, this is needed for it to work with auth_request
    auth_request_set $auth_cookie $upstream_http_set_cookie;
    add_header Set-Cookie $auth_cookie;

    # When using the --set-authorization-header flag, some provider's cookies can exceed the 4kb
    # limit and so the OAuth2 Proxy splits these into multiple parts.
    # Nginx normally only copies the first `Set-Cookie` header from the auth_request to the response,
    # so if your cookies are larger than 4kb, you will need to extract additional cookies manually.
    auth_request_set $auth_cookie_name_upstream_1 $upstream_cookie_auth_cookie_name_1;

    # Extract the Cookie attributes from the first Set-Cookie header and append them
    # to the second part ($upstream_cookie_* variables only contain the raw cookie content)
    if ($auth_cookie ~* "(; .*)") {
        set $auth_cookie_name_0 $auth_cookie;
        set $auth_cookie_name_1 "auth_cookie_name_1=$auth_cookie_name_upstream_1$1";
    }

    # Send both Set-Cookie headers now if there was a second part
    if ($auth_cookie_name_upstream_1) {
        add_header Set-Cookie $auth_cookie_name_0;
        add_header Set-Cookie $auth_cookie_name_1;
    }

    proxy_pass http://backend/;
    # or "root /path/to/site;" or "fastcgi_pass ..." etc
  }
}

When you use ingress-nginx in Kubernetes, you MUST use kubernetes/ingress-nginx (which includes the Lua module) and the following configuration snippet for your Ingress. Variables set with auth_request_set are not set-able in plain nginx config when the location is processed via proxy_pass and then may only be processed by Lua. Note that nginxinc/kubernetes-ingress does not include the Lua module.

nginx.ingress.kubernetes.io/auth-response-headers: Authorization
nginx.ingress.kubernetes.io/auth-signin: https://$host/oauth2/start?rd=$escaped_request_uri
nginx.ingress.kubernetes.io/auth-url: https://$host/oauth2/auth
nginx.ingress.kubernetes.io/configuration-snippet: |
  auth_request_set $name_upstream_1 $upstream_cookie_name_1;

  access_by_lua_block {
    if ngx.var.name_upstream_1 ~= "" then
      ngx.header["Set-Cookie"] = "name_1=" .. ngx.var.name_upstream_1 .. ngx.var.auth_cookie:match("(; .*)")
    end
  }

It is recommended to use --session-store-type=redis when expecting large sessions/OIDC tokens (e.g. with MS Azure).

You have to substitute name with the actual cookie name you configured via --cookie-name parameter. If you don't set a custom cookie name the variable should be "$upstream_cookie__oauth2_proxy_1" instead of "$upstream_cookie_name_1" and the new cookie-name should be "_oauth2_proxy_1=" instead of "name_1=".

Configuring for use with the Traefik (v2) ForwardAuth middleware​

This option requires --reverse-proxy option to be set.

ForwardAuth with 401 errors middleware​

The Traefik v2 ForwardAuth middleware allows Traefik to authenticate requests via the oauth2-proxy's /oauth2/auth endpoint on every request, which only returns a 202 Accepted response or a 401 Unauthorized response without proxying the whole request through. For example, on Dynamic File (YAML) Configuration:

http:
  routers:
    a-service:
      rule: "Host(`a-service.example.com`)"
      service: a-service-backend
      middlewares:
        - oauth-errors
        - oauth-auth
      tls:
        certResolver: default
        domains:
          - main: "example.com"
            sans:
              - "*.example.com"
    oauth:
      rule: "Host(`a-service.example.com`, `oauth.example.com`) && PathPrefix(`/oauth2/`)"
      middlewares:
        - auth-headers
      service: oauth-backend
      tls:
        certResolver: default
        domains:
          - main: "example.com"
            sans:
              - "*.example.com"

  services:
    a-service-backend:
      loadBalancer:
        servers:
          - url: http://172.16.0.2:7555
    oauth-backend:
      loadBalancer:
        servers:
          - url: http://172.16.0.1:4180

  middlewares:
    auth-headers:
      headers:
        sslRedirect: true
        stsSeconds: 315360000
        browserXssFilter: true
        contentTypeNosniff: true
        forceSTSHeader: true
        sslHost: example.com
        stsIncludeSubdomains: true
        stsPreload: true
        frameDeny: true
    oauth-auth:
      forwardAuth:
        address: https://oauth.example.com/oauth2/auth
        trustForwardHeader: true
    oauth-errors:
      errors:
        status:
          - "401-403"
        service: oauth-backend
        query: "/oauth2/sign_in"

ForwardAuth with static upstreams configuration​

Redirect to sign_in functionality provided without the use of errors middleware with Traefik v2 ForwardAuth middleware pointing to oauth2-proxy service's / endpoint

Following options need to be set on oauth2-proxy:

  • --upstream=static://202: Configures a static response for authenticated sessions
  • --reverse-proxy=true: Enables the use of X-Forwarded-* headers to determine redirects correctly
http:
  routers:
    a-service-route-1:
      rule: "Host(`a-service.example.com`, `b-service.example.com`) && PathPrefix(`/`)"
      service: a-service-backend
      middlewares:
        - oauth-auth-redirect # redirects all unauthenticated to oauth2 signin
      tls:
        certResolver: default
        domains:
          - main: "example.com"
            sans:
              - "*.example.com"
    a-service-route-2:
      rule: "Host(`a-service.example.com`) && PathPrefix(`/no-auto-redirect`)"
      service: a-service-backend
      middlewares:
        - oauth-auth-wo-redirect # unauthenticated session will return a 401
      tls:
        certResolver: default
        domains:
          - main: "example.com"
            sans:
              - "*.example.com"
    services-oauth2-route:
      rule: "Host(`a-service.example.com`, `b-service.example.com`) && PathPrefix(`/oauth2/`)"
      middlewares:
        - auth-headers
      service: oauth-backend
      tls:
        certResolver: default
        domains:
          - main: "example.com"
            sans:
              - "*.example.com"
    oauth2-proxy-route:
      rule: "Host(`oauth.example.com`) && PathPrefix(`/`)"
      middlewares:
        - auth-headers
      service: oauth-backend
      tls:
        certResolver: default
        domains:
          - main: "example.com"
            sans:
              - "*.example.com"

  services:
    a-service-backend:
      loadBalancer:
        servers:
          - url: http://172.16.0.2:7555
    b-service-backend:
      loadBalancer:
        servers:
          - url: http://172.16.0.3:7555
    oauth-backend:
      loadBalancer:
        servers:
          - url: http://172.16.0.1:4180

  middlewares:
    auth-headers:
      headers:
        sslRedirect: true
        stsSeconds: 315360000
        browserXssFilter: true
        contentTypeNosniff: true
        forceSTSHeader: true
        sslHost: example.com
        stsIncludeSubdomains: true
        stsPreload: true
        frameDeny: true
    oauth-auth-redirect:
      forwardAuth:
        address: https://oauth.example.com/
        trustForwardHeader: true
        authResponseHeaders:
          - X-Auth-Request-Access-Token
          - Authorization
    oauth-auth-wo-redirect:
      forwardAuth:
        address: https://oauth.example.com/oauth2/auth
        trustForwardHeader: true
        authResponseHeaders:
          - X-Auth-Request-Access-Token
          - Authorization
note

If you set up your OAuth2 provider to rotate your client secret, you can use the client-secret-file option to reload the secret when it is updated.

Copyright © 2022 OAuth2 Proxy.
- + \ No newline at end of file diff --git a/docs/7.2.x/configuration/session_storage/index.html b/docs/7.2.x/configuration/session_storage/index.html index 99291512..caf67d7c 100644 --- a/docs/7.2.x/configuration/session_storage/index.html +++ b/docs/7.2.x/configuration/session_storage/index.html @@ -5,7 +5,7 @@ Session Storage | OAuth2 Proxy - + @@ -26,7 +26,7 @@ disclosure.

Usage--redis-use-sentinel=true flag, as well as configure the flags --redis-sentinel-master-name and --redis-sentinel-connection-urls appropriately.

Redis Cluster is available to be the backend store as well. To leverage it, you will need to set the --redis-use-cluster=true flag, and configure the flags --redis-cluster-connection-urls appropriately.

Note that flags --redis-use-sentinel=true and --redis-use-cluster=true are mutually exclusive.

Copyright © 2022 OAuth2 Proxy.
- + \ No newline at end of file diff --git a/docs/7.2.x/configuration/tls/index.html b/docs/7.2.x/configuration/tls/index.html index b58712ba..41ba5ce3 100644 --- a/docs/7.2.x/configuration/tls/index.html +++ b/docs/7.2.x/configuration/tls/index.html @@ -5,7 +5,7 @@ TLS Configuration | OAuth2 Proxy - + @@ -16,7 +16,7 @@ external load balancer like Amazon ELB or Google Platform Load Balancing) use oauth2-proxy will then authenticate requests for an upstream application. The external endpoint for this example would be https://internal.yourcompany.com/.

An example Nginx config follows. Note the use of Strict-Transport-Security header to pin requests to SSL via HSTS:

server {
    listen 443 default ssl;
    server_name internal.yourcompany.com;
    ssl_certificate /path/to/cert.pem;
    ssl_certificate_key /path/to/cert.key;
    add_header Strict-Transport-Security max-age=2592000;

    location / {
        proxy_pass http://127.0.0.1:4180;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Scheme $scheme;
        proxy_connect_timeout 1;
        proxy_send_timeout 30;
        proxy_read_timeout 30;
    }
}

The command line to run oauth2-proxy in this configuration would look like this:

./oauth2-proxy \
   --email-domain="yourcompany.com"  \
   --upstream=http://127.0.0.1:8080/ \
   --cookie-secret=... \
   --cookie-secure=true \
   --provider=... \
   --reverse-proxy=true \
   --client-id=... \
   --client-secret=...
Copyright © 2022 OAuth2 Proxy.
- + \ No newline at end of file diff --git a/docs/7.2.x/features/endpoints/index.html b/docs/7.2.x/features/endpoints/index.html index 5866aa4e..f40c4c18 100644 --- a/docs/7.2.x/features/endpoints/index.html +++ b/docs/7.2.x/features/endpoints/index.html @@ -5,13 +5,13 @@ Endpoints | OAuth2 Proxy - +
Version: 7.2.x

Endpoints

OAuth2 Proxy responds directly to the following endpoints. All other endpoints will be proxied upstream when authenticated. The /oauth2 prefix can be changed with the --proxy-prefix config variable.

  • /robots.txt - returns a 200 OK response that disallows all User-agents from all paths; see robotstxt.org for more info
  • /ping - returns a 200 OK response, which is intended for use with health checks
  • /metrics - Metrics endpoint for Prometheus to scrape, serve on the address specified by --metrics-address, disabled by default
  • /oauth2/sign_in - the login page, which also doubles as a sign out page (it clears cookies)
  • /oauth2/sign_out - this URL is used to clear the session cookie
  • /oauth2/start - a URL that will redirect to start the OAuth cycle
  • /oauth2/callback - the URL used at the end of the OAuth cycle. The oauth app will be configured with this as the callback url.
  • /oauth2/userinfo - the URL is used to return user's email from the session in JSON format.
  • /oauth2/auth - only returns a 202 Accepted response or a 401 Unauthorized response; for use with the Nginx auth_request directive

Sign out​

To sign the user out, redirect them to /oauth2/sign_out. This endpoint only removes oauth2-proxy's own cookies, i.e. the user is still logged in with the authentication provider and may automatically re-login when accessing the application again. You will also need to redirect the user to the authentication provider's sign out page afterwards using the rd query parameter, i.e. redirect the user to something like (notice the url-encoding!):

/oauth2/sign_out?rd=https%3A%2F%2Fmy-oidc-provider.example.com%2Fsign_out_page

Alternatively, include the redirect URL in the X-Auth-Request-Redirect header:

GET /oauth2/sign_out HTTP/1.1
X-Auth-Request-Redirect: https://my-oidc-provider/sign_out_page
...

(The "sign_out_page" should be the end_session_endpoint from the metadata if your OIDC provider supports Session Management and Discovery.)

BEWARE that the domain you want to redirect to (my-oidc-provider.example.com in the example) must be added to the --whitelist-domain configuration option otherwise the redirect will be ignored.

Copyright © 2022 OAuth2 Proxy.
- + \ No newline at end of file diff --git a/docs/7.2.x/index.html b/docs/7.2.x/index.html index 493efb2c..4a6ac0bd 100644 --- a/docs/7.2.x/index.html +++ b/docs/7.2.x/index.html @@ -5,13 +5,13 @@ Installation | OAuth2 Proxy - +
Version: 7.2.x

Installation

  1. Choose how to deploy:

    a. Download Prebuilt Binary (current release is v7.2.1)

    b. Build with $ go get github.com/oauth2-proxy/oauth2-proxy/v7 which will put the binary in $GOPATH/bin

    c. Using the prebuilt docker image quay.io/oauth2-proxy/oauth2-proxy (AMD64, ARMv6 and ARM64 tags available)

    d. Using a Kubernetes manifest (Helm)

Prebuilt binaries can be validated by extracting the file and verifying it against the sha256sum.txt checksum file provided for each release starting with version v3.0.0.

$ sha256sum -c sha256sum.txt
oauth2-proxy-x.y.z.linux-amd64: OK
  1. Select a Provider and Register an OAuth Application with a Provider
  2. Configure OAuth2 Proxy using config file, command line options, or environment variables
  3. Configure SSL or Deploy behind a SSL endpoint (example provided for Nginx)
Copyright © 2022 OAuth2 Proxy.
- + \ No newline at end of file diff --git a/docs/behaviour/index.html b/docs/behaviour/index.html index 92a62155..e3576be2 100644 --- a/docs/behaviour/index.html +++ b/docs/behaviour/index.html @@ -5,13 +5,13 @@ Behaviour | OAuth2 Proxy - +
Version: 7.3.x

Behaviour

  1. Any request passing through the proxy (and not matched by --skip-auth-regex) is checked for the proxy's session cookie (--cookie-name) (or, if allowed, a JWT token - see --skip-jwt-bearer-tokens).
  2. If authentication is required but missing then the user is asked to log in and redirected to the authentication provider (unless it is an Ajax request, i.e. one with Accept: application/json, in which case 401 Unauthorized is returned)
  3. After returning from the authentication provider, the oauth tokens are stored in the configured session store (cookie, redis, ...) and a cookie is set
  4. The request is forwarded to the upstream server with added user info and authentication headers (depending on the configuration)

Notice that the proxy also provides a number of useful endpoints.

Copyright © 2022 OAuth2 Proxy.
- + \ No newline at end of file diff --git a/docs/community/security/index.html b/docs/community/security/index.html index 1fc654f4..0b2da48e 100644 --- a/docs/community/security/index.html +++ b/docs/community/security/index.html @@ -5,7 +5,7 @@ Security | OAuth2 Proxy - + @@ -29,7 +29,7 @@ If we have multiple security issues in flight simultaneously, we may delay merging fixes until all patches are ready. We may also backport the fix to previous releases, but this will be at the discretion of the maintainers.

Copyright © 2022 OAuth2 Proxy.
- + \ No newline at end of file diff --git a/docs/configuration/alpha-config/index.html b/docs/configuration/alpha-config/index.html index e1873f36..6b3d1eeb 100644 --- a/docs/configuration/alpha-config/index.html +++ b/docs/configuration/alpha-config/index.html @@ -5,7 +5,7 @@ Alpha Configuration | OAuth2 Proxy - + @@ -63,7 +63,7 @@ passed to the /oauth2/start endpoint are checked to determine wheth they are valid overrides for the given parameter passed to the IdP's login URL. Either Value or Pattern should be supplied, not both.

FieldTypeDescription
valuestringA Value rule matches just this specific value
patternstringA Pattern rule gives a regular expression that must be matched by
some substring of the value. The expression is not automatically
anchored to the start and end of the value, if you want to restrict
the whole parameter value you must anchor it yourself with ^ and $.

Upstream​

(Appears on: UpstreamConfig)

Upstream represents the configuration for an upstream server. Requests will be proxied to this upstream if the path matches the request path.

FieldTypeDescription
idstringID should be a unique identifier for the upstream.
This value is required for all upstreams.
pathstringPath is used to map requests to the upstream server.
The closest match will take precedence and all Paths must be unique.
Path can also take a pattern when used with RewriteTarget.
Path segments can be captured and matched using regular experessions.
Eg:
- ^/foo$: Match only the explicit path /foo
- ^/bar/$: Match any path prefixed with /bar/
- ^/baz/(.*)$: Match any path prefixed with /baz and capture the remaining path for use with RewriteTarget
rewriteTargetstringRewriteTarget allows users to rewrite the request path before it is sent to
the upstream server.
Use the Path to capture segments for reuse within the rewrite target.
Eg: With a Path of ^/baz/(.*), a RewriteTarget of /foo/$1 would rewrite
the request /baz/abc/123 to /foo/abc/123 before proxying to the
upstream server.
uristringThe URI of the upstream server. This may be an HTTP(S) server of a File
based URL. It may include a path, in which case all requests will be served
under that path.
Eg:
- http://localhost:8080
- https://service.localhost
- https://service.localhost/path
- file://host/path
If the URI's path is "/base" and the incoming request was for "/dir",
the upstream request will be for "/base/dir".
insecureSkipTLSVerifyboolInsecureSkipTLSVerify will skip TLS verification of upstream HTTPS hosts.
This option is insecure and will allow potential Man-In-The-Middle attacks
betweem OAuth2 Proxy and the usptream server.
Defaults to false.
staticboolStatic will make all requests to this upstream have a static response.
The response will have a body of "Authenticated" and a response code
matching StaticCode.
If StaticCode is not set, the response will return a 200 response.
staticCodeintStaticCode determines the response code for the Static response.
This option can only be used with Static enabled.
flushIntervalDurationFlushInterval is the period between flushing the response buffer when
streaming response from the upstream.
Defaults to 1 second.
passHostHeaderboolPassHostHeader determines whether the request host header should be proxied
to the upstream server.
Defaults to true.
proxyWebSocketsboolProxyWebSockets enables proxying of websockets to upstream servers
Defaults to true.
timeoutDurationTimeout is the maximum duration the server will wait for a response from the upstream server.
Defaults to 30 seconds.

UpstreamConfig​

(Appears on: AlphaOptions)

UpstreamConfig is a collection of definitions for upstream servers.

FieldTypeDescription
proxyRawPathboolProxyRawPath will pass the raw url path to upstream allowing for url's
like: "/%2F/" which would otherwise be redirected to "/"
upstreams[]UpstreamUpstreams represents the configuration for the upstream servers.
Requests will be proxied to this upstream if the path matches the request path.
Copyright © 2022 OAuth2 Proxy.
- + \ No newline at end of file diff --git a/docs/configuration/oauth_provider/index.html b/docs/configuration/oauth_provider/index.html index 9b96610c..78ddfdc7 100644 --- a/docs/configuration/oauth_provider/index.html +++ b/docs/configuration/oauth_provider/index.html @@ -5,7 +5,7 @@ OAuth Provider Configuration | OAuth2 Proxy - + @@ -50,7 +50,7 @@ to setup the client id and client secret. Your "Redirection URI" will Provider instance. Add a new case to providers.New() to allow oauth2-proxy to use the new Provider.

Copyright © 2022 OAuth2 Proxy.
- + \ No newline at end of file diff --git a/docs/configuration/overview/index.html b/docs/configuration/overview/index.html index 8572548a..cd9e9a21 100644 --- a/docs/configuration/overview/index.html +++ b/docs/configuration/overview/index.html @@ -5,7 +5,7 @@ Overview | OAuth2 Proxy - + @@ -20,7 +20,7 @@ The default format is configured as follows:

{{.Client}} - {{.RequestID}} - {{.Username}} [{{.Timestamp}}] {{.Host}} {{.RequestMethod}} {{.Upstream}} {{.RequestURI}} {{.Protocol}} {{.UserAgent}} {{.StatusCode}} {{.ResponseSize}} {{.RequestDuration}}

Available variables for request logging:

VariableExampleDescription
Client74.125.224.72The client/remote IP address. Will use the X-Real-IP header it if exists & reverse-proxy is set to true.
Hostdomain.comThe value of the Host header.
ProtocolHTTP/1.0The request protocol.
RequestDuration0.001The time in seconds that a request took to process.
RequestID00010203-0405-4607-8809-0a0b0c0d0e0fThe request ID pulled from the --request-id-header. Random UUID if empty
RequestMethodGETThe request method.
RequestURI"/oauth2/auth"The URI path of the request.
ResponseSize12The size in bytes of the response.
StatusCode200The HTTP status code of the response.
Timestamp19/Mar/2015:17:20:19 -0400The date and time of the logging event.
Upstream-The upstream data of the HTTP request.
UserAgent-The full user agent as reported by the requesting client.
Usernameusername@email.comThe email or username of the auth request.

Standard Log Format​

All other logging that is not covered by the above two types of logging will be output in this standard logging format. This includes configuration information at startup and errors that occur outside of a session. The default format is below:

[19/Mar/2015:17:20:19 -0400] [main.go:40] <MESSAGE>

If you require a different format than that, you can configure it with the --standard-logging-format flag. The default format is configured as follows:

[{{.Timestamp}}] [{{.File}}] {{.Message}}

Available variables for standard logging:

VariableExampleDescription
Timestamp19/Mar/2015:17:20:19 -0400The date and time of the logging event.
Filemain.go:40The file and line number of the logging statement.
MessageHTTP: listening on 127.0.0.1:4180The details of the log statement.

Configuring for use with the Nginx auth_request directive​

The Nginx auth_request directive allows Nginx to authenticate requests via the oauth2-proxy's /auth endpoint, which only returns a 202 Accepted response or a 401 Unauthorized response without proxying the request through. For example:

server {
  listen 443 ssl;
  server_name ...;
  include ssl/ssl.conf;

  location /oauth2/ {
    proxy_pass       http://127.0.0.1:4180;
    proxy_set_header Host                    $host;
    proxy_set_header X-Real-IP               $remote_addr;
    proxy_set_header X-Scheme                $scheme;
    proxy_set_header X-Auth-Request-Redirect $request_uri;
    # or, if you are handling multiple domains:
    # proxy_set_header X-Auth-Request-Redirect $scheme://$host$request_uri;
  }
  location = /oauth2/auth {
    proxy_pass       http://127.0.0.1:4180;
    proxy_set_header Host             $host;
    proxy_set_header X-Real-IP        $remote_addr;
    proxy_set_header X-Scheme         $scheme;
    # nginx auth_request includes headers but not body
    proxy_set_header Content-Length   "";
    proxy_pass_request_body           off;
  }

  location / {
    auth_request /oauth2/auth;
    error_page 401 = /oauth2/sign_in;

    # pass information via X-User and X-Email headers to backend,
    # requires running with --set-xauthrequest flag
    auth_request_set $user   $upstream_http_x_auth_request_user;
    auth_request_set $email  $upstream_http_x_auth_request_email;
    proxy_set_header X-User  $user;
    proxy_set_header X-Email $email;

    # if you enabled --pass-access-token, this will pass the token to the backend
    auth_request_set $token  $upstream_http_x_auth_request_access_token;
    proxy_set_header X-Access-Token $token;

    # if you enabled --cookie-refresh, this is needed for it to work with auth_request
    auth_request_set $auth_cookie $upstream_http_set_cookie;
    add_header Set-Cookie $auth_cookie;

    # When using the --set-authorization-header flag, some provider's cookies can exceed the 4kb
    # limit and so the OAuth2 Proxy splits these into multiple parts.
    # Nginx normally only copies the first `Set-Cookie` header from the auth_request to the response,
    # so if your cookies are larger than 4kb, you will need to extract additional cookies manually.
    auth_request_set $auth_cookie_name_upstream_1 $upstream_cookie_auth_cookie_name_1;

    # Extract the Cookie attributes from the first Set-Cookie header and append them
    # to the second part ($upstream_cookie_* variables only contain the raw cookie content)
    if ($auth_cookie ~* "(; .*)") {
        set $auth_cookie_name_0 $auth_cookie;
        set $auth_cookie_name_1 "auth_cookie_name_1=$auth_cookie_name_upstream_1$1";
    }

    # Send both Set-Cookie headers now if there was a second part
    if ($auth_cookie_name_upstream_1) {
        add_header Set-Cookie $auth_cookie_name_0;
        add_header Set-Cookie $auth_cookie_name_1;
    }

    proxy_pass http://backend/;
    # or "root /path/to/site;" or "fastcgi_pass ..." etc
  }
}

When you use ingress-nginx in Kubernetes, you MUST use kubernetes/ingress-nginx (which includes the Lua module) and the following configuration snippet for your Ingress. Variables set with auth_request_set are not set-able in plain nginx config when the location is processed via proxy_pass and then may only be processed by Lua. Note that nginxinc/kubernetes-ingress does not include the Lua module.

nginx.ingress.kubernetes.io/auth-response-headers: Authorization
nginx.ingress.kubernetes.io/auth-signin: https://$host/oauth2/start?rd=$escaped_request_uri
nginx.ingress.kubernetes.io/auth-url: https://$host/oauth2/auth
nginx.ingress.kubernetes.io/configuration-snippet: |
  auth_request_set $name_upstream_1 $upstream_cookie_name_1;

  access_by_lua_block {
    if ngx.var.name_upstream_1 ~= "" then
      ngx.header["Set-Cookie"] = "name_1=" .. ngx.var.name_upstream_1 .. ngx.var.auth_cookie:match("(; .*)")
    end
  }

It is recommended to use --session-store-type=redis when expecting large sessions/OIDC tokens (e.g. with MS Azure).

You have to substitute name with the actual cookie name you configured via --cookie-name parameter. If you don't set a custom cookie name the variable should be "$upstream_cookie__oauth2_proxy_1" instead of "$upstream_cookie_name_1" and the new cookie-name should be "_oauth2_proxy_1=" instead of "name_1=".

Configuring for use with the Traefik (v2) ForwardAuth middleware​

This option requires --reverse-proxy option to be set.

ForwardAuth with 401 errors middleware​

The Traefik v2 ForwardAuth middleware allows Traefik to authenticate requests via the oauth2-proxy's /oauth2/auth endpoint on every request, which only returns a 202 Accepted response or a 401 Unauthorized response without proxying the whole request through. For example, on Dynamic File (YAML) Configuration:

http:
  routers:
    a-service:
      rule: "Host(`a-service.example.com`)"
      service: a-service-backend
      middlewares:
        - oauth-errors
        - oauth-auth
      tls:
        certResolver: default
        domains:
          - main: "example.com"
            sans:
              - "*.example.com"
    oauth:
      rule: "Host(`a-service.example.com`, `oauth.example.com`) && PathPrefix(`/oauth2/`)"
      middlewares:
        - auth-headers
      service: oauth-backend
      tls:
        certResolver: default
        domains:
          - main: "example.com"
            sans:
              - "*.example.com"

  services:
    a-service-backend:
      loadBalancer:
        servers:
          - url: http://172.16.0.2:7555
    oauth-backend:
      loadBalancer:
        servers:
          - url: http://172.16.0.1:4180

  middlewares:
    auth-headers:
      headers:
        sslRedirect: true
        stsSeconds: 315360000
        browserXssFilter: true
        contentTypeNosniff: true
        forceSTSHeader: true
        sslHost: example.com
        stsIncludeSubdomains: true
        stsPreload: true
        frameDeny: true
    oauth-auth:
      forwardAuth:
        address: https://oauth.example.com/oauth2/auth
        trustForwardHeader: true
    oauth-errors:
      errors:
        status:
          - "401-403"
        service: oauth-backend
        query: "/oauth2/sign_in"

ForwardAuth with static upstreams configuration​

Redirect to sign_in functionality provided without the use of errors middleware with Traefik v2 ForwardAuth middleware pointing to oauth2-proxy service's / endpoint

Following options need to be set on oauth2-proxy:

  • --upstream=static://202: Configures a static response for authenticated sessions
  • --reverse-proxy=true: Enables the use of X-Forwarded-* headers to determine redirects correctly
http:
  routers:
    a-service-route-1:
      rule: "Host(`a-service.example.com`, `b-service.example.com`) && PathPrefix(`/`)"
      service: a-service-backend
      middlewares:
        - oauth-auth-redirect # redirects all unauthenticated to oauth2 signin
      tls:
        certResolver: default
        domains:
          - main: "example.com"
            sans:
              - "*.example.com"
    a-service-route-2:
      rule: "Host(`a-service.example.com`) && PathPrefix(`/no-auto-redirect`)"
      service: a-service-backend
      middlewares:
        - oauth-auth-wo-redirect # unauthenticated session will return a 401
      tls:
        certResolver: default
        domains:
          - main: "example.com"
            sans:
              - "*.example.com"
    services-oauth2-route:
      rule: "Host(`a-service.example.com`, `b-service.example.com`) && PathPrefix(`/oauth2/`)"
      middlewares:
        - auth-headers
      service: oauth-backend
      tls:
        certResolver: default
        domains:
          - main: "example.com"
            sans:
              - "*.example.com"
    oauth2-proxy-route:
      rule: "Host(`oauth.example.com`) && PathPrefix(`/`)"
      middlewares:
        - auth-headers
      service: oauth-backend
      tls:
        certResolver: default
        domains:
          - main: "example.com"
            sans:
              - "*.example.com"

  services:
    a-service-backend:
      loadBalancer:
        servers:
          - url: http://172.16.0.2:7555
    b-service-backend:
      loadBalancer:
        servers:
          - url: http://172.16.0.3:7555
    oauth-backend:
      loadBalancer:
        servers:
          - url: http://172.16.0.1:4180

  middlewares:
    auth-headers:
      headers:
        sslRedirect: true
        stsSeconds: 315360000
        browserXssFilter: true
        contentTypeNosniff: true
        forceSTSHeader: true
        sslHost: example.com
        stsIncludeSubdomains: true
        stsPreload: true
        frameDeny: true
    oauth-auth-redirect:
      forwardAuth:
        address: https://oauth.example.com/
        trustForwardHeader: true
        authResponseHeaders:
          - X-Auth-Request-Access-Token
          - Authorization
    oauth-auth-wo-redirect:
      forwardAuth:
        address: https://oauth.example.com/oauth2/auth
        trustForwardHeader: true
        authResponseHeaders:
          - X-Auth-Request-Access-Token
          - Authorization
note

If you set up your OAuth2 provider to rotate your client secret, you can use the client-secret-file option to reload the secret when it is updated.

Copyright © 2022 OAuth2 Proxy.
- + \ No newline at end of file diff --git a/docs/configuration/session_storage/index.html b/docs/configuration/session_storage/index.html index f54c1058..c40b3d2c 100644 --- a/docs/configuration/session_storage/index.html +++ b/docs/configuration/session_storage/index.html @@ -5,7 +5,7 @@ Session Storage | OAuth2 Proxy - + @@ -26,7 +26,7 @@ disclosure.

Usage--redis-use-sentinel=true flag, as well as configure the flags --redis-sentinel-master-name and --redis-sentinel-connection-urls appropriately.

Redis Cluster is available to be the backend store as well. To leverage it, you will need to set the --redis-use-cluster=true flag, and configure the flags --redis-cluster-connection-urls appropriately.

Note that flags --redis-use-sentinel=true and --redis-use-cluster=true are mutually exclusive.

Copyright © 2022 OAuth2 Proxy.
- + \ No newline at end of file diff --git a/docs/configuration/tls/index.html b/docs/configuration/tls/index.html index f5d63df3..25dfecb3 100644 --- a/docs/configuration/tls/index.html +++ b/docs/configuration/tls/index.html @@ -5,7 +5,7 @@ TLS Configuration | OAuth2 Proxy - + @@ -19,7 +19,7 @@ external load balancer like Amazon ELB or Google Platform Load Balancing) use oauth2-proxy will then authenticate requests for an upstream application. The external endpoint for this example would be https://internal.yourcompany.com/.

An example Nginx config follows. Note the use of Strict-Transport-Security header to pin requests to SSL via HSTS:

server {
    listen 443 default ssl;
    server_name internal.yourcompany.com;
    ssl_certificate /path/to/cert.pem;
    ssl_certificate_key /path/to/cert.key;
    add_header Strict-Transport-Security max-age=2592000;

    location / {
        proxy_pass http://127.0.0.1:4180;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Scheme $scheme;
        proxy_connect_timeout 1;
        proxy_send_timeout 30;
        proxy_read_timeout 30;
    }
}

  • The command line to run oauth2-proxy in this configuration would look like this:

    ./oauth2-proxy \
       --email-domain="yourcompany.com"  \
       --upstream=http://127.0.0.1:8080/ \
       --cookie-secret=... \
       --cookie-secure=true \
       --provider=... \
       --reverse-proxy=true \
       --client-id=... \
       --client-secret=...
    • Copyright © 2022 OAuth2 Proxy.
    - + \ No newline at end of file diff --git a/docs/features/endpoints/index.html b/docs/features/endpoints/index.html index 6afda345..30933f91 100644 --- a/docs/features/endpoints/index.html +++ b/docs/features/endpoints/index.html @@ -5,13 +5,13 @@ Endpoints | OAuth2 Proxy - +
    Version: 7.3.x

    Endpoints

    OAuth2 Proxy responds directly to the following endpoints. All other endpoints will be proxied upstream when authenticated. The /oauth2 prefix can be changed with the --proxy-prefix config variable.

    • /robots.txt - returns a 200 OK response that disallows all User-agents from all paths; see robotstxt.org for more info
    • /ping - returns a 200 OK response, which is intended for use with health checks
    • /metrics - Metrics endpoint for Prometheus to scrape, serve on the address specified by --metrics-address, disabled by default
    • /oauth2/sign_in - the login page, which also doubles as a sign out page (it clears cookies)
    • /oauth2/sign_out - this URL is used to clear the session cookie
    • /oauth2/start - a URL that will redirect to start the OAuth cycle
    • /oauth2/callback - the URL used at the end of the OAuth cycle. The oauth app will be configured with this as the callback url.
    • /oauth2/userinfo - the URL is used to return user's email from the session in JSON format.
    • /oauth2/auth - only returns a 202 Accepted response or a 401 Unauthorized response; for use with the Nginx auth_request directive

    Sign out​

    To sign the user out, redirect them to /oauth2/sign_out. This endpoint only removes oauth2-proxy's own cookies, i.e. the user is still logged in with the authentication provider and may automatically re-login when accessing the application again. You will also need to redirect the user to the authentication provider's sign out page afterwards using the rd query parameter, i.e. redirect the user to something like (notice the url-encoding!):

    /oauth2/sign_out?rd=https%3A%2F%2Fmy-oidc-provider.example.com%2Fsign_out_page

    Alternatively, include the redirect URL in the X-Auth-Request-Redirect header:

    GET /oauth2/sign_out HTTP/1.1
    X-Auth-Request-Redirect: https://my-oidc-provider/sign_out_page
    ...

    (The "sign_out_page" should be the end_session_endpoint from the metadata if your OIDC provider supports Session Management and Discovery.)

    BEWARE that the domain you want to redirect to (my-oidc-provider.example.com in the example) must be added to the --whitelist-domain configuration option otherwise the redirect will be ignored.

    Auth​

    This endpoint returns 202 Accepted response or a 401 Unauthorized response.

    It can be configured using the following query parameters query parameters:

    • allowed_groups: comma separated list of allowed groups
    • allowed_email_domains: comma separated list of allowed email domains
    • allowed_emails: comma separated list of allowed emails
    Copyright © 2022 OAuth2 Proxy.
    - + \ No newline at end of file diff --git a/docs/index.html b/docs/index.html index 69cced2f..8e207369 100644 --- a/docs/index.html +++ b/docs/index.html @@ -5,13 +5,13 @@ Installation | OAuth2 Proxy - +
    Version: 7.3.x

    Installation

    1. Choose how to deploy:

      a. Download Prebuilt Binary (current release is v7.3.0)

      b. Build with $ go get github.com/oauth2-proxy/oauth2-proxy/v7 which will put the binary in $GOPATH/bin

      c. Using the prebuilt docker image quay.io/oauth2-proxy/oauth2-proxy (AMD64, ARMv6 and ARM64 tags available)

      d. Using a Kubernetes manifest (Helm)

    Prebuilt binaries can be validated by extracting the file and verifying it against the sha256sum.txt checksum file provided for each release starting with version v3.0.0.

    $ sha256sum -c sha256sum.txt
    oauth2-proxy-x.y.z.linux-amd64: OK
    1. Select a Provider and Register an OAuth Application with a Provider
    2. Configure OAuth2 Proxy using config file, command line options, or environment variables
    3. Configure SSL or Deploy behind a SSL endpoint (example provided for Nginx)
    Copyright © 2022 OAuth2 Proxy.
    - + \ No newline at end of file diff --git a/docs/next/behaviour/index.html b/docs/next/behaviour/index.html index d3701ec7..33b4fe14 100644 --- a/docs/next/behaviour/index.html +++ b/docs/next/behaviour/index.html @@ -5,13 +5,13 @@ Behaviour | OAuth2 Proxy - +
    Version: Next

    Behaviour

    1. Any request passing through the proxy (and not matched by --skip-auth-regex) is checked for the proxy's session cookie (--cookie-name) (or, if allowed, a JWT token - see --skip-jwt-bearer-tokens).
    2. If authentication is required but missing then the user is asked to log in and redirected to the authentication provider (unless it is an Ajax request, i.e. one with Accept: application/json, in which case 401 Unauthorized is returned)
    3. After returning from the authentication provider, the oauth tokens are stored in the configured session store (cookie, redis, ...) and a cookie is set
    4. The request is forwarded to the upstream server with added user info and authentication headers (depending on the configuration)

    Notice that the proxy also provides a number of useful endpoints.

    Copyright © 2022 OAuth2 Proxy.
    - + \ No newline at end of file diff --git a/docs/next/community/security/index.html b/docs/next/community/security/index.html index 3b8499f1..fbe095f6 100644 --- a/docs/next/community/security/index.html +++ b/docs/next/community/security/index.html @@ -5,7 +5,7 @@ Security | OAuth2 Proxy - + @@ -29,7 +29,7 @@ If we have multiple security issues in flight simultaneously, we may delay merging fixes until all patches are ready. We may also backport the fix to previous releases, but this will be at the discretion of the maintainers.

    Copyright © 2022 OAuth2 Proxy.
    - + \ No newline at end of file diff --git a/docs/next/configuration/alpha-config/index.html b/docs/next/configuration/alpha-config/index.html index 86ee5ab0..84c85076 100644 --- a/docs/next/configuration/alpha-config/index.html +++ b/docs/next/configuration/alpha-config/index.html @@ -5,7 +5,7 @@ Alpha Configuration | OAuth2 Proxy - + @@ -63,7 +63,7 @@ passed to the /oauth2/start endpoint are checked to determine wheth they are valid overrides for the given parameter passed to the IdP's login URL. Either Value or Pattern should be supplied, not both.

    FieldTypeDescription
    valuestringA Value rule matches just this specific value
    patternstringA Pattern rule gives a regular expression that must be matched by
    some substring of the value. The expression is not automatically
    anchored to the start and end of the value, if you want to restrict
    the whole parameter value you must anchor it yourself with ^ and $.

    Upstream​

    (Appears on: UpstreamConfig)

    Upstream represents the configuration for an upstream server. Requests will be proxied to this upstream if the path matches the request path.

    FieldTypeDescription
    idstringID should be a unique identifier for the upstream.
    This value is required for all upstreams.
    pathstringPath is used to map requests to the upstream server.
    The closest match will take precedence and all Paths must be unique.
    Path can also take a pattern when used with RewriteTarget.
    Path segments can be captured and matched using regular experessions.
    Eg:
    - ^/foo$: Match only the explicit path /foo
    - ^/bar/$: Match any path prefixed with /bar/
    - ^/baz/(.*)$: Match any path prefixed with /baz and capture the remaining path for use with RewriteTarget
    rewriteTargetstringRewriteTarget allows users to rewrite the request path before it is sent to
    the upstream server.
    Use the Path to capture segments for reuse within the rewrite target.
    Eg: With a Path of ^/baz/(.*), a RewriteTarget of /foo/$1 would rewrite
    the request /baz/abc/123 to /foo/abc/123 before proxying to the
    upstream server.
    uristringThe URI of the upstream server. This may be an HTTP(S) server of a File
    based URL. It may include a path, in which case all requests will be served
    under that path.
    Eg:
    - http://localhost:8080
    - https://service.localhost
    - https://service.localhost/path
    - file://host/path
    If the URI's path is "/base" and the incoming request was for "/dir",
    the upstream request will be for "/base/dir".
    insecureSkipTLSVerifyboolInsecureSkipTLSVerify will skip TLS verification of upstream HTTPS hosts.
    This option is insecure and will allow potential Man-In-The-Middle attacks
    betweem OAuth2 Proxy and the usptream server.
    Defaults to false.
    staticboolStatic will make all requests to this upstream have a static response.
    The response will have a body of "Authenticated" and a response code
    matching StaticCode.
    If StaticCode is not set, the response will return a 200 response.
    staticCodeintStaticCode determines the response code for the Static response.
    This option can only be used with Static enabled.
    flushIntervalDurationFlushInterval is the period between flushing the response buffer when
    streaming response from the upstream.
    Defaults to 1 second.
    passHostHeaderboolPassHostHeader determines whether the request host header should be proxied
    to the upstream server.
    Defaults to true.
    proxyWebSocketsboolProxyWebSockets enables proxying of websockets to upstream servers
    Defaults to true.
    timeoutDurationTimeout is the maximum duration the server will wait for a response from the upstream server.
    Defaults to 30 seconds.

    UpstreamConfig​

    (Appears on: AlphaOptions)

    UpstreamConfig is a collection of definitions for upstream servers.

    FieldTypeDescription
    proxyRawPathboolProxyRawPath will pass the raw url path to upstream allowing for url's
    like: "/%2F/" which would otherwise be redirected to "/"
    upstreams[]UpstreamUpstreams represents the configuration for the upstream servers.
    Requests will be proxied to this upstream if the path matches the request path.
    Copyright © 2022 OAuth2 Proxy.
    - + \ No newline at end of file diff --git a/docs/next/configuration/oauth_provider/index.html b/docs/next/configuration/oauth_provider/index.html index dba0a220..15ac32a2 100644 --- a/docs/next/configuration/oauth_provider/index.html +++ b/docs/next/configuration/oauth_provider/index.html @@ -5,7 +5,7 @@ OAuth Provider Configuration | OAuth2 Proxy - + @@ -50,7 +50,7 @@ to setup the client id and client secret. Your "Redirection URI" will Provider instance. Add a new case to providers.New() to allow oauth2-proxy to use the new Provider.

    Copyright © 2022 OAuth2 Proxy.
    - + \ No newline at end of file diff --git a/docs/next/configuration/overview/index.html b/docs/next/configuration/overview/index.html index debec698..05940461 100644 --- a/docs/next/configuration/overview/index.html +++ b/docs/next/configuration/overview/index.html @@ -5,12 +5,12 @@ Overview | OAuth2 Proxy - +
    -
    Version: Next

    Overview

    oauth2-proxy can be configured via command line options, environment variables or config file (in decreasing order of precedence, i.e. command line options will overwrite environment variables and environment variables will overwrite configuration file settings).

    To generate a strong cookie secret use one of the below commands:

    python -c 'import os,base64; print(base64.urlsafe_b64encode(os.urandom(32)).decode())'

    Config File​

    Every command line argument can be specified in a config file by replacing hyphens (-) with underscores (_). If the argument can be specified multiple times, the config option should be plural (trailing s).

    An example oauth2-proxy.cfg config file is in the contrib directory. It can be used by specifying --config=/etc/oauth2-proxy.cfg

    Command Line Options​

    OptionTypeDescriptionDefault
    --acr-valuesstringoptional, see docs""
    --approval-promptstringOAuth approval_prompt"force"
    --auth-loggingboolLog authentication attemptstrue
    --auth-logging-formatstringTemplate for authentication log linessee Logging Configuration
    --authenticated-emails-filestringauthenticate against emails via file (one per line)
    --azure-tenantstringgo to a tenant-specific or common (tenant-independent) endpoint."common"
    --basic-auth-passwordstringthe password to set when passing the HTTP Basic Auth header
    --client-idstringthe OAuth Client ID, e.g. "123456.apps.googleusercontent.com"
    --client-secretstringthe OAuth Client Secret
    --client-secret-filestringthe file with OAuth Client Secret
    --code-challenge-methodstringuse PKCE code challenges with the specified method. Either 'plain' or 'S256' (recommended)
    --configstringpath to config file
    --cookie-domainstring | listOptional cookie domains to force cookies to (e.g. .yourcompany.com). The longest domain matching the request's host will be used (or the shortest cookie domain if there is no match).
    --cookie-expiredurationexpire timeframe for cookie168h0m0s
    --cookie-httponlyboolset HttpOnly cookie flagtrue
    --cookie-namestringthe name of the cookie that the oauth_proxy creates. Should be changed to use a cookie prefix (__Host- or __Secure-) if --cookie-secure is set."_oauth2_proxy"
    --cookie-pathstringan optional cookie path to force cookies to (e.g. /poc/)"/"
    --cookie-refreshdurationrefresh the cookie after this duration; 0 to disable; not supported by all providers [1]
    --cookie-secretstringthe seed string for secure cookies (optionally base64 encoded)
    --cookie-secureboolset secure (HTTPS only) cookie flagtrue
    --cookie-samesitestringset SameSite cookie attribute ("lax", "strict", "none", or "").""
    --cookie-csrf-per-requestboolEnable having different CSRF cookies per request, making it possible to have parallel requests.false
    --cookie-csrf-expiredurationexpire timeframe for CSRF cookie15m
    --custom-templates-dirstringpath to custom html templates
    --custom-sign-in-logostringpath or a URL to an custom image for the sign_in page logo. Use \"-\" to disable default logo.
    --display-htpasswd-formbooldisplay username / password login form if an htpasswd file is providedtrue
    --email-domainstring | listauthenticate emails with the specified domain (may be given multiple times). Use * to authenticate any email
    --errors-to-info-logboolredirects error-level logging to default log channel instead of stderr
    --extra-jwt-issuersstringif --skip-jwt-bearer-tokens is set, a list of extra JWT issuer=audience (see a token's iss, aud fields) pairs (where the issuer URL has a .well-known/openid-configuration or a .well-known/jwks.json)
    --exclude-logging-pathstringcomma separated list of paths to exclude from logging, e.g. "/ping,/path2""" (no paths excluded)
    --flush-intervaldurationperiod between flushing response buffers when streaming responses"1s"
    --force-httpsboolenforce https redirectfalse
    --force-json-errorsboolforce JSON errors instead of HTTP error pages or redirectsfalse
    --bannerstringcustom (html) banner string. Use "-" to disable default banner.
    --footerstringcustom (html) footer string. Use "-" to disable default footer.
    --github-orgstringrestrict logins to members of this organisation
    --github-teamstringrestrict logins to members of any of these teams (slug), separated by a comma
    --github-repostringrestrict logins to collaborators of this repository formatted as orgname/repo
    --github-tokenstringthe token to use when verifying repository collaborators (must have push access to the repository)
    --github-userstring | listTo allow users to login by username even if they do not belong to the specified org and team or collaborators
    --gitlab-groupstring | listrestrict logins to members of any of these groups (slug), separated by a comma
    --gitlab-projectsstring | listrestrict logins to members of any of these projects (may be given multiple times) formatted as orgname/repo=accesslevel. Access level should be a value matching Gitlab access levels, defaulted to 20 if absent
    --google-admin-emailstringthe google admin to impersonate for api calls
    --google-groupstringrestrict logins to members of this google group (may be given multiple times).
    --google-service-account-jsonstringthe path to the service account json credentials
    --htpasswd-filestringadditionally authenticate against a htpasswd file. Entries must be created with htpasswd -B for bcrypt encryption
    --htpasswd-user-groupstring | listthe groups to be set on sessions for htpasswd users
    --http-addressstring[http://]<addr>:<port> or unix://<path> to listen on for HTTP clients. Square brackets are required for ipv6 address, e.g. http://[::1]:4180"127.0.0.1:4180"
    --https-addressstring[https://]<addr>:<port> to listen on for HTTPS clients. Square brackets are required for ipv6 address, e.g. https://[::1]:443":443"
    --logging-compressboolShould rotated log files be compressed using gzipfalse
    --logging-filenamestringFile to log requests to, empty for stdout"" (stdout)
    --logging-local-timeboolUse local time in log files and backup filenames instead of UTCtrue (local time)
    --logging-max-ageintMaximum number of days to retain old log files7
    --logging-max-backupsintMaximum number of old log files to retain; 0 to disable0
    --logging-max-sizeintMaximum size in megabytes of the log file before rotation100
    --jwt-keystringprivate key in PEM format used to sign JWT, so that you can say something like --jwt-key="${OAUTH2_PROXY_JWT_KEY}": required by login.gov
    --jwt-key-filestringpath to the private key file in PEM format used to sign the JWT so that you can say something like --jwt-key-file=/etc/ssl/private/jwt_signing_key.pem: required by login.gov
    --login-urlstringAuthentication endpoint
    --insecure-oidc-allow-unverified-emailbooldon't fail if an email address in an id_token is not verifiedfalse
    --insecure-oidc-skip-issuer-verificationboolallow the OIDC issuer URL to differ from the expected (currently required for Azure multi-tenant compatibility)false
    --insecure-oidc-skip-nonceboolskip verifying the OIDC ID Token's nonce claimtrue
    --oidc-issuer-urlstringthe OpenID Connect issuer URL, e.g. "https://accounts.google.com"
    --oidc-jwks-urlstringOIDC JWKS URI for token verification; required if OIDC discovery is disabled
    --oidc-email-claimstringwhich OIDC claim contains the user's email"email"
    --oidc-groups-claimstringwhich OIDC claim contains the user groups"groups"
    --oidc-audience-claimstringwhich OIDC claim contains the audience"aud"
    --oidc-extra-audiencestring | listadditional audiences which are allowed to pass verification"[]"
    --pass-access-tokenboolpass OAuth access_token to upstream via X-Forwarded-Access-Token header. When used with --set-xauthrequest this adds the X-Auth-Request-Access-Token header to the responsefalse
    --pass-authorization-headerboolpass OIDC IDToken to upstream via Authorization Bearer headerfalse
    --pass-basic-authboolpass HTTP Basic Auth, X-Forwarded-User, X-Forwarded-Email and X-Forwarded-Preferred-Username information to upstreamtrue
    --prefer-email-to-userboolPrefer to use the Email address as the Username when passing information to upstream. Will only use Username if Email is unavailable, e.g. htaccess authentication. Used in conjunction with --pass-basic-auth and --pass-user-headersfalse
    --pass-host-headerboolpass the request Host Header to upstreamtrue
    --pass-user-headersboolpass X-Forwarded-User, X-Forwarded-Groups, X-Forwarded-Email and X-Forwarded-Preferred-Username information to upstreamtrue
    --profile-urlstringProfile access endpoint
    --promptstringOIDC prompt; if present, approval-prompt is ignored""
    --providerstringOAuth providergoogle
    --provider-ca-filestring | listPaths to CA certificates that should be used when connecting to the provider. If not specified, the default Go trust sources are used instead.
    --provider-display-namestringOverride the provider's name with the given string; used for the sign-in page(depends on provider)
    --ping-pathstringthe ping endpoint that can be used for basic health checks"/ping"
    --ping-user-agentstringa User-Agent that can be used for basic health checks"" (don't check user agent)
    --metrics-addressstringthe address prometheus metrics will be scraped from""
    --proxy-prefixstringthe url root path that this proxy should be nested under (e.g. /<oauth2>/sign_in)"/oauth2"
    --proxy-websocketsboolenables WebSocket proxyingtrue
    --pubjwk-urlstringJWK pubkey access endpoint: required by login.gov
    --real-client-ip-headerstringHeader used to determine the real IP of the client, requires --reverse-proxy to be set (one of: X-Forwarded-For, X-Real-IP, or X-ProxyUser-IP)X-Real-IP
    --redeem-urlstringToken redemption endpoint
    --redirect-urlstringthe OAuth Redirect URL, e.g. "https://internalapp.yourcompany.com/oauth2/callback"
    --redis-cluster-connection-urlsstring | listList of Redis cluster connection URLs (e.g. redis://HOST[:PORT]). Used in conjunction with --redis-use-cluster
    --redis-connection-urlstringURL of redis server for redis session storage (e.g. redis://HOST[:PORT])
    --redis-passwordstringRedis password. Applicable for all Redis configurations. Will override any password set in --redis-connection-url
    --redis-sentinel-passwordstringRedis sentinel password. Used only for sentinel connection; any redis node passwords need to use --redis-password
    --redis-sentinel-master-namestringRedis sentinel master name. Used in conjunction with --redis-use-sentinel
    --redis-sentinel-connection-urlsstring | listList of Redis sentinel connection URLs (e.g. redis://HOST[:PORT]). Used in conjunction with --redis-use-sentinel
    --redis-use-clusterboolConnect to redis cluster. Must set --redis-cluster-connection-urls to use this featurefalse
    --redis-use-sentinelboolConnect to redis via sentinels. Must set --redis-sentinel-master-name and --redis-sentinel-connection-urls to use this featurefalse
    --redis-connection-idle-timeoutintRedis connection idle timeout seconds. If Redis timeout option is set to non-zero, the --redis-connection-idle-timeout must be less than Redis timeout option. Exmpale: if either redis.conf includes timeout 15 or using CONFIG SET timeout 15 the --redis-connection-idle-timeout must be at least --redis-connection-idle-timeout=140
    --request-id-headerstringRequest header to use as the request ID in loggingX-Request-Id
    --request-loggingboolLog requeststrue
    --request-logging-formatstringTemplate for request log linessee Logging Configuration
    --resourcestringThe resource that is protected (Azure AD only)
    --reverse-proxyboolare we running behind a reverse proxy, controls whether headers like X-Real-IP are accepted and allows X-Forwarded-{Proto,Host,Uri} headers to be used on redirect selectionfalse
    --scopestringOAuth scope specification
    --session-cookie-minimalboolstrip OAuth tokens from cookie session stores if they aren't needed (cookie session store only)false
    --session-store-typestringSession data storage backend; redis or cookiecookie
    --set-xauthrequestboolset X-Auth-Request-User, X-Auth-Request-Groups, X-Auth-Request-Email and X-Auth-Request-Preferred-Username response headers (useful in Nginx auth_request mode). When used with --pass-access-token, X-Auth-Request-Access-Token is added to response headers.false
    --set-authorization-headerboolset Authorization Bearer response header (useful in Nginx auth_request mode)false
    --set-basic-authboolset HTTP Basic Auth information in response (useful in Nginx auth_request mode)false
    --show-debug-on-errorboolshow detailed error information on error pages (WARNING: this may contain sensitive information - do not use in production)false
    --signature-keystringGAP-Signature request signature key (algorithm:secretkey)
    --silence-ping-loggingbooldisable logging of requests to ping endpointfalse
    --skip-auth-preflightboolwill skip authentication for OPTIONS requestsfalse
    --skip-auth-regexstring | list(DEPRECATED for --skip-auth-route) bypass authentication for requests paths that match (may be given multiple times)
    --skip-auth-routestring | listbypass authentication for requests that match the method & path. Format: method=path_regex OR method!=path_regex. For all methods: path_regex OR !=path_regex
    --skip-auth-strip-headersboolstrips X-Forwarded-* style authentication headers & Authorization header if they would be set by oauth2-proxytrue
    --skip-jwt-bearer-tokensboolwill skip requests that have verified JWT bearer tokens (the token must have aud that matches this client id or one of the extras from extra-jwt-issuers)false
    --skip-oidc-discoveryboolbypass OIDC endpoint discovery. --login-url, --redeem-url and --oidc-jwks-url must be configured in this casefalse
    --skip-provider-buttonboolwill skip sign-in-page to directly reach the next step: oauth/startfalse
    --ssl-insecure-skip-verifyboolskip validation of certificates presented when using HTTPS providersfalse
    --ssl-upstream-insecure-skip-verifyboolskip validation of certificates presented when using HTTPS upstreamsfalse
    --standard-loggingboolLog standard runtime informationtrue
    --standard-logging-formatstringTemplate for standard log linessee Logging Configuration
    --tls-cert-filestringpath to certificate file
    --tls-cipher-suitestring | listRestricts TLS cipher suites used by server to those listed (e.g. TLS_RSA_WITH_RC4_128_SHA) (may be given multiple times). If not specified, the default Go safe cipher list is used. List of valid cipher suites can be found in the crypto/tls documentation.
    --tls-key-filestringpath to private key file
    --tls-min-versionstringminimum TLS version that is acceptable, either "TLS1.2" or "TLS1.3""TLS1.2"
    --upstreamstring | listthe http url(s) of the upstream endpoint, file:// paths for static files or static://<status_code> for static response. Routing is based on the path
    --upstream-timeoutdurationmaximum amount of time the server will wait for a response from the upstream30s
    --allowed-groupstring | listrestrict logins to members of this group (may be given multiple times)
    --allowed-rolestring | listrestrict logins to users with this role (may be given multiple times). Only works with the keycloak-oidc provider.
    --validate-urlstringAccess token validation endpoint
    --versionn/aprint version string
    --whitelist-domainstring | listallowed domains for redirection after authentication. Prefix domain with a . or a *. to allow subdomains (e.g. .example.com, *.example.com) [2]
    --trusted-ipstring | listlist of IPs or CIDR ranges to allow to bypass authentication (may be given multiple times). When combined with --reverse-proxy and optionally --real-client-ip-header this will evaluate the trust of the IP stored in an HTTP header by a reverse proxy rather than the layer-3/4 remote address. WARNING: trusting IPs has inherent security flaws, especially when obtaining the IP address from an HTTP header (reverse-proxy mode). Use this option only if you understand the risks and how to manage them.

    [1]: Only these providers support --cookie-refresh: GitLab, Google and OIDC

    [2]: When using the whitelist-domain option, any domain prefixed with a . or a *. will allow any subdomain of the specified domain as a valid redirect URL. By default, only empty ports are allowed. This translates to allowing the default port of the URL's protocol (80 for HTTP, 443 for HTTPS, etc.) since browsers omit them. To allow only a specific port, add it to the whitelisted domain: example.com:8080. To allow any port, use *: example.com:*.

    See below for provider specific options

    Upstreams Configuration​

    oauth2-proxy supports having multiple upstreams, and has the option to pass requests on to HTTP(S) servers or serve static files from the file system. HTTP and HTTPS upstreams are configured by providing a URL such as http://127.0.0.1:8080/ for the upstream parameter. This will forward all authenticated requests to the upstream server. If you instead provide http://127.0.0.1:8080/some/path/ then it will only be requests that start with /some/path/ which are forwarded to the upstream.

    Static file paths are configured as a file:// URL. file:///var/www/static/ will serve the files from that directory at http://[oauth2-proxy url]/var/www/static/, which may not be what you want. You can provide the path to where the files should be available by adding a fragment to the configured URL. The value of the fragment will then be used to specify which path the files are available at, e.g. file:///var/www/static/#/static/ will make /var/www/static/ available at http://[oauth2-proxy url]/static/.

    Multiple upstreams can either be configured by supplying a comma separated list to the --upstream parameter, supplying the parameter multiple times or providing a list in the config file. When multiple upstreams are used routing to them will be based on the path they are set up with.

    Environment variables​

    Every command line argument can be specified as an environment variable by +

    Version: Next

    Overview

    oauth2-proxy can be configured via command line options, environment variables or config file (in decreasing order of precedence, i.e. command line options will overwrite environment variables and environment variables will overwrite configuration file settings).

    To generate a strong cookie secret use one of the below commands:

    python -c 'import os,base64; print(base64.urlsafe_b64encode(os.urandom(32)).decode())'

    Config File​

    Every command line argument can be specified in a config file by replacing hyphens (-) with underscores (_). If the argument can be specified multiple times, the config option should be plural (trailing s).

    An example oauth2-proxy.cfg config file is in the contrib directory. It can be used by specifying --config=/etc/oauth2-proxy.cfg

    Command Line Options​

    OptionTypeDescriptionDefault
    --acr-valuesstringoptional, see docs""
    --api-routestring | listreturn HTTP 401 instead of redirecting to authentication server if token is not valid. Format: path_regex
    --approval-promptstringOAuth approval_prompt"force"
    --auth-loggingboolLog authentication attemptstrue
    --auth-logging-formatstringTemplate for authentication log linessee Logging Configuration
    --authenticated-emails-filestringauthenticate against emails via file (one per line)
    --azure-tenantstringgo to a tenant-specific or common (tenant-independent) endpoint."common"
    --basic-auth-passwordstringthe password to set when passing the HTTP Basic Auth header
    --client-idstringthe OAuth Client ID, e.g. "123456.apps.googleusercontent.com"
    --client-secretstringthe OAuth Client Secret
    --client-secret-filestringthe file with OAuth Client Secret
    --code-challenge-methodstringuse PKCE code challenges with the specified method. Either 'plain' or 'S256' (recommended)
    --configstringpath to config file
    --cookie-domainstring | listOptional cookie domains to force cookies to (e.g. .yourcompany.com). The longest domain matching the request's host will be used (or the shortest cookie domain if there is no match).
    --cookie-expiredurationexpire timeframe for cookie168h0m0s
    --cookie-httponlyboolset HttpOnly cookie flagtrue
    --cookie-namestringthe name of the cookie that the oauth_proxy creates. Should be changed to use a cookie prefix (__Host- or __Secure-) if --cookie-secure is set."_oauth2_proxy"
    --cookie-pathstringan optional cookie path to force cookies to (e.g. /poc/)"/"
    --cookie-refreshdurationrefresh the cookie after this duration; 0 to disable; not supported by all providers [1]
    --cookie-secretstringthe seed string for secure cookies (optionally base64 encoded)
    --cookie-secureboolset secure (HTTPS only) cookie flagtrue
    --cookie-samesitestringset SameSite cookie attribute ("lax", "strict", "none", or "").""
    --cookie-csrf-per-requestboolEnable having different CSRF cookies per request, making it possible to have parallel requests.false
    --cookie-csrf-expiredurationexpire timeframe for CSRF cookie15m
    --custom-templates-dirstringpath to custom html templates
    --custom-sign-in-logostringpath or a URL to an custom image for the sign_in page logo. Use \"-\" to disable default logo.
    --display-htpasswd-formbooldisplay username / password login form if an htpasswd file is providedtrue
    --email-domainstring | listauthenticate emails with the specified domain (may be given multiple times). Use * to authenticate any email
    --errors-to-info-logboolredirects error-level logging to default log channel instead of stderr
    --extra-jwt-issuersstringif --skip-jwt-bearer-tokens is set, a list of extra JWT issuer=audience (see a token's iss, aud fields) pairs (where the issuer URL has a .well-known/openid-configuration or a .well-known/jwks.json)
    --exclude-logging-pathstringcomma separated list of paths to exclude from logging, e.g. "/ping,/path2""" (no paths excluded)
    --flush-intervaldurationperiod between flushing response buffers when streaming responses"1s"
    --force-httpsboolenforce https redirectfalse
    --force-json-errorsboolforce JSON errors instead of HTTP error pages or redirectsfalse
    --bannerstringcustom (html) banner string. Use "-" to disable default banner.
    --footerstringcustom (html) footer string. Use "-" to disable default footer.
    --github-orgstringrestrict logins to members of this organisation
    --github-teamstringrestrict logins to members of any of these teams (slug), separated by a comma
    --github-repostringrestrict logins to collaborators of this repository formatted as orgname/repo
    --github-tokenstringthe token to use when verifying repository collaborators (must have push access to the repository)
    --github-userstring | listTo allow users to login by username even if they do not belong to the specified org and team or collaborators
    --gitlab-groupstring | listrestrict logins to members of any of these groups (slug), separated by a comma
    --gitlab-projectsstring | listrestrict logins to members of any of these projects (may be given multiple times) formatted as orgname/repo=accesslevel. Access level should be a value matching Gitlab access levels, defaulted to 20 if absent
    --google-admin-emailstringthe google admin to impersonate for api calls
    --google-groupstringrestrict logins to members of this google group (may be given multiple times).
    --google-service-account-jsonstringthe path to the service account json credentials
    --htpasswd-filestringadditionally authenticate against a htpasswd file. Entries must be created with htpasswd -B for bcrypt encryption
    --htpasswd-user-groupstring | listthe groups to be set on sessions for htpasswd users
    --http-addressstring[http://]<addr>:<port> or unix://<path> to listen on for HTTP clients. Square brackets are required for ipv6 address, e.g. http://[::1]:4180"127.0.0.1:4180"
    --https-addressstring[https://]<addr>:<port> to listen on for HTTPS clients. Square brackets are required for ipv6 address, e.g. https://[::1]:443":443"
    --logging-compressboolShould rotated log files be compressed using gzipfalse
    --logging-filenamestringFile to log requests to, empty for stdout"" (stdout)
    --logging-local-timeboolUse local time in log files and backup filenames instead of UTCtrue (local time)
    --logging-max-ageintMaximum number of days to retain old log files7
    --logging-max-backupsintMaximum number of old log files to retain; 0 to disable0
    --logging-max-sizeintMaximum size in megabytes of the log file before rotation100
    --jwt-keystringprivate key in PEM format used to sign JWT, so that you can say something like --jwt-key="${OAUTH2_PROXY_JWT_KEY}": required by login.gov
    --jwt-key-filestringpath to the private key file in PEM format used to sign the JWT so that you can say something like --jwt-key-file=/etc/ssl/private/jwt_signing_key.pem: required by login.gov
    --login-urlstringAuthentication endpoint
    --insecure-oidc-allow-unverified-emailbooldon't fail if an email address in an id_token is not verifiedfalse
    --insecure-oidc-skip-issuer-verificationboolallow the OIDC issuer URL to differ from the expected (currently required for Azure multi-tenant compatibility)false
    --insecure-oidc-skip-nonceboolskip verifying the OIDC ID Token's nonce claimtrue
    --oidc-issuer-urlstringthe OpenID Connect issuer URL, e.g. "https://accounts.google.com"
    --oidc-jwks-urlstringOIDC JWKS URI for token verification; required if OIDC discovery is disabled
    --oidc-email-claimstringwhich OIDC claim contains the user's email"email"
    --oidc-groups-claimstringwhich OIDC claim contains the user groups"groups"
    --oidc-audience-claimstringwhich OIDC claim contains the audience"aud"
    --oidc-extra-audiencestring | listadditional audiences which are allowed to pass verification"[]"
    --pass-access-tokenboolpass OAuth access_token to upstream via X-Forwarded-Access-Token header. When used with --set-xauthrequest this adds the X-Auth-Request-Access-Token header to the responsefalse
    --pass-authorization-headerboolpass OIDC IDToken to upstream via Authorization Bearer headerfalse
    --pass-basic-authboolpass HTTP Basic Auth, X-Forwarded-User, X-Forwarded-Email and X-Forwarded-Preferred-Username information to upstreamtrue
    --prefer-email-to-userboolPrefer to use the Email address as the Username when passing information to upstream. Will only use Username if Email is unavailable, e.g. htaccess authentication. Used in conjunction with --pass-basic-auth and --pass-user-headersfalse
    --pass-host-headerboolpass the request Host Header to upstreamtrue
    --pass-user-headersboolpass X-Forwarded-User, X-Forwarded-Groups, X-Forwarded-Email and X-Forwarded-Preferred-Username information to upstreamtrue
    --profile-urlstringProfile access endpoint
    --promptstringOIDC prompt; if present, approval-prompt is ignored""
    --providerstringOAuth providergoogle
    --provider-ca-filestring | listPaths to CA certificates that should be used when connecting to the provider. If not specified, the default Go trust sources are used instead.
    --provider-display-namestringOverride the provider's name with the given string; used for the sign-in page(depends on provider)
    --ping-pathstringthe ping endpoint that can be used for basic health checks"/ping"
    --ping-user-agentstringa User-Agent that can be used for basic health checks"" (don't check user agent)
    --metrics-addressstringthe address prometheus metrics will be scraped from""
    --proxy-prefixstringthe url root path that this proxy should be nested under (e.g. /<oauth2>/sign_in)"/oauth2"
    --proxy-websocketsboolenables WebSocket proxyingtrue
    --pubjwk-urlstringJWK pubkey access endpoint: required by login.gov
    --real-client-ip-headerstringHeader used to determine the real IP of the client, requires --reverse-proxy to be set (one of: X-Forwarded-For, X-Real-IP, or X-ProxyUser-IP)X-Real-IP
    --redeem-urlstringToken redemption endpoint
    --redirect-urlstringthe OAuth Redirect URL, e.g. "https://internalapp.yourcompany.com/oauth2/callback"
    --redis-cluster-connection-urlsstring | listList of Redis cluster connection URLs (e.g. redis://HOST[:PORT]). Used in conjunction with --redis-use-cluster
    --redis-connection-urlstringURL of redis server for redis session storage (e.g. redis://HOST[:PORT])
    --redis-passwordstringRedis password. Applicable for all Redis configurations. Will override any password set in --redis-connection-url
    --redis-sentinel-passwordstringRedis sentinel password. Used only for sentinel connection; any redis node passwords need to use --redis-password
    --redis-sentinel-master-namestringRedis sentinel master name. Used in conjunction with --redis-use-sentinel
    --redis-sentinel-connection-urlsstring | listList of Redis sentinel connection URLs (e.g. redis://HOST[:PORT]). Used in conjunction with --redis-use-sentinel
    --redis-use-clusterboolConnect to redis cluster. Must set --redis-cluster-connection-urls to use this featurefalse
    --redis-use-sentinelboolConnect to redis via sentinels. Must set --redis-sentinel-master-name and --redis-sentinel-connection-urls to use this featurefalse
    --redis-connection-idle-timeoutintRedis connection idle timeout seconds. If Redis timeout option is set to non-zero, the --redis-connection-idle-timeout must be less than Redis timeout option. Exmpale: if either redis.conf includes timeout 15 or using CONFIG SET timeout 15 the --redis-connection-idle-timeout must be at least --redis-connection-idle-timeout=140
    --request-id-headerstringRequest header to use as the request ID in loggingX-Request-Id
    --request-loggingboolLog requeststrue
    --request-logging-formatstringTemplate for request log linessee Logging Configuration
    --resourcestringThe resource that is protected (Azure AD only)
    --reverse-proxyboolare we running behind a reverse proxy, controls whether headers like X-Real-IP are accepted and allows X-Forwarded-{Proto,Host,Uri} headers to be used on redirect selectionfalse
    --scopestringOAuth scope specification
    --session-cookie-minimalboolstrip OAuth tokens from cookie session stores if they aren't needed (cookie session store only)false
    --session-store-typestringSession data storage backend; redis or cookiecookie
    --set-xauthrequestboolset X-Auth-Request-User, X-Auth-Request-Groups, X-Auth-Request-Email and X-Auth-Request-Preferred-Username response headers (useful in Nginx auth_request mode). When used with --pass-access-token, X-Auth-Request-Access-Token is added to response headers.false
    --set-authorization-headerboolset Authorization Bearer response header (useful in Nginx auth_request mode)false
    --set-basic-authboolset HTTP Basic Auth information in response (useful in Nginx auth_request mode)false
    --show-debug-on-errorboolshow detailed error information on error pages (WARNING: this may contain sensitive information - do not use in production)false
    --signature-keystringGAP-Signature request signature key (algorithm:secretkey)
    --silence-ping-loggingbooldisable logging of requests to ping endpointfalse
    --skip-auth-preflightboolwill skip authentication for OPTIONS requestsfalse
    --skip-auth-regexstring | list(DEPRECATED for --skip-auth-route) bypass authentication for requests paths that match (may be given multiple times)
    --skip-auth-routestring | listbypass authentication for requests that match the method & path. Format: method=path_regex OR method!=path_regex. For all methods: path_regex OR !=path_regex
    --skip-auth-strip-headersboolstrips X-Forwarded-* style authentication headers & Authorization header if they would be set by oauth2-proxytrue
    --skip-jwt-bearer-tokensboolwill skip requests that have verified JWT bearer tokens (the token must have aud that matches this client id or one of the extras from extra-jwt-issuers)false
    --skip-oidc-discoveryboolbypass OIDC endpoint discovery. --login-url, --redeem-url and --oidc-jwks-url must be configured in this casefalse
    --skip-provider-buttonboolwill skip sign-in-page to directly reach the next step: oauth/startfalse
    --ssl-insecure-skip-verifyboolskip validation of certificates presented when using HTTPS providersfalse
    --ssl-upstream-insecure-skip-verifyboolskip validation of certificates presented when using HTTPS upstreamsfalse
    --standard-loggingboolLog standard runtime informationtrue
    --standard-logging-formatstringTemplate for standard log linessee Logging Configuration
    --tls-cert-filestringpath to certificate file
    --tls-cipher-suitestring | listRestricts TLS cipher suites used by server to those listed (e.g. TLS_RSA_WITH_RC4_128_SHA) (may be given multiple times). If not specified, the default Go safe cipher list is used. List of valid cipher suites can be found in the crypto/tls documentation.
    --tls-key-filestringpath to private key file
    --tls-min-versionstringminimum TLS version that is acceptable, either "TLS1.2" or "TLS1.3""TLS1.2"
    --upstreamstring | listthe http url(s) of the upstream endpoint, file:// paths for static files or static://<status_code> for static response. Routing is based on the path
    --upstream-timeoutdurationmaximum amount of time the server will wait for a response from the upstream30s
    --allowed-groupstring | listrestrict logins to members of this group (may be given multiple times)
    --allowed-rolestring | listrestrict logins to users with this role (may be given multiple times). Only works with the keycloak-oidc provider.
    --validate-urlstringAccess token validation endpoint
    --versionn/aprint version string
    --whitelist-domainstring | listallowed domains for redirection after authentication. Prefix domain with a . or a *. to allow subdomains (e.g. .example.com, *.example.com) [2]
    --trusted-ipstring | listlist of IPs or CIDR ranges to allow to bypass authentication (may be given multiple times). When combined with --reverse-proxy and optionally --real-client-ip-header this will evaluate the trust of the IP stored in an HTTP header by a reverse proxy rather than the layer-3/4 remote address. WARNING: trusting IPs has inherent security flaws, especially when obtaining the IP address from an HTTP header (reverse-proxy mode). Use this option only if you understand the risks and how to manage them.

    [1]: Only these providers support --cookie-refresh: GitLab, Google and OIDC

    [2]: When using the whitelist-domain option, any domain prefixed with a . or a *. will allow any subdomain of the specified domain as a valid redirect URL. By default, only empty ports are allowed. This translates to allowing the default port of the URL's protocol (80 for HTTP, 443 for HTTPS, etc.) since browsers omit them. To allow only a specific port, add it to the whitelisted domain: example.com:8080. To allow any port, use *: example.com:*.

    See below for provider specific options

    Upstreams Configuration​

    oauth2-proxy supports having multiple upstreams, and has the option to pass requests on to HTTP(S) servers or serve static files from the file system. HTTP and HTTPS upstreams are configured by providing a URL such as http://127.0.0.1:8080/ for the upstream parameter. This will forward all authenticated requests to the upstream server. If you instead provide http://127.0.0.1:8080/some/path/ then it will only be requests that start with /some/path/ which are forwarded to the upstream.

    Static file paths are configured as a file:// URL. file:///var/www/static/ will serve the files from that directory at http://[oauth2-proxy url]/var/www/static/, which may not be what you want. You can provide the path to where the files should be available by adding a fragment to the configured URL. The value of the fragment will then be used to specify which path the files are available at, e.g. file:///var/www/static/#/static/ will make /var/www/static/ available at http://[oauth2-proxy url]/static/.

    Multiple upstreams can either be configured by supplying a comma separated list to the --upstream parameter, supplying the parameter multiple times or providing a list in the config file. When multiple upstreams are used routing to them will be based on the path they are set up with.

    Environment variables​

    Every command line argument can be specified as an environment variable by prefixing it with OAUTH2_PROXY_, capitalising it, and replacing hyphens (-) with underscores (_). If the argument can be specified multiple times, the environment variable should be plural (trailing S).

    This is particularly useful for storing secrets outside of a configuration file @@ -20,7 +20,7 @@ The default format is configured as follows:

    {{.Client}} - {{.RequestID}} - {{.Username}} [{{.Timestamp}}] {{.Host}} {{.RequestMethod}} {{.Upstream}} {{.RequestURI}} {{.Protocol}} {{.UserAgent}} {{.StatusCode}} {{.ResponseSize}} {{.RequestDuration}}

    Available variables for request logging:

    VariableExampleDescription
    Client74.125.224.72The client/remote IP address. Will use the X-Real-IP header it if exists & reverse-proxy is set to true.
    Hostdomain.comThe value of the Host header.
    ProtocolHTTP/1.0The request protocol.
    RequestDuration0.001The time in seconds that a request took to process.
    RequestID00010203-0405-4607-8809-0a0b0c0d0e0fThe request ID pulled from the --request-id-header. Random UUID if empty
    RequestMethodGETThe request method.
    RequestURI"/oauth2/auth"The URI path of the request.
    ResponseSize12The size in bytes of the response.
    StatusCode200The HTTP status code of the response.
    Timestamp19/Mar/2015:17:20:19 -0400The date and time of the logging event.
    Upstream-The upstream data of the HTTP request.
    UserAgent-The full user agent as reported by the requesting client.
    Usernameusername@email.comThe email or username of the auth request.

    Standard Log Format​

    All other logging that is not covered by the above two types of logging will be output in this standard logging format. This includes configuration information at startup and errors that occur outside of a session. The default format is below:

    [19/Mar/2015:17:20:19 -0400] [main.go:40] <MESSAGE>

    If you require a different format than that, you can configure it with the --standard-logging-format flag. The default format is configured as follows:

    [{{.Timestamp}}] [{{.File}}] {{.Message}}

    Available variables for standard logging:

    VariableExampleDescription
    Timestamp19/Mar/2015:17:20:19 -0400The date and time of the logging event.
    Filemain.go:40The file and line number of the logging statement.
    MessageHTTP: listening on 127.0.0.1:4180The details of the log statement.

    Configuring for use with the Nginx auth_request directive​

    The Nginx auth_request directive allows Nginx to authenticate requests via the oauth2-proxy's /auth endpoint, which only returns a 202 Accepted response or a 401 Unauthorized response without proxying the request through. For example:

    server {
      listen 443 ssl;
      server_name ...;
      include ssl/ssl.conf;

      location /oauth2/ {
        proxy_pass       http://127.0.0.1:4180;
        proxy_set_header Host                    $host;
        proxy_set_header X-Real-IP               $remote_addr;
        proxy_set_header X-Scheme                $scheme;
        proxy_set_header X-Auth-Request-Redirect $request_uri;
        # or, if you are handling multiple domains:
        # proxy_set_header X-Auth-Request-Redirect $scheme://$host$request_uri;
      }
      location = /oauth2/auth {
        proxy_pass       http://127.0.0.1:4180;
        proxy_set_header Host             $host;
        proxy_set_header X-Real-IP        $remote_addr;
        proxy_set_header X-Scheme         $scheme;
        # nginx auth_request includes headers but not body
        proxy_set_header Content-Length   "";
        proxy_pass_request_body           off;
      }

      location / {
        auth_request /oauth2/auth;
        error_page 401 = /oauth2/sign_in;

        # pass information via X-User and X-Email headers to backend,
        # requires running with --set-xauthrequest flag
        auth_request_set $user   $upstream_http_x_auth_request_user;
        auth_request_set $email  $upstream_http_x_auth_request_email;
        proxy_set_header X-User  $user;
        proxy_set_header X-Email $email;

        # if you enabled --pass-access-token, this will pass the token to the backend
        auth_request_set $token  $upstream_http_x_auth_request_access_token;
        proxy_set_header X-Access-Token $token;

        # if you enabled --cookie-refresh, this is needed for it to work with auth_request
        auth_request_set $auth_cookie $upstream_http_set_cookie;
        add_header Set-Cookie $auth_cookie;

        # When using the --set-authorization-header flag, some provider's cookies can exceed the 4kb
        # limit and so the OAuth2 Proxy splits these into multiple parts.
        # Nginx normally only copies the first `Set-Cookie` header from the auth_request to the response,
        # so if your cookies are larger than 4kb, you will need to extract additional cookies manually.
        auth_request_set $auth_cookie_name_upstream_1 $upstream_cookie_auth_cookie_name_1;

        # Extract the Cookie attributes from the first Set-Cookie header and append them
        # to the second part ($upstream_cookie_* variables only contain the raw cookie content)
        if ($auth_cookie ~* "(; .*)") {
            set $auth_cookie_name_0 $auth_cookie;
            set $auth_cookie_name_1 "auth_cookie_name_1=$auth_cookie_name_upstream_1$1";
        }

        # Send both Set-Cookie headers now if there was a second part
        if ($auth_cookie_name_upstream_1) {
            add_header Set-Cookie $auth_cookie_name_0;
            add_header Set-Cookie $auth_cookie_name_1;
        }

        proxy_pass http://backend/;
        # or "root /path/to/site;" or "fastcgi_pass ..." etc
      }
    }

    When you use ingress-nginx in Kubernetes, you MUST use kubernetes/ingress-nginx (which includes the Lua module) and the following configuration snippet for your Ingress. Variables set with auth_request_set are not set-able in plain nginx config when the location is processed via proxy_pass and then may only be processed by Lua. Note that nginxinc/kubernetes-ingress does not include the Lua module.

    nginx.ingress.kubernetes.io/auth-response-headers: Authorization
    nginx.ingress.kubernetes.io/auth-signin: https://$host/oauth2/start?rd=$escaped_request_uri
    nginx.ingress.kubernetes.io/auth-url: https://$host/oauth2/auth
    nginx.ingress.kubernetes.io/configuration-snippet: |
      auth_request_set $name_upstream_1 $upstream_cookie_name_1;

      access_by_lua_block {
        if ngx.var.name_upstream_1 ~= "" then
          ngx.header["Set-Cookie"] = "name_1=" .. ngx.var.name_upstream_1 .. ngx.var.auth_cookie:match("(; .*)")
        end
      }

    It is recommended to use --session-store-type=redis when expecting large sessions/OIDC tokens (e.g. with MS Azure).

    You have to substitute name with the actual cookie name you configured via --cookie-name parameter. If you don't set a custom cookie name the variable should be "$upstream_cookie__oauth2_proxy_1" instead of "$upstream_cookie_name_1" and the new cookie-name should be "_oauth2_proxy_1=" instead of "name_1=".

    Configuring for use with the Traefik (v2) ForwardAuth middleware​

    This option requires --reverse-proxy option to be set.

    ForwardAuth with 401 errors middleware​

    The Traefik v2 ForwardAuth middleware allows Traefik to authenticate requests via the oauth2-proxy's /oauth2/auth endpoint on every request, which only returns a 202 Accepted response or a 401 Unauthorized response without proxying the whole request through. For example, on Dynamic File (YAML) Configuration:

    http:
      routers:
        a-service:
          rule: "Host(`a-service.example.com`)"
          service: a-service-backend
          middlewares:
            - oauth-errors
            - oauth-auth
          tls:
            certResolver: default
            domains:
              - main: "example.com"
                sans:
                  - "*.example.com"
        oauth:
          rule: "Host(`a-service.example.com`, `oauth.example.com`) && PathPrefix(`/oauth2/`)"
          middlewares:
            - auth-headers
          service: oauth-backend
          tls:
            certResolver: default
            domains:
              - main: "example.com"
                sans:
                  - "*.example.com"

      services:
        a-service-backend:
          loadBalancer:
            servers:
              - url: http://172.16.0.2:7555
        oauth-backend:
          loadBalancer:
            servers:
              - url: http://172.16.0.1:4180

      middlewares:
        auth-headers:
          headers:
            sslRedirect: true
            stsSeconds: 315360000
            browserXssFilter: true
            contentTypeNosniff: true
            forceSTSHeader: true
            sslHost: example.com
            stsIncludeSubdomains: true
            stsPreload: true
            frameDeny: true
        oauth-auth:
          forwardAuth:
            address: https://oauth.example.com/oauth2/auth
            trustForwardHeader: true
        oauth-errors:
          errors:
            status:
              - "401-403"
            service: oauth-backend
            query: "/oauth2/sign_in"

    ForwardAuth with static upstreams configuration​

    Redirect to sign_in functionality provided without the use of errors middleware with Traefik v2 ForwardAuth middleware pointing to oauth2-proxy service's / endpoint

    Following options need to be set on oauth2-proxy:

    • --upstream=static://202: Configures a static response for authenticated sessions
    • --reverse-proxy=true: Enables the use of X-Forwarded-* headers to determine redirects correctly
    http:
      routers:
        a-service-route-1:
          rule: "Host(`a-service.example.com`, `b-service.example.com`) && PathPrefix(`/`)"
          service: a-service-backend
          middlewares:
            - oauth-auth-redirect # redirects all unauthenticated to oauth2 signin
          tls:
            certResolver: default
            domains:
              - main: "example.com"
                sans:
                  - "*.example.com"
        a-service-route-2:
          rule: "Host(`a-service.example.com`) && PathPrefix(`/no-auto-redirect`)"
          service: a-service-backend
          middlewares:
            - oauth-auth-wo-redirect # unauthenticated session will return a 401
          tls:
            certResolver: default
            domains:
              - main: "example.com"
                sans:
                  - "*.example.com"
        services-oauth2-route:
          rule: "Host(`a-service.example.com`, `b-service.example.com`) && PathPrefix(`/oauth2/`)"
          middlewares:
            - auth-headers
          service: oauth-backend
          tls:
            certResolver: default
            domains:
              - main: "example.com"
                sans:
                  - "*.example.com"
        oauth2-proxy-route:
          rule: "Host(`oauth.example.com`) && PathPrefix(`/`)"
          middlewares:
            - auth-headers
          service: oauth-backend
          tls:
            certResolver: default
            domains:
              - main: "example.com"
                sans:
                  - "*.example.com"

      services:
        a-service-backend:
          loadBalancer:
            servers:
              - url: http://172.16.0.2:7555
        b-service-backend:
          loadBalancer:
            servers:
              - url: http://172.16.0.3:7555
        oauth-backend:
          loadBalancer:
            servers:
              - url: http://172.16.0.1:4180

      middlewares:
        auth-headers:
          headers:
            sslRedirect: true
            stsSeconds: 315360000
            browserXssFilter: true
            contentTypeNosniff: true
            forceSTSHeader: true
            sslHost: example.com
            stsIncludeSubdomains: true
            stsPreload: true
            frameDeny: true
        oauth-auth-redirect:
          forwardAuth:
            address: https://oauth.example.com/
            trustForwardHeader: true
            authResponseHeaders:
              - X-Auth-Request-Access-Token
              - Authorization
        oauth-auth-wo-redirect:
          forwardAuth:
            address: https://oauth.example.com/oauth2/auth
            trustForwardHeader: true
            authResponseHeaders:
              - X-Auth-Request-Access-Token
              - Authorization
    note

    If you set up your OAuth2 provider to rotate your client secret, you can use the client-secret-file option to reload the secret when it is updated.

    Copyright © 2022 OAuth2 Proxy.
    - + \ No newline at end of file diff --git a/docs/next/configuration/session_storage/index.html b/docs/next/configuration/session_storage/index.html index 3eddac9e..35b887fd 100644 --- a/docs/next/configuration/session_storage/index.html +++ b/docs/next/configuration/session_storage/index.html @@ -5,7 +5,7 @@ Session Storage | OAuth2 Proxy - + @@ -28,7 +28,7 @@ and --redis-sentinel-connection-urls appropriately.

    Redis Clu --redis-use-cluster=true flag, and configure the flags --redis-cluster-connection-urls appropriately.

    Note that flags --redis-use-sentinel=true and --redis-use-cluster=true are mutually exclusive.

    Note, if Redis timeout option is set to non-zero, the --redis-connection-idle-timeout must be less than Redis timeout option. For example: if either redis.conf includes timeout 15 or using CONFIG SET timeout 15 the --redis-connection-idle-timeout must be at least --redis-connection-idle-timeout=14

    Copyright © 2022 OAuth2 Proxy.
    - + \ No newline at end of file diff --git a/docs/next/configuration/tls/index.html b/docs/next/configuration/tls/index.html index 0a258aa8..523ea458 100644 --- a/docs/next/configuration/tls/index.html +++ b/docs/next/configuration/tls/index.html @@ -5,7 +5,7 @@ TLS Configuration | OAuth2 Proxy - + @@ -20,7 +20,7 @@ external load balancer like Amazon ELB or Google Platform Load Balancing) use oauth2-proxy will then authenticate requests for an upstream application. The external endpoint for this example would be https://internal.yourcompany.com/.

    An example Nginx config follows. Note the use of Strict-Transport-Security header to pin requests to SSL via HSTS:

    server {
        listen 443 default ssl;
        server_name internal.yourcompany.com;
        ssl_certificate /path/to/cert.pem;
        ssl_certificate_key /path/to/cert.key;
        add_header Strict-Transport-Security max-age=2592000;

        location / {
            proxy_pass http://127.0.0.1:4180;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Scheme $scheme;
            proxy_connect_timeout 1;
            proxy_send_timeout 30;
            proxy_read_timeout 30;
        }
    }

  • The command line to run oauth2-proxy in this configuration would look like this:

    ./oauth2-proxy \
       --email-domain="yourcompany.com"  \
       --upstream=http://127.0.0.1:8080/ \
       --cookie-secret=... \
       --cookie-secure=true \
       --provider=... \
       --reverse-proxy=true \
       --client-id=... \
       --client-secret=...
    • Copyright © 2022 OAuth2 Proxy.
    - + \ No newline at end of file diff --git a/docs/next/features/endpoints/index.html b/docs/next/features/endpoints/index.html index 39d2f326..9f5daab7 100644 --- a/docs/next/features/endpoints/index.html +++ b/docs/next/features/endpoints/index.html @@ -5,13 +5,13 @@ Endpoints | OAuth2 Proxy - +
    Version: Next

    Endpoints

    OAuth2 Proxy responds directly to the following endpoints. All other endpoints will be proxied upstream when authenticated. The /oauth2 prefix can be changed with the --proxy-prefix config variable.

    • /robots.txt - returns a 200 OK response that disallows all User-agents from all paths; see robotstxt.org for more info
    • /ping - returns a 200 OK response, which is intended for use with health checks
    • /metrics - Metrics endpoint for Prometheus to scrape, serve on the address specified by --metrics-address, disabled by default
    • /oauth2/sign_in - the login page, which also doubles as a sign out page (it clears cookies)
    • /oauth2/sign_out - this URL is used to clear the session cookie
    • /oauth2/start - a URL that will redirect to start the OAuth cycle
    • /oauth2/callback - the URL used at the end of the OAuth cycle. The oauth app will be configured with this as the callback url.
    • /oauth2/userinfo - the URL is used to return user's email from the session in JSON format.
    • /oauth2/auth - only returns a 202 Accepted response or a 401 Unauthorized response; for use with the Nginx auth_request directive

    Sign out​

    To sign the user out, redirect them to /oauth2/sign_out. This endpoint only removes oauth2-proxy's own cookies, i.e. the user is still logged in with the authentication provider and may automatically re-login when accessing the application again. You will also need to redirect the user to the authentication provider's sign out page afterwards using the rd query parameter, i.e. redirect the user to something like (notice the url-encoding!):

    /oauth2/sign_out?rd=https%3A%2F%2Fmy-oidc-provider.example.com%2Fsign_out_page

    Alternatively, include the redirect URL in the X-Auth-Request-Redirect header:

    GET /oauth2/sign_out HTTP/1.1
    X-Auth-Request-Redirect: https://my-oidc-provider/sign_out_page
    ...

    (The "sign_out_page" should be the end_session_endpoint from the metadata if your OIDC provider supports Session Management and Discovery.)

    BEWARE that the domain you want to redirect to (my-oidc-provider.example.com in the example) must be added to the --whitelist-domain configuration option otherwise the redirect will be ignored.

    Auth​

    This endpoint returns 202 Accepted response or a 401 Unauthorized response.

    It can be configured using the following query parameters query parameters:

    • allowed_groups: comma separated list of allowed groups
    • allowed_email_domains: comma separated list of allowed email domains
    • allowed_emails: comma separated list of allowed emails
    Copyright © 2022 OAuth2 Proxy.
    - + \ No newline at end of file diff --git a/docs/next/index.html b/docs/next/index.html index 6878ff24..3fb27e85 100644 --- a/docs/next/index.html +++ b/docs/next/index.html @@ -5,13 +5,13 @@ Installation | OAuth2 Proxy - +
    Version: Next

    Installation

    1. Choose how to deploy:

      a. Download Prebuilt Binary (current release is v7.3.0)

      b. Build with $ go get github.com/oauth2-proxy/oauth2-proxy/v7 which will put the binary in $GOPATH/bin

      c. Using the prebuilt docker image quay.io/oauth2-proxy/oauth2-proxy (AMD64, ARMv6 and ARM64 tags available)

      d. Using a Kubernetes manifest (Helm)

    Prebuilt binaries can be validated by extracting the file and verifying it against the sha256sum.txt checksum file provided for each release starting with version v3.0.0.

    $ sha256sum -c sha256sum.txt
    oauth2-proxy-x.y.z.linux-amd64: OK
    1. Select a Provider and Register an OAuth Application with a Provider
    2. Configure OAuth2 Proxy using config file, command line options, or environment variables
    3. Configure SSL or Deploy behind a SSL endpoint (example provided for Nginx)
    Copyright © 2022 OAuth2 Proxy.
    - + \ No newline at end of file diff --git a/index.html b/index.html index bc11c171..1e2ccc0a 100644 --- a/index.html +++ b/index.html @@ -5,7 +5,7 @@ Welcome to OAuth2 Proxy | OAuth2 Proxy - + @@ -14,7 +14,7 @@ to validate accounts by email, domain or group.

    note

    This repository was forked from bitly/OAuth2_Proxy on 27/11/2018. Versions v3.0.0 and up are from this fork and will have diverged from any changes in the original fork. A list of changes can be seen in the CHANGELOG.

    Sign In Page

    Architecture​

    OAuth2 Proxy Architecture

    Copyright © 2022 OAuth2 Proxy.
    - + \ No newline at end of file