go/oauth2-proxy
1
0
Fork 0
mirror of https://github.com/oauth2-proxy/oauth2-proxy.git synced 2025-06-15 00:15:00 +02:00
Code Issues Releases Activity

Add option to specify the tls-min-version for the server

Browse Source
This commit is contained in:
polarctos
2021-12-17 00:01:32 +01:00
parent 11699a822a
commit e03cf87dd8
8 changed files with 93 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
docs/docs/configuration/alpha_config.md
View File

@ -349,18 +349,20 @@ Server represents the configuration for an HTTP(S) server
| ----- | ---- | ----------- |
| `BindAddress` | _string_ | BindAddress is the address on which to serve traffic.<br/>Leave blank or set to "-" to disable. |
| `SecureBindAddress` | _string_ | SecureBindAddress is the address on which to serve secure traffic.<br/>Leave blank or set to "-" to disable. |
| `TLS` | _[TLS](#tls)_ | TLS contains the information for loading the certificate and key for the<br/>secure traffic. |
| `TLS` | _[TLS](#tls)_ | TLS contains the information for loading the certificate and key for the<br/>secure traffic and further configuration for the TLS server. |
### TLS
(**Appears on:** [Server](#server))
TLS contains the information for loading a TLS certifcate and key.
TLS contains the information for loading a TLS certificate and key
as well as an optional minimal TLS version that is acceptable.
| Field | Type | Description |
| ----- | ---- | ----------- |
| `Key` | _[SecretSource](#secretsource)_ | Key is the TLS key data to use.<br/>Typically this will come from a file. |
| `Cert` | _[SecretSource](#secretsource)_ | Cert is the TLS certificate data to use.<br/>Typically this will come from a file. |
| `MinVersion` | _string_ | MinVersion is the minimal TLS version that is acceptable.<br/>E.g. Set to "TLS1.3" to select TLS version 1.3 |
### Upstream

1
docs/docs/configuration/overview.md
View File

@ -191,6 +191,7 @@ An example [oauth2-proxy.cfg](https://github.com/oauth2-proxy/oauth2-proxy/blob/
| `--standard-logging-format` | string | Template for standard log lines | see [Logging Configuration](#logging-configuration) |
| `--tls-cert-file` | string | path to certificate file | |
| `--tls-key-file` | string | path to private key file | |
| `--tls-min-version` | string | minimum TLS version that is acceptable, either `"TLS1.2"` or `"TLS1.3"` | `"TLS1.2"` |
| `--upstream` | string \| list | the http url(s) of the upstream endpoint, file:// paths for static files or `static://<status_code>` for static response. Routing is based on the path | |
| `--allowed-group` | string \| list | restrict logins to members of this group (may be given multiple times) | |
| `--allowed-role` | string \| list | restrict logins to users with this role (may be given multiple times). Only works with the keycloak-oidc provider. | |

21
docs/docs/configuration/tls.md
View File

@ -3,7 +3,11 @@ id: tls
title: TLS Configuration
---
There are two recommended configurations.
There are two recommended configurations:
- [At OAuth2 Proxy](#terminate-tls-at-oauth2-proxy)
- [At Reverse Proxy](#terminate-tls-at-reverse-proxy-eg-nginx)
### Terminate TLS at OAuth2 Proxy
1. Configure SSL Termination with OAuth2 Proxy by providing a `--tls-cert-file=/path/to/cert.pem` and `--tls-key-file=/path/to/cert.key`.
@ -22,7 +26,18 @@ There are two recommended configurations.
--client-secret=...
```
2. Configure SSL Termination with [Nginx](http://nginx.org/) (example config below), Amazon ELB, Google Cloud Platform Load Balancing, or ....
2. With this configuration approach the customization of the TLS settings is limited.
The minimal acceptable TLS version can be set with `--tls-min-version=TLS1.3`.
The defaults set `TLS1.2` as the minimal version.
Regardless of the minimum version configured, `TLS1.3` is currently always used as the maximal version.
The server side cipher suites are the defaults from [`crypto/tls`](https://pkg.go.dev/crypto/tls#CipherSuites) of
the currently used `go` version for building `oauth2-proxy`.
### Terminate TLS at Reverse Proxy, e.g. Nginx
1. Configure SSL Termination with [Nginx](http://nginx.org/) (example config below), Amazon ELB, Google Cloud Platform Load Balancing, or ...
Because `oauth2-proxy` listens on `127.0.0.1:4180` by default, to listen on all interfaces (needed when using an
external load balancer like Amazon ELB or Google Platform Load Balancing) use `--http-address="0.0.0.0:4180"` or
@ -55,7 +70,7 @@ There are two recommended configurations.
}
```
The command line to run `oauth2-proxy` in this configuration would look like this:
2. The command line to run `oauth2-proxy` in this configuration would look like this:
```bash
./oauth2-proxy \