mirror of https://github.com/oauth2-proxy/oauth2-proxy.git synced 2025-02-21 19:48:46 +02:00

doc: add example for caddy v2 forward_auth (#2759)

---------

Co-authored-by: Denis Dabischa <34655672+dabde@users.noreply.github.com>
Co-authored-by: Brennan Kinney <5098581+polarathene@users.noreply.github.com>
dabde 2024-09-23 16:34:08 +02:00 committed by GitHub
parent bc034454f6
commit fff5dd358f
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
2 changed files with 72 additions and 0 deletions

@ -265,6 +265,42 @@ http:
- Authorization
```
## Configuring for use with the caddy v2 `forward_auth` directive
The [Caddy `forward_auth` directive](https://caddyserver.com/docs/caddyfile/directives/forward_auth) allows Caddy to authenticate requests via the `oauth2-proxy`'s `/auth`.
This example is for a simple reverse proxy setup where the `/oauth2/` path is kept under the same domain and failed auth requests (401 status returned) will be caught and redirected to the `sign_in` endpoint.
**Following options need to be set on `oauth2-proxy`:**
- `--reverse-proxy=true`: Enables the use of `X-Forwarded-*` headers to determine redirects correctly
```nginx
{{ domain }} {
# define forward auth for any path under `/`, if not more specific defined
forward_auth / {{ oauth.internalIP }}:4180 {
uri /oauth2/auth
copy_headers Authorization X-Auth-Request-User X-Auth-Request-Email
@error status 401
handle_response @error {
redir * /oauth2/sign_in?rd={scheme}://{host}{uri} 302
}
}
# define `/oauth2/*` as specific endpoint, to avoid forward auth protection to be able to use service
reverse_proxy /oauth2/* {{ oauth.internalIP }}:4180 {
header_up X-Real-IP {remote}
header_up X-Forwarded-Proto https
}
# unspecific reverse proxy will be protected from `forward_auth /`
reverse_proxy {{ endpointIP }} {
header_up X-Real-IP {remote}
header_up X-Forwarded-Proto https
}
}
```
:::note
If you set up your OAuth2 provider to rotate your client secret, you can use the `client-secret-file` option to reload the secret when it is updated.
:::
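Review bot: The `forward_auth /` matcher in this hunk does not do what its comment says. Caddy path matchers are exact unless they end in `*`, so `forward_auth /` applies only to a request for the root path; every other path falls through to the unmatched `reverse_proxy {{ endpointIP }}` block with no auth check at all, contrary to the comment "unspecific reverse proxy will be protected from forward_auth /". Widening it to `forward_auth /*` is not enough on its own, because `forward_auth` runs before `reverse_proxy` in Caddy's directive order and would then also intercept `/oauth2/*`, so `/oauth2/sign_in` would get a 401 from `/oauth2/auth` and redirect to itself. Suggest a named matcher that excludes the oauth2-proxy paths, e.g. `@protected not path /oauth2/*` followed by `forward_auth @protected {{ oauth.internalIP }}:4180 { ... }`, and updating the two comments to match.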

@ -265,6 +265,42 @@ http:
- Authorization
```
## Configuring for use with the caddy v2 `forward_auth` directive
The [Caddy `forward_auth` directive](https://caddyserver.com/docs/caddyfile/directives/forward_auth) allows Caddy to authenticate requests via the `oauth2-proxy`'s `/auth`.
This example is for a simple reverse proxy setup where the `/oauth2/` path is kept under the same domain and failed auth requests (401 status returned) will be caught and redirected to the `sign_in` endpoint.
**Following options need to be set on `oauth2-proxy`:**
- `--reverse-proxy=true`: Enables the use of `X-Forwarded-*` headers to determine redirects correctly
```nginx
{{ domain }} {
# define forward auth for any path under `/`, if not more specific defined
forward_auth / {{ oauth.internalIP }}:4180 {
uri /oauth2/auth
copy_headers Authorization X-Auth-Request-User X-Auth-Request-Email
@error status 401
handle_response @error {
redir * /oauth2/sign_in?rd={scheme}://{host}{uri} 302
}
}
# define `/oauth2/*` as specific endpoint, to avoid forward auth protection to be able to use service
reverse_proxy /oauth2/* {{ oauth.internalIP }}:4180 {
header_up X-Real-IP {remote}
header_up X-Forwarded-Proto https
}
# unspecific reverse proxy will be protected from `forward_auth /`
reverse_proxy {{ endpointIP }} {
header_up X-Real-IP {remote}
header_up X-Forwarded-Proto https
}
}
```
:::note
If you set up your OAuth2 provider to rotate your client secret, you can use the `client-secret-file` option to reload the secret when it is updated.
:::
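Review bot: The list under "Following options need to be set on oauth2-proxy" is incomplete for the Caddyfile that follows. `copy_headers Authorization X-Auth-Request-User X-Auth-Request-Email` can only copy headers that the `/oauth2/auth` response actually carries, and oauth2-proxy emits the `X-Auth-Request-*` headers only with `--set-xauthrequest=true` and the `Authorization` header only with `--set-authorization-header=true`; without them the upstream receives no identity headers and the example silently degrades to a bare allow/deny check. Suggest adding those two flags next to `--reverse-proxy=true`, and changing "via the `oauth2-proxy`'s `/auth`" in the intro sentence to `/oauth2/auth`, which is the path the `uri` subdirective sends the subrequest to. This copy of the section also carries the same `forward_auth /` path matcher as the other changed file, which in Caddy is an exact match and therefore guards only the root path.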