* Implements --ip-whitelist option
* Included IPWhitelist option to allow one-or-more selected CIDR ranges
to bypass OAuth2 authentication.
* Adds IPWhitelist, a fast lookup table for multiple CIDR ranges.
* Renamed IPWhitelist ipCIDRSet
* Fixed unessesary pointer usage in ipCIDRSet
* Update CHANGELOG.md
* Update CHANGELOG.md
* Updated to not use err.Error() in printf statements
* Imrpoved language for --ip-whitelist descriptions.
* Improve IP whitelist options error messages
* Clarify options single-host normalization
* Wrote a book about ipCIDRSet
* Added comment to IsWhitelistedIP in oauthproxy.go
* Rewrite oauthproxy test case as table driven
* oops
* Support whitelisting by low-level remote address
* Added more test-cases, improved descriptions
* Move ip_cidr_set.go to pkg/ip/net_set.go
* Add more whitelist test use cases.
* Oops
* Use subtests for TestIPWhitelist
* Add minimal tests for ip.NetSet
* Use switch statment
* Renamed ip-whitelist to whitelist-ip
* Update documentation with a warning.
* Update pkg/apis/options/options.go
* Update CHANGELOG.md
Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
* Update pkg/ip/net_set_test.go
Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
* Update pkg/ip/net_set_test.go
Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
* Update pkg/ip/net_set_test.go
Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
* Apply suggestions from code review
Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
* fix fmt
* Move ParseIPNet into abstraction
* Add warning in case of --reverse-proxy
* Update pkg/validation/options_test.go
* Rename --whitelist-ip to --trusted-ip
* Update oauthproxy.go
Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
* fix
Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
* Adding one more example - keycloak - alongside with dex IDP.
* don't expose keycloak and proxy ports to the host
* specify email-domain list option in documentation
* get rid of nginx and socat to simplify the example as per https://github.com/oauth2-proxy/oauth2-proxy/pull/604#issuecomment-640054390
* get rid of the scripts - use static file for keycloak startup
* changelog entry
* Update CHANGELOG.md
Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
* Implements -real-client-ip-header option.
* The -real-client-ip-header determines what HTTP header is used for
determining the "real client IP" of the remote client.
* The -real-client-ip-header option supports the following headers:
X-Forwarded-For X-ProxyUser-IP and X-Real-IP (default).
* Introduces new realClientIPParser interface to allow for multiple
polymorphic classes to decide how to determine the real client IP.
* TODO: implement the more standard, but more complex `Forwarded` HTTP
header.
* Corrected order of expected/actual in test cases
* Improved error message in getRemoteIP
* Add tests for getRemoteIP and getClientString
* Add comment explaining splitting of header
* Update documentation on -real-client-ip-header w/o -reverse-proxy
* Add PR number in changelog.
* Fix typo repeated word: "it"
Co-Authored-By: Joel Speed <Joel.speed@hotmail.co.uk>
* Update extended configuration language
* Simplify the language around dependance on -reverse-proxy
Co-Authored-By: Joel Speed <Joel.speed@hotmail.co.uk>
* Added completions
* Reorder real client IP header options
* Update CHANGELOG.md
* Apply suggestions from code review
Co-authored-by: Isabelle COWAN-BERGMAN <Izzette@users.noreply.github.com>
Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
Co-authored-by: Henry Jenkins <henry@henryjenkins.name>
* Extend the redis session store to support redis cluster
* rename function newRedisClient to newRedisCmdable
* update docs about redis cluster as session store
* update autocomplete script with redis cluster options
* add check about conflict between option redis-use-sentinel and redis-use-cluster
* update change log
* Update docs/configuration/sessions.md
Co-Authored-By: Joel Speed <Joel.speed@hotmail.co.uk>
* Update pkg/sessions/redis/redis_store.go
Co-Authored-By: Joel Speed <Joel.speed@hotmail.co.uk>
* add the dropped option back
Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
Values of 'lax' and 'strict' can improve and mitigate
some categories of cross-site traffic tampering.
Given that the nature of this proxy is often to proxy
private tools, this is useful to take advantage of.
See: https://www.owasp.org/index.php/SameSite
* This fixes https://github.com/bitly/oauth2_proxy/issues/205
* Add new boolean option -pass-user-headers
to control whether X-Forwarded-User and X-Forwarded-Email
headers will be set (as opposed to HTTP BASIC auth)
* This is required e.g. for grafana [1] where
X-Forwarded-User is needed but HTTP BASIC auth fails
(password is not known and must not be known in this scenario)
* Keep behaviour of PassBasicAuth unchanged for compatibility
[1] http://docs.grafana.org/installation/configuration/#authproxy
This adds a "*" option to --email-domain to disable email validation, and this renames `--google-apps-domain` to `--email-domain` for clarity across providers
