## OAuth2 Proxy Config File ## https://github.com/oauth2-proxy/oauth2-proxy ## : to listen on for HTTP/HTTPS clients # http_address = "127.0.0.1:4180" # https_address = ":443" ## Are we running behind a reverse proxy? Will not accept headers like X-Real-Ip unless this is set. # reverse_proxy = true ## TLS Settings # tls_cert_file = "" # tls_key_file = "" ## the OAuth Redirect URL. # defaults to the "https://" + requested host header + "/oauth2/callback" # redirect_url = "https://internalapp.yourcompany.com/oauth2/callback" ## the http url(s) of the upstream endpoint. If multiple, routing is based on path # upstreams = [ # "http://127.0.0.1:8080/" # ] ## Logging configuration #logging_filename = "" #logging_max_size = 100 #logging_max_age = 7 #logging_local_time = true #logging_compress = false #standard_logging = true #standard_logging_format = "[{{.Timestamp}}] [{{.File}}] {{.Message}}" #request_logging = true #request_logging_format = "{{.Client}} - {{.Username}} [{{.Timestamp}}] {{.Host}} {{.RequestMethod}} {{.Upstream}} {{.RequestURI}} {{.Protocol}} {{.UserAgent}} {{.StatusCode}} {{.ResponseSize}} {{.RequestDuration}}" #auth_logging = true #auth_logging_format = "{{.Client}} - {{.Username}} [{{.Timestamp}}] [{{.Status}}] {{.Message}}" ## pass HTTP Basic Auth, X-Forwarded-User and X-Forwarded-Email information to upstream # pass_basic_auth = true # pass_user_headers = true ## pass the request Host Header to upstream ## when disabled the upstream Host is used as the Host Header # pass_host_header = true ## Email Domains to allow authentication for (this authorizes any email on this domain) ## for more granular authorization use `authenticated_emails_file` ## To authorize any email addresses use "*" # email_domains = [ # "yourcompany.com" # ] ## The OAuth Client ID, Secret # client_id = "123456.apps.googleusercontent.com" # client_secret = "" ## Pass OAuth Access token to upstream via "X-Forwarded-Access-Token" # pass_access_token = false ## Authenticated Email Addresses File (one email per line) # authenticated_emails_file = "" ## Htpasswd File (optional) ## Additionally authenticate against a htpasswd file. Entries must be created with "htpasswd -B" for bcrypt encryption ## enabling exposes a username/login signin form # htpasswd_file = "" ## bypass authentication for requests that match the method & path. Format: method=path_regex OR path_regex alone for all methods # skip_auth_routes = [ # "GET=^/probe", # "^/metrics" # ] ## mark paths as API routes to get HTTP Status code 401 instead of redirect to login page # api_routes = [ # "^/api # ] ## Templates ## optional directory with custom sign_in.html and error.html # custom_templates_dir = "" ## skip SSL checking for HTTPS requests # ssl_insecure_skip_verify = false ## Cookie Settings ## Name - the cookie name ## Secret - the seed string for secure cookies; should be 16, 24, or 32 bytes ## for use with an AES cipher when cookie_refresh or pass_access_token ## is set ## Domain - (optional) cookie domain to force cookies to (ie: .yourcompany.com) ## Expire - (duration) expire timeframe for cookie ## Refresh - (duration) refresh the cookie when duration has elapsed after cookie was initially set. ## Should be less than cookie_expire; set to 0 to disable. ## On refresh, OAuth token is re-validated. ## (ie: 1h means tokens are refreshed on request 1hr+ after it was set) ## Secure - secure cookies are only sent by the browser of a HTTPS connection (recommended) ## HttpOnly - httponly cookies are not readable by javascript (recommended) # cookie_name = "_oauth2_proxy" # cookie_secret = "" # cookie_domains = "" # cookie_expire = "168h" # cookie_refresh = "" # cookie_secure = true # cookie_httponly = true