H1net a4d89036ec fix: handle Unix socket RemoteAddr in IP resolution (#3374)
* fix: handle Unix socket RemoteAddr in IP resolution

When oauth2-proxy listens on a Unix socket, Go sets RemoteAddr to "@"
instead of the usual "host:port" format. This caused net.SplitHostPort
to fail on every request, flooding logs with errors:

  Error obtaining real IP for trusted IP list: unable to get ip and
  port from http.RemoteAddr (@)

Fix by handling the "@" RemoteAddr at the source in getRemoteIP,
returning nil without error since Unix sockets have no meaningful
client IP. Also simplify the isTrustedIP guard and add a nil check
in GetClientString to prevent calling String() on nil net.IP.

Fixes #3373

Signed-off-by: h1net <ben@freshdevs.com>

* docs: add changelog entry and Unix socket trusted IPs documentation

Add changelog entry for #3374. Document that trusted IPs cannot match
against RemoteAddr for Unix socket listeners since Go sets it to "@",
and that IP-based trust still works via X-Forwarded-For with reverse-proxy.

Signed-off-by: Ben Newbery <ben.newbery@gmail.com>
Signed-off-by: h1net <ben@freshdevs.com>

* doc: fix changelog entry for #3374

Signed-off-by: Jan Larwig <jan@larwig.com>

* doc: add a trusted IP section to versioned docs as well

Signed-off-by: Jan Larwig <jan@larwig.com>

---------

Signed-off-by: h1net <ben@freshdevs.com>
Signed-off-by: Ben Newbery <ben.newbery@gmail.com>
Signed-off-by: Jan Larwig <jan@larwig.com>
Co-authored-by: Jan Larwig <jan@larwig.com>
2026-03-23 10:22:36 +01:00


---
id: systemd_socket
title: Systemd Socket Activation
---

Pass an existing listener created by systemd.socket to oauth2-proxy.

To do this, create a socket unit:

oauth2-proxy.socket

[Socket]
ListenStream=%t/oauth2.sock
SocketGroup=www-data
SocketMode=0660

Now it's possible to call this socket from e.g. nginx:

server {
    location /oauth2/ {
        proxy_pass http://unix:/run/oauth2-proxy/oauth2.sock;
    }
}

oauth2-proxy should be started with --http-address=fd:3. Here fd is case-insensitive and means file descriptor. The number 3 refers to the first file descriptor after stdin, stdout and stderr: systemd-socket-activate (which is what systemd.socket uses) listens on the configured address and passes the listener it created to the process, starting with file descriptor 3.

./oauth2-proxy \
    --http-address="fd:3" \
    --email-domain="yourcompany.com"  \
    --upstream=http://127.0.0.1:8080/ \
    --cookie-secret=... \
    --cookie-secure=true \
    --provider=... \
    --client-id=... \
    --client-secret=...
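As an added illustration of how a Go process picks up the activated socket (this is example code written for this page, not oauth2-proxy's own implementation), the program below parses an fd:N address case-insensitively, wraps descriptor N with net.FileListener, and otherwise falls back to a plain TCP listen. The helper names parseFDAddress, listenerFromFile and listenerFor are hypothetical.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"os"
	"strconv"
	"strings"
)

// parseFDAddress recognises an --http-address value of the form "fd:N"
// (case-insensitive prefix; hypothetical helper name). It returns N and true,
// or false when the value should be treated as an ordinary host:port address.
func parseFDAddress(addr string) (int, bool) {
	if len(addr) < 3 || !strings.EqualFold(addr[:3], "fd:") {
		return 0, false
	}
	n, err := strconv.Atoi(addr[3:])
	// Descriptors 0-2 are stdin/stdout/stderr; an activated socket is 3 or higher.
	if err != nil || n < 3 {
		return 0, false
	}
	return n, true
}

// listenerFromFile turns an inherited socket into a net.Listener. It works for
// both TCP and Unix sockets, so a ListenStream=%t/oauth2.sock unit hands the
// process a Unix listener here. net.FileListener duplicates the descriptor,
// so the original *os.File is closed once the listener exists.
func listenerFromFile(f *os.File) (net.Listener, error) {
	defer f.Close()
	return net.FileListener(f)
}

// listenerFor resolves the configured address to a listener: the inherited
// descriptor for "fd:N", otherwise a freshly bound TCP socket.
func listenerFor(addr string) (net.Listener, error) {
	if fd, ok := parseFDAddress(addr); ok {
		f := os.NewFile(uintptr(fd), "activated-socket")
		if f == nil {
			return nil, fmt.Errorf("fd %d is not an open file descriptor", fd)
		}
		return listenerFromFile(f)
	}
	return net.Listen("tcp", addr)
}

func main() {
	addr := "fd:3" // what the docs pass as --http-address under systemd
	if len(os.Args) > 1 {
		addr = os.Args[1]
	}
	ln, err := listenerFor(addr)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	fmt.Printf("serving on %s (%s)\n", ln.Addr(), ln.Addr().Network())
	http.Serve(ln, http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		// Over a Unix socket RemoteAddr is "@", as the Trusted IPs section explains.
		fmt.Fprintf(w, "hello, RemoteAddr=%q\n", r.RemoteAddr)
	}))
}
```

Run it under `systemd-socket-activate -l /tmp/demo.sock ./prog fd:3` and every request logged by the handler shows RemoteAddr "@"; run it as `./prog 127.0.0.1:4180` and RemoteAddr carries the usual host:port.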

Trusted IPs

When listening on a Unix socket, Go sets http.Request.RemoteAddr to "@" instead of the usual "host:port" format. This means there is no client IP available from the connection itself.

As a result, --trusted-ip entries cannot match against the direct connection address for Unix socket listeners. Requests arriving over a Unix socket will never be considered "trusted" based on their RemoteAddr. IP-based trust decisions will still work if a trusted reverse proxy sets X-Forwarded-For or X-Real-IP headers and --reverse-proxy=true is configured.
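The following Go code is an added example for this page, not oauth2-proxy's own code, showing the behaviour the fix describes: a RemoteAddr of "@" yields no client IP and no error, a nil IP is never trusted and is never passed to String(), and an IP taken from X-Forwarded-For or X-Real-IP is used only when reverse-proxy mode is on. The function names and the left-most-entry X-Forwarded-For handling are assumptions made for the example; taking that entry is only safe when the reverse proxy is the sole client of the socket and overwrites the header, which is the premise of the paragraph above.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"strings"
)

// getRemoteIP parses http.Request.RemoteAddr. A Unix socket listener sets it
// to "@", which carries no client address, so that case returns (nil, nil)
// rather than an error that would be logged on every request.
func getRemoteIP(remoteAddr string) (net.IP, error) {
	if remoteAddr == "@" {
		return nil, nil
	}
	host, _, err := net.SplitHostPort(remoteAddr)
	if err != nil {
		return nil, fmt.Errorf("unable to get ip and port from http.RemoteAddr (%s)", remoteAddr)
	}
	ip := net.ParseIP(host)
	if ip == nil {
		return nil, fmt.Errorf("unable to parse ip from http.RemoteAddr (%s)", remoteAddr)
	}
	return ip, nil
}

// clientIP selects the address used for trust decisions. Proxy headers are
// consulted only when reverseProxy is true (the --reverse-proxy=true case);
// otherwise only the connection's own RemoteAddr counts.
func clientIP(r *http.Request, reverseProxy bool) (net.IP, error) {
	if reverseProxy {
		if xff := r.Header.Get("X-Forwarded-For"); xff != "" {
			// Left-most entry: assumes the trusted proxy rewrites the header.
			first := strings.TrimSpace(strings.Split(xff, ",")[0])
			if ip := net.ParseIP(first); ip != nil {
				return ip, nil
			}
		}
		if xr := r.Header.Get("X-Real-IP"); xr != "" {
			if ip := net.ParseIP(strings.TrimSpace(xr)); ip != nil {
				return ip, nil
			}
		}
	}
	return getRemoteIP(r.RemoteAddr)
}

// isTrustedIP guards on nil first: a Unix socket request without a proxy
// header has no IP and therefore never matches a --trusted-ip entry.
func isTrustedIP(ip net.IP, trusted []*net.IPNet) bool {
	if ip == nil {
		return false
	}
	for _, n := range trusted {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}

// clientString renders the IP for logging without calling String() on nil.
func clientString(ip net.IP) string {
	if ip == nil {
		return ""
	}
	return ip.String()
}

func main() {
	_, lan, _ := net.ParseCIDR("10.0.0.0/8") // constructed trusted range
	trusted := []*net.IPNet{lan}
	cases := []struct {
		remote, xff string
		proxy       bool
	}{
		{"10.0.0.5:51234", "", false}, // TCP listener, direct connection
		{"@", "", false},              // Unix socket, no proxy header
		{"@", "10.0.0.1", true},       // Unix socket behind a trusted proxy
	}
	for _, c := range cases {
		r := &http.Request{RemoteAddr: c.remote, Header: http.Header{}}
		if c.xff != "" {
			r.Header.Set("X-Forwarded-For", c.xff)
		}
		ip, err := clientIP(r, c.proxy)
		fmt.Printf("remote=%q xff=%q proxy=%v -> ip=%q trusted=%v err=%v\n",
			c.remote, c.xff, c.proxy, clientString(ip), isTrustedIP(ip, trusted), err)
	}
}
```

The second case is the one the changelog entry is about: before the fix the "@" address produced the "unable to get ip and port" error on every request; with the nil return it is simply an untrusted request, and only the third case, where the proxy supplies the address, can match a trusted range.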

TLS

Currently TLS is not supported (but it's doable).