<!doctype html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width,initial-scale=1">
<meta name="generator" content="Docusaurus v2.0.0-alpha.66">
<title data-react-helmet="true">TLS Configuration | OAuth2 Proxy</title><meta data-react-helmet="true" name="twitter:card" content="summary_large_image"><meta data-react-helmet="true" name="docusaurus_language" content="en"><meta data-react-helmet="true" name="docusaurus_version" content="current"><meta data-react-helmet="true" name="docusaurus_tag" content="docs-default-current"><meta data-react-helmet="true" property="og:title" content="TLS Configuration | OAuth2 Proxy"><meta data-react-helmet="true" name="description" content="There are two recommended configurations."><meta data-react-helmet="true" property="og:description" content="There are two recommended configurations."><meta data-react-helmet="true" property="og:url" content="https://oauth2-proxy.github.io/oauth2-proxy/docs/next/configuration/tls"><link data-react-helmet="true" rel="shortcut icon" href="/oauth2-proxy/img/logos/OAuth2_Proxy_icon.svg"><link data-react-helmet="true" rel="canonical" href="https://oauth2-proxy.github.io/oauth2-proxy/docs/next/configuration/tls"><link rel="stylesheet" href="/oauth2-proxy/styles.b2862157.css">
</head>
<body>
<script>!function(){function t(t){document.documentElement.setAttribute("data-theme",t)}var e=function(){var t=null;try{t=localStorage.getItem("theme")}catch(t){}return t}();t(null!==e?e:"light")}()</script><div id="__docusaurus">
class="menu__list-item"><a class="menu__link" href="/oauth2-proxy/docs/next/">Installation</a></li><li class="menu__list-item"><a class="menu__link" href="/oauth2-proxy/docs/next/behaviour">Behaviour</a></li><li class="menu__list-item"><a class="menu__link menu__link--sublist menu__link--active" href="#!">Configuration</a><ul class="menu__list"><li class="menu__list-item"><a class="menu__link" tabindex="0" href="/oauth2-proxy/docs/next/configuration/overview">Overview</a></li><li class="menu__list-item"><a class="menu__link" tabindex="0" href="/oauth2-proxy/docs/next/configuration/oauth_provider">OAuth Provider Configuration</a></li><li class="menu__list-item"><a class="menu__link" tabindex="0" href="/oauth2-proxy/docs/next/configuration/session_storage">Session Storage</a></li><li class="menu__list-item"><a aria-current="page" class="menu__link menu__link--active active" tabindex="0" href="/oauth2-proxy/docs/next/configuration/tls">TLS Configuration</a></li><li class="menu__list-item"><a class="menu__link" tabindex="0" href="/oauth2-proxy/docs/next/configuration/alpha-config">Alpha Configuration</a></li></ul></li><li class="menu__list-item"><a class="menu__link menu__link--sublist" href="#!">Features</a><ul class="menu__list"><li class="menu__list-item"><a class="menu__link" tabindex="0" href="/oauth2-proxy/docs/next/features/endpoints">Endpoints</a></li></ul></li><li class="menu__list-item"><a class="menu__link menu__link--sublist" href="#!">Community</a><ul class="menu__list"><li class="menu__list-item"><a class="menu__link" tabindex="0" href="/oauth2-proxy/docs/next/community/security">Security</a></li></ul></li></ul></div></div></div><main class="docMainContainer_3EyW"><div class="container padding-vert--lg docItemWrapper_1EkI"><div class="row"><div class="col docItemCol_2ASc"><div class="alert alert--warning margin-bottom--md" role="alert"><div>This is unreleased documentation for OAuth2 Proxy <strong>Next</strong> version.</div><div 
class="margin-top--md">For up-to-date documentation, see the <strong><a href="/oauth2-proxy/docs/configuration/tls">latest version</a></strong> (7.1.x).</div></div><div class="docItemContainer_3QWW"><article><div><span class="badge badge--secondary">Version: Next</span></div><header><h1 class="docTitle_1Lrw">TLS Configuration</h1></header><div class="markdown"><p>There are two recommended configurations.</p><ol><li><p>Configure SSL Termination with OAuth2 Proxy by providing a <code>--tls-cert-file=/path/to/cert.pem</code> and <code>--tls-key-file=/path/to/cert.key</code>. The private key file should be readable only by the user that runs <code>oauth2-proxy</code> (for example mode <code>0600</code>), and the certificate must be issued for the hostname users reach the proxy on, otherwise browsers will reject it. In this setup only the hop between the browser and <code>oauth2-proxy</code> is encrypted; the <code>--upstream</code> connection in the example is plain HTTP, which is acceptable because it stays on the loopback interface.</p><p>The command line to run <code>oauth2-proxy</code> in this configuration would look like this:</p><div class="mdxCodeBlock_1XEh"><div class="codeBlockContent_1u-d"><button tabindex="0" type="button" aria-label="Copy code to clipboard" class="copyButton_10dd">Copy</button><div class="prism-code language-bash codeBlock_3iAC"><div class="codeBlockLines_b7E3" style="color:#bfc7d5;background-color:#292d3e"><div class="token-line" style="color:#bfc7d5"><span class="token plain">./oauth2-proxy </span><span class="token punctuation" style="color:rgb(199, 146, 234)">\</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"> --email-domain</span><span class="token operator" style="color:rgb(137, 221, 255)">=</span><span class="token string" style="color:rgb(195, 232, 141)">&quot;yourcompany.com&quot;</span><span class="token plain"> </span><span class="token punctuation" style="color:rgb(199, 146, 234)">\</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"> --upstream</span><span class="token operator" style="color:rgb(137, 221, 255)">=</span><span class="token plain">http://127.0.0.1:8080/ </span><span class="token punctuation" style="color:rgb(199, 146, 234)">\</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"> 
--tls-cert-file</span><span class="token operator" style="color:rgb(137, 221, 255)">=</span><span class="token plain">/path/to/cert.pem </span><span class="token punctuation" style="color:rgb(199, 146, 234)">\</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"> --tls-key-file</span><span class="token operator" style="color:rgb(137, 221, 255)">=</span><span class="token plain">/path/to/cert.key </span><span class="token punctuation" style="color:rgb(199, 146, 234)">\</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"> --cookie-secret</span><span class="token operator" style="color:rgb(137, 221, 255)">=</span><span class="token punctuation" style="color:rgb(199, 146, 234)">..</span><span class="token plain">. </span><span class="token punctuation" style="color:rgb(199, 146, 234)">\</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"> --cookie-secure</span><span class="token operator" style="color:rgb(137, 221, 255)">=</span><span class="token plain">true </span><span class="token punctuation" style="color:rgb(199, 146, 234)">\</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"> --provider</span><span class="token operator" style="color:rgb(137, 221, 255)">=</span><span class="token punctuation" style="color:rgb(199, 146, 234)">..</span><span class="token plain">. </span><span class="token punctuation" style="color:rgb(199, 146, 234)">\</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"> --client-id</span><span class="token operator" style="color:rgb(137, 221, 255)">=</span><span class="token punctuation" style="color:rgb(199, 146, 234)">..</span><span class="token plain">. 
</span><span class="token punctuation" style="color:rgb(199, 146, 234)">\</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"> --client-secret</span><span class="token operator" style="color:rgb(137, 221, 255)">=</span><span class="token punctuation" style="color:rgb(199, 146, 234)">..</span><span class="token plain">.</span></div></div></div></div></div></li><li><p>Configure SSL Termination with <a href="http://nginx.org/" target="_blank" rel="noopener noreferrer">Nginx</a> (example config below), Amazon ELB, Google Cloud Platform Load Balancing, or ....</p><p>Because <code>oauth2-proxy</code> listens on <code>127.0.0.1:4180</code> by default, to listen on all interfaces (needed when using an
external load balancer like Amazon ELB or Google Platform Load Balancing) use <code>--http-address=&quot;0.0.0.0:4180&quot;</code> or
<code>--http-address=&quot;http://:4180&quot;</code>. Be aware that this listener is plain HTTP and that, with <code>--reverse-proxy=true</code> (used in the example below), <code>oauth2-proxy</code> accepts client-address and scheme headers such as <code>X-Real-IP</code> from whatever connects to it. Only bind to all interfaces when the load balancer really needs it, and make sure port <code>4180</code> is reachable solely from the load balancer (firewall rules, security group or a private network), never from clients directly, so these headers cannot be forged. When Nginx runs on the same host, keep the default loopback address.</p><p>Nginx will listen on port <code>443</code> and handle SSL connections while proxying to <code>oauth2-proxy</code> on port <code>4180</code>.
<code>oauth2-proxy</code> will then authenticate requests for an upstream application. The external endpoint for this example
would be <code>https://internal.yourcompany.com/</code>.</p><p>An example Nginx config follows. Note the use of the <code>Strict-Transport-Security</code> header, which tells browsers to use HTTPS for every later request to this host
via <a href="https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security" target="_blank" rel="noopener noreferrer">HSTS</a>. The example sets <code>max-age=2592000</code> (30 days); once you are confident the host will stay on HTTPS, a longer value (at least one year, <code>31536000</code>) and <code>includeSubDomains</code> give stronger protection, and Nginx's <code>always</code> parameter on <code>add_header</code> makes the header appear on error responses too. If your Nginx version's defaults still allow old protocol versions, restrict <code>ssl_protocols</code> to <code>TLSv1.2 TLSv1.3</code>. The <code>proxy_set_header</code> lines pass the original host and client address to <code>oauth2-proxy</code>; if it also needs the original scheme (for example to build redirect URLs), forward <code>X-Forwarded-Proto $scheme</code> as well, and keep <code>proxy_pass</code> pointed at loopback so the plaintext hop never leaves the host:</p><div class="mdxCodeBlock_1XEh"><div class="codeBlockContent_1u-d"><button tabindex="0" type="button" aria-label="Copy code to clipboard" class="copyButton_10dd">Copy</button><div class="prism-code language-undefined codeBlock_3iAC"><div class="codeBlockLines_b7E3" style="color:#bfc7d5;background-color:#292d3e"><div class="token-line" style="color:#bfc7d5"><span class="token plain">server {</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"> listen 443 default ssl;</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"> server_name internal.yourcompany.com;</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"> ssl_certificate /path/to/cert.pem;</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"> ssl_certificate_key /path/to/cert.key;</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"> add_header Strict-Transport-Security max-age=2592000;</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain" style="display:inline-block">
</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"> location / {</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"> proxy_pass http://127.0.0.1:4180;</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"> proxy_set_header Host $host;</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"> proxy_set_header X-Real-IP $remote_addr;</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"> proxy_set_header X-Scheme $scheme;</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"> proxy_connect_timeout 1;</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"> proxy_send_timeout 30;</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"> proxy_read_timeout 30;</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"> }</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">}</span></div></div></div></div></div><p>The command line to run <code>oauth2-proxy</code> in this configuration would look like this:</p><div class="mdxCodeBlock_1XEh"><div class="codeBlockContent_1u-d"><button tabindex="0" type="button" aria-label="Copy code to clipboard" class="copyButton_10dd">Copy</button><div class="prism-code language-bash codeBlock_3iAC"><div class="codeBlockLines_b7E3" style="color:#bfc7d5;background-color:#292d3e"><div class="token-line" style="color:#bfc7d5"><span class="token plain">./oauth2-proxy </span><span class="token punctuation" style="color:rgb(199, 146, 234)">\</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"> --email-domain</span><span class="token operator" style="color:rgb(137, 221, 255)">=</span><span class="token string" style="color:rgb(195, 232, 141)">&quot;yourcompany.com&quot;</span><span 
class="token plain"> </span><span class="token punctuation" style="color:rgb(199, 146, 234)">\</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"> --upstream</span><span class="token operator" style="color:rgb(137, 221, 255)">=</span><span class="token plain">http://127.0.0.1:8080/ </span><span class="token punctuation" style="color:rgb(199, 146, 234)">\</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"> --cookie-secret</span><span class="token operator" style="color:rgb(137, 221, 255)">=</span><span class="token punctuation" style="color:rgb(199, 146, 234)">..</span><span class="token plain">. </span><span class="token punctuation" style="color:rgb(199, 146, 234)">\</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"> --cookie-secure</span><span class="token operator" style="color:rgb(137, 221, 255)">=</span><span class="token plain">true </span><span class="token punctuation" style="color:rgb(199, 146, 234)">\</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"> --provider</span><span class="token operator" style="color:rgb(137, 221, 255)">=</span><span class="token punctuation" style="color:rgb(199, 146, 234)">..</span><span class="token plain">. 
</span><span class="token punctuation" style="color:rgb(199, 146, 234)">\</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"> --reverse-proxy</span><span class="token operator" style="color:rgb(137, 221, 255)">=</span><span class="token plain">true </span><span class="token punctuation" style="color:rgb(199, 146, 234)">\</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"> --client-id</span><span class="token operator" style="color:rgb(137, 221, 255)">=</span><span class="token punctuation" style="color:rgb(199, 146, 234)">..</span><span class="token plain">. </span><span class="token punctuation" style="color:rgb(199, 146, 234)">\</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"> --client-secret</span><span class="token operator" style="color:rgb(137, 221, 255)">=</span><span class="token punctuation" style="color:rgb(199, 146, 234)">..</span><span class="token plain">.</span></div></div></div></div></div></li></ol></div></article><div class="margin-vert--xl"><div class="row"><div class="col"><a href="https://github.com/oauth2-proxy/oauth2-proxy/edit/master/docs/docs/configuration/tls.md" target="_blank" rel="noreferrer noopener"><svg fill="currentColor" height="1.2em" width="1.2em" preserveAspectRatio="xMidYMid meet" viewBox="0 0 40 40" style="margin-right:0.3em;vertical-align:sub"><g><path d="m34.5 11.7l-3 3.1-6.3-6.3 3.1-3q0.5-0.5 1.2-0.5t1.1 0.5l3.9 3.9q0.5 0.4 0.5 1.1t-0.5 1.2z m-29.5 17.1l18.4-18.5 6.3 6.3-18.4 18.4h-6.3v-6.2z"></path></g></svg>Edit this page</a></div></div></div><div class="margin-vert--lg"><nav class="pagination-nav" aria-label="Blog list page navigation"><div class="pagination-nav__item"><a class="pagination-nav__link" href="/oauth2-proxy/docs/next/configuration/session_storage"><div class="pagination-nav__sublabel">Previous</div><div 
class="pagination-nav__label">« Session Storage</div></a></div><div class="pagination-nav__item pagination-nav__item--next"><a class="pagination-nav__link" href="/oauth2-proxy/docs/next/configuration/alpha-config"><div class="pagination-nav__sublabel">Next</div><div class="pagination-nav__label">Alpha Configuration »</div></a></div></nav></div></div></div><div class="col col--3"><div class="tableOfContents_3SO_"></div></div></div></div></main></div></div><footer class="footer footer--dark"><div class="container"><div class="text--center"><div>Copyright © 2021 OAuth2 Proxy.</div></div></div></footer></div>
</body>
</html>