
"use strict";(self.webpackChunkdocusaurus=self.webpackChunkdocusaurus||[]).push([[5322],{3905:function(e,t,n){n.d(t,{Zo:function(){return u},kt:function(){return f}});var r=n(7294);function o(e,t,n){return t in e?Object.defineProperty(e,t,{value:n,enumerable:!0,configurable:!0,writable:!0}):e[t]=n,e}function a(e,t){var n=Object.keys(e);if(Object.getOwnPropertySymbols){var r=Object.getOwnPropertySymbols(e);t&&(r=r.filter((function(t){return Object.getOwnPropertyDescriptor(e,t).enumerable}))),n.push.apply(n,r)}return n}function i(e){for(var t=1;t<arguments.length;t++){var n=null!=arguments[t]?arguments[t]:{};t%2?a(Object(n),!0).forEach((function(t){o(e,t,n[t])})):Object.getOwnPropertyDescriptors?Object.defineProperties(e,Object.getOwnPropertyDescriptors(n)):a(Object(n)).forEach((function(t){Object.defineProperty(e,t,Object.getOwnPropertyDescriptor(n,t))}))}return e}function p(e,t){if(null==e)return{};var n,r,o=function(e,t){if(null==e)return{};var n,r,o={},a=Object.keys(e);for(r=0;r<a.length;r++)n=a[r],t.indexOf(n)>=0||(o[n]=e[n]);return o}(e,t);if(Object.getOwnPropertySymbols){var a=Object.getOwnPropertySymbols(e);for(r=0;r<a.length;r++)n=a[r],t.indexOf(n)>=0||Object.prototype.propertyIsEnumerable.call(e,n)&&(o[n]=e[n])}return o}var l=r.createContext({}),c=function(e){var t=r.useContext(l),n=t;return e&&(n="function"==typeof e?e(t):i(i({},t),e)),n},u=function(e){var t=c(e.components);return r.createElement(l.Provider,{value:t},e.children)},s="mdxType",m={inlineCode:"code",wrapper:function(e){var t=e.children;return r.createElement(r.Fragment,{},t)}},d=r.forwardRef((function(e,t){var n=e.components,o=e.mdxType,a=e.originalType,l=e.parentName,u=p(e,["components","mdxType","originalType","parentName"]),s=c(n),d=o,f=s["".concat(l,".").concat(d)]||s[d]||m[d]||a;return n?r.createElement(f,i(i({ref:t},u),{},{components:n})):r.createElement(f,i({ref:t},u))}));function f(e,t){var n=arguments,o=t&&t.mdxType;if("string"==typeof e||o){var a=n.length,i=new Array(a);i[0]=d;var 
p={};for(var l in t)hasOwnProperty.call(t,l)&&(p[l]=t[l]);p.originalType=e,p[s]="string"==typeof e?e:o,i[1]=p;for(var c=2;c<a;c++)i[c]=n[c];return r.createElement.apply(null,i)}return r.createElement.apply(null,n)}d.displayName="MDXCreateElement"},2353:function(e,t,n){n.r(t),n.d(t,{assets:function(){return u},contentTitle:function(){return l},default:function(){return f},frontMatter:function(){return p},metadata:function(){return c},toc:function(){return s}});var r=n(7462),o=n(3366),a=(n(7294),n(3905)),i=["components"],p={id:"tls",title:"TLS Configuration"},l=void 0,c={unversionedId:"configuration/tls",id:"version-7.0.x/configuration/tls",title:"TLS Configuration",description:"There are two recommended configurations.",source:"@site/versioned_docs/version-7.0.x/configuration/tls.md",sourceDirName:"configuration",slug:"/configuration/tls",permalink:"/oauth2-proxy/docs/7.0.x/configuration/tls",draft:!1,editUrl:"https://github.com/oauth2-proxy/oauth2-proxy/edit/master/docs/versioned_docs/version-7.0.x/configuration/tls.md",tags:[],version:"7.0.x",frontMatter:{id:"tls",title:"TLS Configuration"},sidebar:"version-7.0.x/docs",previous:{title:"Session Storage",permalink:"/oauth2-proxy/docs/7.0.x/configuration/session_storage"},next:{title:"Alpha Configuration",permalink:"/oauth2-proxy/docs/7.0.x/configuration/alpha-config"}},u={},s=[],m={toc:s},d="wrapper";function f(e){var t=e.components,n=(0,o.Z)(e,i);return(0,a.kt)(d,(0,r.Z)({},m,n,{components:t,mdxType:"MDXLayout"}),(0,a.kt)("p",null,"There are two recommended configurations."),(0,a.kt)("ol",null,(0,a.kt)("li",{parentName:"ol"},(0,a.kt)("p",{parentName:"li"},"Configure SSL Termination with OAuth2 Proxy by providing a ",(0,a.kt)("inlineCode",{parentName:"p"},"--tls-cert-file=/path/to/cert.pem")," and ",(0,a.kt)("inlineCode",{parentName:"p"},"--tls-key-file=/path/to/cert.key"),"."),(0,a.kt)("p",{parentName:"li"},"The command line to run ",(0,a.kt)("inlineCode",{parentName:"p"},"oauth2-proxy")," in this configuration 
would look like this:"),(0,a.kt)("pre",{parentName:"li"},(0,a.kt)("code",{parentName:"pre",className:"language-bash"},'./oauth2-proxy \\\n --email-domain="yourcompany.com" \\\n --upstream=http://127.0.0.1:8080/ \\\n --tls-cert-file=/path/to/cert.pem \\\n --tls-key-file=/path/to/cert.key \\\n --cookie-secret=... \\\n --cookie-secure=true \\\n --provider=... \\\n --client-id=... \\\n --client-secret=...\n'))),(0,a.kt)("li",{parentName:"ol"},(0,a.kt)("p",{parentName:"li"},"Configure SSL Termination with ",(0,a.kt)("a",{parentName:"p",href:"http://nginx.org/"},"Nginx")," (example config below), Amazon ELB, Google Cloud Platform Load Balancing, or ...."),(0,a.kt)("p",{parentName:"li"},"Because ",(0,a.kt)("inlineCode",{parentName:"p"},"oauth2-proxy")," listens on ",(0,a.kt)("inlineCode",{parentName:"p"},"127.0.0.1:4180")," by default, to listen on all interfaces (needed when using an\nexternal load balancer like Amazon ELB or Google Platform Load Balancing) use ",(0,a.kt)("inlineCode",{parentName:"p"},'--http-address="0.0.0.0:4180"')," or\n",(0,a.kt)("inlineCode",{parentName:"p"},'--http-address="http://:4180"'),"."),(0,a.kt)("p",{parentName:"li"},"Nginx will listen on port ",(0,a.kt)("inlineCode",{parentName:"p"},"443")," and handle SSL connections while proxying to ",(0,a.kt)("inlineCode",{parentName:"p"},"oauth2-proxy")," on port ",(0,a.kt)("inlineCode",{parentName:"p"},"4180"),".\n",(0,a.kt)("inlineCode",{parentName:"p"},"oauth2-proxy")," will then authenticate requests for an upstream application. The external endpoint for this example\nwould be ",(0,a.kt)("inlineCode",{parentName:"p"},"https://internal.yourcompany.com/"),"."),(0,a.kt)("p",{parentName:"li"},"An example Nginx config follows. 
Note the use of ",(0,a.kt)("inlineCode",{parentName:"p"},"Strict-Transport-Security")," header to pin requests to SSL\nvia ",(0,a.kt)("a",{parentName:"p",href:"http://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security"},"HSTS"),":"),(0,a.kt)("pre",{parentName:"li"},(0,a.kt)("code",{parentName:"pre"},"server {\n listen 443 default ssl;\n server_name internal.yourcompany.com;\n ssl_certificate /path/to/cert.pem;\n ssl_certificate_key /path/to/cert.key;\n add_header Strict-Transport-Security max-age=2592000;\n\n location / {\n proxy_pass http://127.0.0.1:4180;\n proxy_set_header Host $host;\n proxy_set_header X-Real-IP $remote_addr;\n proxy_set_header X-Scheme $scheme;\n proxy_connect_timeout 1;\n proxy_send_timeout 30;\n proxy_read_timeout 30;\n }\n}\n")),(0,a.kt)("p",{parentName:"li"},"The command line to run ",(0,a.kt)("inlineCode",{parentName:"p"},"oauth2-proxy")," in this configuration would look like this:"),(0,a.kt)("pre",{parentName:"li"},(0,a.kt)("code",{parentName:"pre",className:"language-bash"},'./oauth2-proxy \\\n --email-domain="yourcompany.com" \\\n --upstream=http://127.0.0.1:8080/ \\\n --cookie-secret=... \\\n --cookie-secure=true \\\n --provider=... \\\n --reverse-proxy=true \\\n --client-id=... \\\n --client-secret=...\n')))))}f.isMDXComponent=!0}}]);