You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
1. Download [Prebuilt Binary](https://github.com/bitly/oauth2_proxy/releases) (current release is `v1.1.1`) or build with `$ go get github.com/bitly/oauth2_proxy` which will put the binary in `$GOROOT/bin`
21
-
2. Register an OAuth Application with a Provider
22
-
3. Configure Oauth2 Proxy using config file, command line options, or environment variables
23
-
4. Deploy behind a SSL endpoint (example provided for Nginx)
21
+
2.Select a Provider and Register an OAuth Application with a Provider
22
+
3. Configure OAuth2 Proxy using config file, command line options, or environment variables
23
+
4.Configure SSL or Deploy behind a SSL endpoint (example provided for Nginx)
24
24
25
25
## OAuth Provider Configuration
26
26
@@ -76,6 +76,10 @@ For LinkedIn, the registration steps are:
76
76
77
77
The [MyUSA](https://alpha.my.usa.gov) authentication service ([GitHub](https://github.com/18F/myusa))
78
78
79
+
## Email Authentication
80
+
81
+
To authorize by email domain use `--email-domain=yourcompany.com`. To authorize individual email addresses use `--authenticated-emails-file=/path/to/file` with one email per line. To authorize all email addresse use `--email-domain=*`.
82
+
79
83
## Configuration
80
84
81
85
`oauth2_proxy` can be configured via [config file](#config-file), [command line options](#command-line-options) or [environment variables](#environment-variables).
@@ -107,18 +111,21 @@ Usage of oauth2_proxy:
107
111
-github-team="": restrict logins to members of this team
108
112
-htpasswd-file="": additionally authenticate against a htpasswd file. Entries must be created with "htpasswd -s" for SHA encryption
109
113
-http-address="127.0.0.1:4180": [http://]<addr>:<port> or unix://<path> to listen on for HTTP clients
114
+
-https-address=":443": <addr>:<port> to listen on for HTTPS clients
110
115
-login-url="": Authentication endpoint
111
116
-pass-access-token=false: pass OAuth access_token to upstream via X-Forwarded-Access-Token header
112
117
-pass-basic-auth=true: pass HTTP Basic Auth, X-Forwarded-User and X-Forwarded-Email information to upstream
113
118
-pass-host-header=true: pass the request Host Header to upstream
114
119
-profile-url="": Profile access endpoint
115
-
-provider="": Oauth provider (defaults to Google)
120
+
-provider="google": OAuth provider
116
121
-proxy-prefix="/oauth2": the url root path that this proxy should be nested under (e.g. /<oauth2>/sign_in)
117
122
-redeem-url="": Token redemption endpoint
118
123
-redirect-url="": the OAuth Redirect URL. ie: "https://internalapp.yourcompany.com/oauth2/callback"
119
124
-request-logging=true: Log requests to stdout
120
125
-scope="": Oauth scope specification
121
126
-skip-auth-regex=: bypass authentication for requests path's that match (may be given multiple times)
127
+
-tls-cert="": path to certificate file
128
+
-tls-key="": path to private key file
122
129
-upstream=: the http url(s) of the upstream endpoint. If multiple, routing is based on path
@@ -130,10 +137,32 @@ See below for provider specific options
130
137
131
138
The environment variables `OAUTH2_PROXY_CLIENT_ID`, `OAUTH2_PROXY_CLIENT_SECRET`, `OAUTH2_PROXY_COOKIE_SECRET`, `OAUTH2_PROXY_COOKIE_DOMAIN` and `OAUTH2_PROXY_COOKIE_EXPIRE` can be used in place of the corresponding command-line arguments.
132
139
133
-
### Example Nginx Configuration
140
+
## SSL Configuration
141
+
142
+
There are two recommended configurations.
143
+
144
+
1) Configure SSL Terminiation with OAuth2 Proxy by providing a `--tls-cert=/path/to/cert.pem` and `--tls-key=/path/to/cert.key`.
145
+
146
+
The command line to run `oauth2_proxy` in this configuration would look like this:
147
+
148
+
```bash
149
+
./oauth2_proxy \
150
+
--email-domain="yourcompany.com" \
151
+
--upstream=http://127.0.0.1:8080/ \
152
+
--tls-cert=/path/to/cert.pem \
153
+
--tls-key=/path/to/cert.key \
154
+
--cookie-secret=... \
155
+
--cookie-secure=true \
156
+
--provider=... \
157
+
--client-id=... \
158
+
--client-secret=...
159
+
```
160
+
161
+
162
+
2) Configure SSL Termination with [Nginx](http://nginx.org/) (example config below) or Amazon ELB, or ....
134
163
135
-
This example has a [Nginx](http://nginx.org/)SSL endpoint proxying to `oauth2_proxy` on port `4180`.
136
-
`oauth2_proxy` then authenticates requests for an upstream application running on port `8080`. The external
164
+
Nginx will listen on port `443` and handle SSL connections while proxying to `oauth2_proxy` on port `4180`.
165
+
`oauth2_proxy`which will then authenticate requests for an upstream application. The external
137
166
endpoint for this example would be `https://internal.yourcompany.com/`.
138
167
139
168
An example Nginx config follows. Note the use of `Strict-Transport-Security` header to pin requests to SSL
@@ -159,22 +188,23 @@ server {
159
188
}
160
189
```
161
190
162
-
The command line to run `oauth2_proxy` would look like this:
191
+
The command line to run `oauth2_proxy`in this configuration would look like this:
163
192
164
193
```bash
165
194
./oauth2_proxy \
166
195
--email-domain="yourcompany.com" \
167
196
--upstream=http://127.0.0.1:8080/ \
168
197
--cookie-secret=... \
169
198
--cookie-secure=true \
199
+
--provider=... \
170
200
--client-id=... \
171
201
--client-secret=...
172
202
```
173
203
174
204
175
205
## Endpoint Documentation
176
206
177
-
OAuth2 Proxy responds directly to the following endpoints. All other endpoints will be proxied upstream when authenticated.
207
+
OAuth2 Proxy responds directly to the following endpoints. All other endpoints will be proxied upstream when authenticated. The `/oauth2` prefix can be changed with the `--proxy-prefix` config variable.
178
208
179
209
* /robots.txt - returns a 200 OK response that disallows all User-agents from all paths; see [robotstxt.org](http://www.robotstxt.org/) for more info
0 commit comments