18F / hub

DEPRECATED: Documentation hub for the 18F team
https://github.com/18F/handbook

SSO Not redirecting the URL #595

Closed amlwwalker closed 8 years ago

amlwwalker commented 8 years ago

Hi, I was very happy to come across this... I am trying to configure SSO for multiple subdomains as you do. I am however using an nginx config generator, so all my server blocks are in the same file. I have included the file below, sorry it's so long. I have two subdomains I want to protect: internal.example.com and dashboard.example.com. I am using docker to host the oauth2_proxy, which is why my IP for the proxy_pass is not localhost.

It works fine for the one domain, but the other domain points to the same place as the first. I.e. it's not forwarding the connection to the correct endpoint.

So it looks like at some point I am not redirecting the URL correctly? Any help would be greatly appreciated:

```nginx
# the upstream to direct the oauth2_proxy to the correct web app end point
upstream dashboard.example.com {
            # dashboard
            server 172.17.0.6:9000;
}
# the server handling dashboard.example.com
server {
    gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;

    server_name dashboard.example.com;
    proxy_buffering off;
    error_log /proc/self/fd/2;
    access_log /proc/self/fd/1;

    location = /oauth2/start {
      proxy_pass http://172.17.0.4:4180/oauth2/start?rd=%2F$server_name$arg_rd;
      proxy_set_header Host $host;
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header X-Scheme $scheme;
      proxy_connect_timeout 1;
      proxy_send_timeout 30;
      proxy_read_timeout 30;
    }
    location / {
        proxy_pass http://172.17.0.4:4180/;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Scheme $scheme;
        proxy_connect_timeout 1;
        proxy_send_timeout 30;
        proxy_read_timeout 30;
    }
}
upstream internal.example.com {
            # wiki
            server 172.17.0.5:5000;
}
# the server handling internal.example.com
server {
    gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;
    server_name internal.example.com;
    proxy_buffering off;
    error_log /proc/self/fd/2;
    access_log /proc/self/fd/1;

    location = /oauth2/start {
      proxy_pass http://172.17.0.4:4180/oauth2/start?rd=%2F$server_name$arg_rd;
      proxy_set_header Host $host;
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header X-Scheme $scheme;
      proxy_connect_timeout 1;
      proxy_send_timeout 30;
      proxy_read_timeout 30;
    }
    location / {
        proxy_pass http://172.17.0.4:4180/;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Scheme $scheme;
        proxy_connect_timeout 1;
        proxy_send_timeout 30;
        proxy_read_timeout 30;
    }
}

# the server handling the response from google auth
server {
    server_name auth.example.com;
    location = /oauth2/callback {
        proxy_pass http://172.17.0.4:4180;
        proxy_connect_timeout 1;
        proxy_send_timeout 30;
        proxy_read_timeout 30;
    }
    location = /oauth2/start {
        proxy_pass http://172.17.0.4:4180;
        proxy_connect_timeout 1;
        proxy_send_timeout 30;
        proxy_read_timeout 30;
    }
    # named-capture regex location; the dots in the domain are escaped so they
    # match a literal "." rather than any character
    location "~^/(?<target_host>[^/]+)\.example\.com/(?<remaining_uri>.*)$" {
        rewrite ^ $scheme://$target_host.example.com/$remaining_uri;
    }

    location / {
        deny all;
    }
}
```

EDIT: More explanation:

dashboard.example.com goes to internal.example.com. I.e. they both go to 172.17.0.5:5000 even though all the headers say the correct thing (dashboard or internal).
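Added example (not code from the issue author, the 18F handbook, or oauth2_proxy): a small audit that parses an nginx config into directive/block tuples and answers the two questions a reviewer of the config above would ask first: which `upstream` blocks are actually referenced by some `proxy_pass`, and which backend host each `server_name`'s `location /` really hands requests to. The parser is a minimal tokenizer that understands only the directive, block, comment and quoted-string syntax used in the issue (no `include`, no `map`), and the embedded config is a trimmed copy of the one posted above with logging, gzip and timeout directives dropped and the routing directives unchanged. Run on that config, the report shows that neither named upstream is referenced and that both protected hosts proxy `location /` to the same address, 172.17.0.4:4180, so nginx itself never selects between the two web apps; whatever is configured behind that address does.

```python
from urllib.parse import urlsplit

# Trimmed copy of the config posted in the issue (logging, gzip and timeout
# directives dropped; every upstream, server_name, location and proxy_pass
# kept as posted).
ISSUE_CONF = r"""
upstream dashboard.example.com { server 172.17.0.6:9000; }   # dashboard
server {
    server_name dashboard.example.com;
    location = /oauth2/start { proxy_pass http://172.17.0.4:4180/oauth2/start?rd=%2F$server_name$arg_rd; }
    location / { proxy_pass http://172.17.0.4:4180/; }
}
upstream internal.example.com { server 172.17.0.5:5000; }    # wiki
server {
    server_name internal.example.com;
    location = /oauth2/start { proxy_pass http://172.17.0.4:4180/oauth2/start?rd=%2F$server_name$arg_rd; }
    location / { proxy_pass http://172.17.0.4:4180/; }
}
server {
    server_name auth.example.com;
    location = /oauth2/callback { proxy_pass http://172.17.0.4:4180; }
    location = /oauth2/start { proxy_pass http://172.17.0.4:4180; }
    location "~^/(?<target_host>[^/]+)\.example\.com/(?<remaining_uri>.*)$" {
        rewrite ^ $scheme://$target_host.example.com/$remaining_uri;
    }
    location / { deny all; }
}
"""


def tokenize(text):
    """Split nginx config text into tokens: words, '{', '}' and ';'.
    Comments are dropped; a quoted argument becomes one token without quotes."""
    tokens, i, n = [], 0, len(text)
    while i < n:
        c = text[i]
        if c.isspace():
            i += 1
        elif c == "#":                      # comment runs to end of line
            while i < n and text[i] != "\n":
                i += 1
        elif c in "{};":
            tokens.append(c)
            i += 1
        elif c in "\"'":                    # quoted argument, e.g. a regex
            j = i + 1
            while j < n and text[j] != c:
                j += 2 if text[j] == "\\" else 1
            tokens.append(text[i + 1:j])
            i = j + 1
        else:
            j = i
            while j < n and not text[j].isspace() and text[j] not in "{};":
                j += 1
            tokens.append(text[i:j])
            i = j
    return tokens


def parse(tokens):
    """Build a list of (name, args, body); body is None for a simple
    directive and a nested list for a block."""
    pos = 0

    def block():
        nonlocal pos
        items = []
        while pos < len(tokens) and tokens[pos] != "}":
            name = tokens[pos]
            pos += 1
            args = []
            while tokens[pos] not in ("{", ";"):
                args.append(tokens[pos])
                pos += 1
            if tokens[pos] == "{":
                pos += 1
                body = block()
                pos += 1                    # consume the closing '}'
                items.append((name, args, body))
            else:
                pos += 1                    # consume ';'
                items.append((name, args, None))
        return items

    return block()


def first_arg(body, directive):
    """First argument of the first `directive` in a block, or None."""
    return next((a[0] for n, a, _ in body if n == directive and a), None)


def routing_report(config_text):
    """Map each server_name to the host:port its `location /` proxies to and
    list upstream blocks that no proxy_pass in the file references."""
    tree = parse(tokenize(config_text))
    upstreams = {args[0] for name, args, _ in tree if name == "upstream"}
    referenced, root_backends = set(), {}
    for name, _, body in tree:
        if name != "server":
            continue
        server_name = first_arg(body, "server_name")
        for lname, largs, lbody in body:
            if lname != "location" or lbody is None:
                continue
            target = first_arg(lbody, "proxy_pass")
            if target is None:
                continue                    # deny-only or rewrite-only location
            host = urlsplit(target).netloc  # upstream name or literal host:port
            referenced.add(host)
            if largs == ["/"]:
                root_backends[server_name] = host
    return {
        "root_backends": root_backends,
        "distinct_backends": sorted(set(root_backends.values())),
        "unused_upstreams": sorted(upstreams - referenced),
    }


if __name__ == "__main__":
    for key, value in routing_report(ISSUE_CONF).items():
        print(f"{key}: {value}")
```

`unused_upstreams` listing both named upstreams is the tell: an `upstream` block only takes effect when a `proxy_pass` names it, and here every `proxy_pass` points at the literal oauth2_proxy address instead. The same script can be pointed at a generator's output file before it is deployed.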