bitly / oauth2_proxy

A reverse proxy that provides authentication with Google, Github or other provider
MIT License

Trying a suggested method for multiple upstreams.. #244

Open ChristopherJacob opened 8 years ago

ChristopherJacob commented 8 years ago

I am attempting the method described in another issue response of... nginx port 80/443 -> oauth2_proxy port 4180 -> nginx port 5180 -> various upstreams

I have nginx listening on 443, and it passes to oauth2_proxy. I authenticate and then get a 404 error back from nginx. It looks like it's trying to get https://my.internal.server/oauth2/callback?state=/&code=4/XXXXXXXXXXXX instead of just hitting https://my.internal.server

In my oauth2_proxy config I have... https_address = "127.0.0.1:4180" and

upstreams = [
    "https://my.internal.server:5180"
]

In my nginx conf I have...

server {
    listen *:443;
    server_name my.internal.server;

    ssl_certificate           /etc/nginx/cert.crt;
    ssl_certificate_key       /etc/nginx/cert.key;

    ssl on;
    ssl_session_cache  builtin:1000  shared:SSL:10m;
    ssl_protocols  TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4;
    ssl_prefer_server_ciphers on;

    location / {
        proxy_set_header        Host $host;
        proxy_set_header        X-Real-IP $remote_addr;
        proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header        X-Forwarded-Proto $scheme;

        proxy_pass          https://127.0.0.1:4180;
        proxy_read_timeout  90;

        proxy_redirect      https://127.0.0.1 https://my.internal.server;
    }
}

and

server {
    listen       *:5180;
    server_name  my.internal.server;

    ssl_certificate           /etc/nginx/cert.crt;
    ssl_certificate_key       /etc/nginx/cert.key;

    ssl on;
    ssl_session_cache  builtin:1000  shared:SSL:10m;
    ssl_protocols  TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4;
    ssl_prefer_server_ciphers on;

    location / {
        proxy_set_header        Host $host;
        proxy_set_header        X-Real-IP $remote_addr;
        proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header        X-Forwarded-Proto $scheme;
        proxy_read_timeout  90;

        proxy_redirect      https://10.0.1.37 https://my.internal.server;
    }
}

Any ideas?

ploxiln commented 8 years ago

https://my.internal.server/oauth2/callback should be handled by oauth2_proxy (and it's a necessary part of the oauth2 exchange); look in the oauth2_proxy logs to see what it says about it.

You can simplify your oauth2_proxy setup by not using https to connect to it. It's listening only on localhost and nginx is connecting directly to localhost so it's probably fine.

You can simplify your internal port-5180 nginx server block by listening only on localhost (127.0.0.1:5180), in which case it's probably safe to use plain http for that as well (instead of ssl/tls).

It's probably worth mentioning that you didn't include any proxy_pass statement in the nginx port-5180 server block you posted ... presumably your actual test config has it.

Finally, you shouldn't need the proxy_redirect line for oauth2_proxy. It should use the host header it got when constructing Location headers. (And whether you need the proxy_redirect line in the :5180 nginx server block is dependent on the application - if it's decently written, you don't, since you pass the original Host header all the way through.)
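Putting the suggestions above together, here is an added example of the three-hop chain (public nginx -> oauth2_proxy -> localhost-only nginx -> upstreams). It is not the poster's config or anything from the oauth2_proxy project; the oauth2_proxy keys are shown as comments, and the two upstream ports (8001, 8002) and the /app1/ and /app2/ paths are assumed placeholders.

```nginx
# --- oauth2_proxy config (TOML), assumed values, shown here as comments ---
# http_address = "127.0.0.1:4180"        # plain HTTP: only nginx on localhost reaches it
# upstreams = [ "http://127.0.0.1:5180" ] # hand authenticated requests to the internal router

# --- nginx: public TLS front end, forwards everything to oauth2_proxy ---
server {
    listen 443 ssl;
    server_name my.internal.server;

    ssl_certificate     /etc/nginx/cert.crt;
    ssl_certificate_key /etc/nginx/cert.key;
    ssl_protocols       TLSv1.2;

    location / {
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # /oauth2/callback and every other path go to oauth2_proxy; it finishes
        # the OAuth2 exchange itself and only then forwards to the :5180 router.
        proxy_pass         http://127.0.0.1:4180;
        proxy_read_timeout 90;
        # No proxy_redirect needed: oauth2_proxy builds Location from the Host
        # header it received, which is the original one passed through above.
    }
}

# --- nginx: internal router, bound to localhost only, plain HTTP ---
# Nothing reaches this block except oauth2_proxy, so every request here has
# already been authenticated. Do not expose :5180 on any other address.
server {
    listen 127.0.0.1:5180;
    server_name my.internal.server;

    location /app1/ {
        proxy_set_header Host $host;           # keep the original Host end to end
        proxy_pass http://127.0.0.1:8001/;     # assumed upstream
    }
    location /app2/ {
        proxy_set_header Host $host;
        proxy_pass http://127.0.0.1:8002/;     # assumed upstream
    }
}
```

Because the original Host header survives all three hops, neither server block needs a proxy_redirect rewrite; if an upstream still emits absolute URLs with its own address, that is the one place a proxy_redirect would belong.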