From b2641e21ebd26821020271ead779c310b3bcd6d5 Mon Sep 17 00:00:00 2001
From: Joel Speed
Date: Thu, 7 May 2020 22:59:43 +0100
Subject: [PATCH] Add nginx test environment to demonstrate protecting multiple subdomains

---
 contrib/local-environment/Makefile | 8 +++
 contrib/local-environment/dex.yaml | 3 +-
 .../docker-compose-nginx.yaml | 26 ++++++++
 contrib/local-environment/nginx.conf | 63 +++++++++++++++++++
 .../local-environment/oauth2-proxy-nginx.cfg | 12 ++++
 contrib/local-environment/oauth2-proxy.cfg | 3 +-
 6 files changed, 113 insertions(+), 2 deletions(-)
 create mode 100644 contrib/local-environment/docker-compose-nginx.yaml
 create mode 100644 contrib/local-environment/nginx.conf
 create mode 100644 contrib/local-environment/oauth2-proxy-nginx.cfg

diff --git a/contrib/local-environment/Makefile b/contrib/local-environment/Makefile
index 3b26b68dce..0cfeaa6630 100644
--- a/contrib/local-environment/Makefile
+++ b/contrib/local-environment/Makefile
@@ -5,3 +5,11 @@ up:
 .PHONY: %
 %:
 docker-compose $*
+
+.PHONY: nginx-up
+nginx-up:
+ docker-compose -f docker-compose.yaml -f docker-compose-nginx.yaml up -d
+
+.PHONY: nginx-%
+nginx-%:
+ docker-compose -f docker-compose.yaml -f docker-compose-nginx.yaml $*
diff --git a/contrib/local-environment/dex.yaml b/contrib/local-environment/dex.yaml
index 3494630440..2b0fe8e21e 100644
--- a/contrib/local-environment/dex.yaml
+++ b/contrib/local-environment/dex.yaml
@@ -18,7 +18,8 @@ expiry:
 staticClients:
 - id: oauth2-proxy
 redirectURIs:
- - 'http://localhost:4180/oauth2/callback'
+ - 'http://localhost:4180/oauth2/callback' # For basic proxy example
+ - 'http://oauth2-proxy.oauth2-proxy.localhost/oauth2/callback' # For nginx example
 name: 'OAuth2 Proxy'
 secret: b2F1dGgyLXByb3h5LWNsaWVudC1zZWNyZXQK
 enablePasswordDB: true
diff --git a/contrib/local-environment/docker-compose-nginx.yaml b/contrib/local-environment/docker-compose-nginx.yaml
new file mode 100644
index 0000000000..040c19cc74
--- /dev/null
+++ b/contrib/local-environment/docker-compose-nginx.yaml
@@ -0,0 +1,26 @@
+# This docker-compose file can be used to bring up an example instance of oauth2-proxy
+# for manual testing and exploration of features.
+# Alongside OAuth2-Proxy, this file also starts Dex to act as the identity provider,
+# etcd for storage for Dex, nginx as a reverse proxy and other http services for upstreams
+version: '3.0'
+services:
+ oauth2-proxy:
+ ports: []
+ hostname: oauth2-proxy
+ volumes:
+ - "./oauth2-proxy-nginx.cfg:/oauth2-proxy.cfg"
+ networks:
+ oauth2-proxy: {}
+ nginx:
+ container_name: nginx
+ image: nginx:1.18
+ ports:
+ - 80:80/tcp
+ hostname: nginx
+ volumes:
+ - "./nginx.conf:/etc/nginx/conf.d/default.conf"
+ networks:
+ oauth2-proxy: {}
+ httpbin: {}
+networks:
+ oauth2-proxy: {}
diff --git a/contrib/local-environment/nginx.conf b/contrib/local-environment/nginx.conf
new file mode 100644
index 0000000000..7a6d4f4277
--- /dev/null
+++ b/contrib/local-environment/nginx.conf
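Review bot: `ports: []` on the oauth2-proxy service most likely does not unpublish whatever docker-compose.yaml already maps, because Compose concatenates multi-value options such as `ports` across override files instead of replacing them; if the base file publishes 4180, oauth2-proxy stays directly reachable on the host beside the nginx path this file is meant to demonstrate. Either remove the mapping from the base file or record the intent next to the key, e.g. `ports: []  # NOTE: does not clear ports published by docker-compose.yaml; remove them there if direct access is unwanted`. The nginx service also joins a `httpbin` network that this file never declares, so it presumably comes from the base file; a one-line comment saying so would save the next reader a lookup. The base docker-compose.yaml is not in this patch, so both points are inferred from the override semantics rather than confirmed.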
@@ -0,0 +1,63 @@
+# Reverse proxy to oauth2-proxy
+server {
+ listen 80;
+ server_name oauth2-proxy.oauth2-proxy.localhost;
+
+ location / {
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+
+ proxy_pass http://oauth2-proxy:4180/;
+ }
+}
+
+# Reverse proxy to httpbin
+server {
+ listen 80;
+ server_name httpbin.oauth2-proxy.localhost;
+
+ auth_request /internal-auth/oauth2/auth;
+ error_page 401 = http://oauth2-proxy.oauth2-proxy.localhost/oauth2/sign_in?rd=$scheme://$host$request_uri;
+
+ location / {
+ proxy_pass http://httpbin/;
+ }
+
+ location /internal-auth/ {
+ internal;
+
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+
+ proxy_pass http://oauth2-proxy:4180/;
+ }
+}
+
+# Statically serve the nginx welcome
+server {
+ listen 80;
+ server_name oauth2-proxy.localhost;
+
+ location / {
+ auth_request /internal-auth/oauth2/auth;
+ error_page 401 = http://oauth2-proxy.oauth2-proxy.localhost/oauth2/sign_in?rd=$scheme://$host$request_uri;
+
+ root /usr/share/nginx/html;
+ index index.html index.htm;
+ }
+
+ # redirect server error pages to the static page /50x.html
+ error_page 500 502 503 504 /50x.html;
+ location = /50x.html {
+ root /usr/share/nginx/html;
+ }
+
+ location /internal-auth/ {
+ internal;
+
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+
+ proxy_pass http://oauth2-proxy:4180/;
+ }
+}
diff --git a/contrib/local-environment/oauth2-proxy-nginx.cfg b/contrib/local-environment/oauth2-proxy-nginx.cfg
new file mode 100644
index 0000000000..3face2d482
--- /dev/null
+++ b/contrib/local-environment/oauth2-proxy-nginx.cfg
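Review bot: Both `location /internal-auth/` blocks hand the auth_request subrequest to oauth2-proxy without `proxy_pass_request_body off;` and `proxy_set_header Content-Length "";`, so a request carrying a body (a POST to httpbin, say) sends the original Content-Length on a subrequest that has no body and the auth check can stall until oauth2-proxy gives up. The `rd=$scheme://$host$request_uri` value in the two `error_page 401` lines is not URL-encoded either: `$request_uri` is the raw URI including the query string, so a target containing `&` is split into separate parameters and the post-login redirect lands on a truncated URL. Adding `proxy_pass_request_body off;` and `proxy_set_header Content-Length "";` to each internal location fixes the first point; for the second, the usual approach is a `map` that produces an escaped copy of `$request_uri` for the `rd` value, and a comment above the `error_page` line explaining the limitation is worthwhile either way. The three server blocks are each complete within the hunk.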
@@ -0,0 +1,12 @@
+http_address="0.0.0.0:4180"
+cookie_secret="OQINaROshtE9TcZkNAm-5Zs2Pv3xaWytBmc5W7sPX7w="
+provider="oidc"
+email_domains="example.com"
+oidc_issuer_url="http://dex.localhost:4190/dex"
+client_secret="b2F1dGgyLXByb3h5LWNsaWVudC1zZWNyZXQK"
+client_id="oauth2-proxy"
+cookie_secure="false"
+
+redirect_url="http://oauth2-proxy.oauth2-proxy.localhost/oauth2/callback"
+cookie_domain=".oauth2-proxy.localhost" # Required so cookie can be read on all subdomains
+whitelist_domains=".oauth2-proxy.localhost" # Required to allow redirection back to original targets.
diff --git a/contrib/local-environment/oauth2-proxy.cfg b/contrib/local-environment/oauth2-proxy.cfg
index beb8c900f4..7ee55d8ff0 100644
--- a/contrib/local-environment/oauth2-proxy.cfg
+++ b/contrib/local-environment/oauth2-proxy.cfg
@@ -1,5 +1,4 @@
 http_address="0.0.0.0:4180"
-redirect_url="http://localhost:4180/oauth2/callback"
 cookie_secret="OQINaROshtE9TcZkNAm-5Zs2Pv3xaWytBmc5W7sPX7w="
 provider="oidc"
 email_domains="example.com"
@@ -7,4 +6,6 @@ oidc_issuer_url="http://dex.localhost:4190/dex"
 client_secret="b2F1dGgyLXByb3h5LWNsaWVudC1zZWNyZXQK"
 client_id="oauth2-proxy"
 cookie_secure="false"
+
+redirect_url="http://localhost:4180/oauth2/callback"
 upstreams="http://httpbin"
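Review bot: The new oauth2-proxy-nginx.cfg reuses the `cookie_secret` and `client_secret` already committed in oauth2-proxy.cfg (the same values appear as context lines in the second hunk) and pairs them with `cookie_secure="false"` and a plain-http `redirect_url`; that is acceptable for a throwaway local environment, but nothing in the file says so, and a header such as `# Local test environment only: plaintext HTTP, committed secrets and an insecure cookie. Never copy these values into a real deployment.` would make the caveat explicit. `cookie_domain=".oauth2-proxy.localhost"` also means the session cookie is sent to every host under that suffix, and because the nginx.conf in this patch proxies to httpbin without stripping request headers, the upstream receives the oauth2-proxy session cookie (httpbin echoes request cookies back on its /cookies endpoint). Extending the inline comment with `; nginx forwards it to upstreams unless the Cookie header is stripped there` would flag that trade-off for anyone reusing the layout.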