TLS Configuration
There are two recommended configurations.
-
Configure SSL Termination with OAuth2 Proxy by providing a
--tls-cert-file=/path/to/cert.pemand--tls-key-file=/path/to/cert.key.The command line to run
oauth2-proxyin this configuration would look like this:./oauth2-proxy \
--email-domain="yourcompany.com" \
--upstream=http://127.0.0.1:8080/ \
--tls-cert-file=/path/to/cert.pem \
--tls-key-file=/path/to/cert.key \
--cookie-secret=... \
--cookie-secure=true \
--provider=... \
--client-id=... \
--client-secret=... -
Configure SSL Termination with Nginx (example config below), Amazon ELB, Google Cloud Platform Load Balancing, or ....
Because
oauth2-proxylistens on127.0.0.1:4180by default, to listen on all interfaces (needed when using an external load balancer like Amazon ELB or Google Platform Load Balancing) use--http-address="0.0.0.0:4180"or--http-address="http://:4180".Nginx will listen on port
443and handle SSL connections while proxying tooauth2-proxyon port4180.oauth2-proxywill then authenticate requests for an upstream application. The external endpoint for this example would behttps://internal.yourcompany.com/.An example Nginx config follows. Note the use of
Strict-Transport-Securityheader to pin requests to SSL via HSTS:server {
listen 443 default ssl;
server_name internal.yourcompany.com;
ssl_certificate /path/to/cert.pem;
ssl_certificate_key /path/to/cert.key;
add_header Strict-Transport-Security max-age=2592000;
location / {
proxy_pass http://127.0.0.1:4180;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Scheme $scheme;
proxy_connect_timeout 1;
proxy_send_timeout 30;
proxy_read_timeout 30;
}
}The command line to run
oauth2-proxyin this configuration would look like this:./oauth2-proxy \
--email-domain="yourcompany.com" \
--upstream=http://127.0.0.1:8080/ \
--cookie-secret=... \
--cookie-secure=true \
--provider=... \
--reverse-proxy=true \
--client-id=... \
--client-secret=...