# TLS Configuration

There are two recommended configurations:

## Terminate TLS at OAuth2 Proxy

- Configure SSL termination with OAuth2 Proxy by providing a `--tls-cert-file=/path/to/cert.pem` and `--tls-key-file=/path/to/cert.key`. The command line to run `oauth2-proxy` in this configuration would look like this:

  ```shell
  ./oauth2-proxy \
     --email-domain="yourcompany.com" \
     --upstream=http://127.0.0.1:8080/ \
     --tls-cert-file=/path/to/cert.pem \
     --tls-key-file=/path/to/cert.key \
     --cookie-secret=... \
     --cookie-secure=true \
     --provider=... \
     --client-id=... \
     --client-secret=...
  ```

- With this configuration approach the customization of the TLS settings is limited. The minimal acceptable TLS version can be set with `--tls-min-version=TLS1.3`; the default minimal version is `TLS1.2`. Regardless of the minimum version configured, `TLS1.3` is currently always used as the maximal version. The server-side cipher suites are the defaults from `crypto/tls` of the Go version currently used to build `oauth2-proxy`.
## Terminate TLS at Reverse Proxy, e.g. Nginx

- Configure SSL termination with Nginx (example config below), Amazon ELB, Google Cloud Platform Load Balancing, or ... Because `oauth2-proxy` listens on `127.0.0.1:4180` by default, to listen on all interfaces (needed when using an external load balancer like Amazon ELB or Google Platform Load Balancing) use `--http-address="0.0.0.0:4180"` or `--http-address="http://:4180"`. Nginx will listen on port `443` and handle SSL connections while proxying to `oauth2-proxy` on port `4180`. `oauth2-proxy` will then authenticate requests for an upstream application. The external endpoint for this example would be `https://internal.yourcompany.com/`. An example Nginx config follows. Note the use of the `Strict-Transport-Security` header to pin requests to SSL via HSTS:

  ```nginx
  server {
      listen 443 default ssl;
      server_name internal.yourcompany.com;
      ssl_certificate /path/to/cert.pem;
      ssl_certificate_key /path/to/cert.key;
      add_header Strict-Transport-Security max-age=2592000;

      location / {
          proxy_pass http://127.0.0.1:4180;
          proxy_set_header Host $host;
          proxy_set_header X-Real-IP $remote_addr;
          proxy_set_header X-Scheme $scheme;
          proxy_connect_timeout 1;
          proxy_send_timeout 30;
          proxy_read_timeout 30;
      }
  }
  ```

- The command line to run `oauth2-proxy` in this configuration would look like this:

  ```shell
  ./oauth2-proxy \
     --email-domain="yourcompany.com" \
     --upstream=http://127.0.0.1:8080/ \
     --cookie-secret=... \
     --cookie-secure=true \
     --provider=... \
     --reverse-proxy=true \
     --client-id=... \
     --client-secret=...
  ```