Skip to main content
Version: Next

Systemd Socket Activation

Pass an existing listener created by systemd.socket to oauth2-proxy.

To do this create a socket:

oauth2-proxy.socket

[Socket]
ListenStream=%t/oauth2.sock
SocketGroup=www-data
SocketMode=0660

Now it's possible to call this socket from e.g. nginx:

server {
location /oauth2/ {
proxy_pass http://unix:/run/oauth2-proxy/oauth2.sock;
}

The oauth2-proxy should have --http-address=fd:3 as a parameter. Here fd is case insensitive and means file descriptor. The number 3 refers to the first non-stdin/stdout/stderr file descriptor, systemd-socket-activate (which is what systemd.socket uses), listens to what it is told and passes the listener it created onto the process, starting with file descriptor 3.

./oauth2-proxy \
--http-address="fd:3" \
--email-domain="yourcompany.com" \
--upstream=http://127.0.0.1:8080/ \
--cookie-secret=... \
--cookie-secure=true \
--provider=... \
--client-id=... \
--client-secret=...

Currently TLS is not supported (but it's doable).