For OAuth2, the documentation is here: https://pusher.github.io/oauth2_proxy/
You'll need to follow the Auth Configuration part first on the google site. Make a note of your client id and secret.
Next, you need two files in your /appdata/oauth2 folder.
emails.cfg - a file with the allowed authentication emails in, one per line.
[email protected]
[email protected]
oauth2_proxy.cfg - example below seeing as the example in the docs is broken.
## OAuth2 Proxy Config File
## https://github.com/cheesemarathon/oAuth2-Proxy-Docker-Container
## <addr>:<port> to listen on for HTTP/HTTPS clients
http_address = "0.0.0.0:4180"
## the http url(s) of the upstream endpoint. If multiple, routing is based on path
upstreams = [
"http://127.0.0.1:4180/oauth2/login"
]
## Log requests to stdout
request_logging = true
## The OAuth Client ID, Secret
client_id = "CLIENT ID"
client_secret = "CLIENT SECRET"
## Authenticated Email Addresses File (one email per line)
authenticated_emails_file = "/etc/oauth2/emails.cfg"
## Templates
## optional directory with custom sign_in.html and error.html
# custom_templates_dir = "/etc/oauth2/templates/"
## Cookie Settings
## Name - the cookie name
## Secret - the seed string for secure cookies; should be 16, 24, or 32 bytes
## for use with an AES cipher when cookie_refresh or pass_access_token
## is set
## Domain - (optional) cookie domain to force cookies to (ie: .yourcompany.com)
## Expire - (duration) expire timeframe for cookie
## Refresh - (duration) refresh the cookie when duration has elapsed after cookie was initially set.
## Should be less than cookie_expire; set to 0 to disable.
## On refresh, OAuth token is re-validated.
## (ie: 1h means tokens are refreshed on request 1hr+ after it was set)
## Secure - secure cookies are only sent by the browser over an HTTPS connection (recommended)
## HttpOnly - httponly cookies are not readable by JavaScript (recommended)
cookie_name = "_oauth2_proxy"
cookie_secret = "COOKIE SECRET"
cookie_domain = "DOMAIN NAME"
cookie_expire = "168h"
cookie_refresh = "1h"
cookie_secure = true
cookie_httponly = true
For cookie_secret, go here: https://www.allkeysgenerator.com/Random/Security-Encryption-Key-Generator.aspx and select 256 bit.
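An added example (not from the oauth2_proxy project or the original post): a small Python linter for the oauth2_proxy.cfg above that reads the key = value lines and flags the template placeholders left in, a cookie_secret that is not 16, 24 or 32 bytes, a cookie_refresh that is not shorter than cookie_expire, and cookie_secure/cookie_httponly not set to true. The embedded config is a constructed sample, not a real deployment.

```python
import re

# Constructed sample modelled on the oauth2_proxy.cfg above, with two placeholders left in on purpose.
SAMPLE_CFG = """\
upstreams = [
"http://127.0.0.1:4180/oauth2/login"
]
client_id = "CLIENT ID"
client_secret = "s3cret-from-google-console"
cookie_secret = "COOKIE SECRET"
cookie_expire = "168h"
cookie_refresh = "1h"
cookie_secure = true
cookie_httponly = false
"""

def parse_cfg(text):
    """Read the key = value lines of oauth2_proxy.cfg; array bodies such as upstreams are skipped."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" not in line:                        # blank, comment, or an array body line
            continue
        key, _, val = (p.strip() for p in line.partition("="))
        if val in ("true", "false"):
            cfg[key] = val == "true"
        elif val != "[":                           # "[" opens an array; its items are skipped
            cfg[key] = val.strip('"')
    return cfg

def duration_seconds(s):
    """Go-style duration string ("168h", "1h30m", "0") to seconds."""
    return sum(int(n) * {"h": 3600, "m": 60, "s": 1}[u] for n, u in re.findall(r"(\d+)([hms])", s))

def check_cfg(cfg):
    """Return the problems a reviewer would flag before starting the proxy."""
    problems = []
    for k in ("client_id", "client_secret", "cookie_secret"):
        v = cfg.get(k, "")
        if not v or (v.isupper() and " " in v):    # empty, or an ALL-CAPS template placeholder
            problems.append(f"{k}: placeholder or empty")
    if len(cfg.get("cookie_secret", "").encode()) not in (16, 24, 32):
        problems.append("cookie_secret: must be 16, 24 or 32 bytes (AES key)")
    refresh, expire = (duration_seconds(cfg.get(k, "0")) for k in ("cookie_refresh", "cookie_expire"))
    if refresh and refresh >= expire:
        problems.append("cookie_refresh: must be shorter than cookie_expire")
    for k in ("cookie_secure", "cookie_httponly"):
        if cfg.get(k) is not True:
            problems.append(f"{k}: should be true")
    return problems
```

Run `check_cfg(parse_cfg(open("/appdata/oauth2/oauth2_proxy.cfg").read()))` against your real file; an empty list means none of these checks fired.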
The final part is adding the directives to your nginx config. There is information about this at the bottom of the Configuration part of the docs. Here's an example of my netdata subdomain conf using the letsencrypt docker.
# make sure that your dns has a cname set for netdata
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name netdata.*;
    include /config/nginx/ssl.conf;
    client_max_body_size 0;

    location /oauth2/ {
        proxy_pass http://192.168.1.200:4180;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Scheme $scheme;
        proxy_set_header X-Auth-Request-Redirect $request_uri;
    }

    location = /oauth2/auth {
        proxy_pass http://192.168.1.200:4180;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Scheme $scheme;
        # nginx auth_request includes headers but not body
        proxy_set_header Content-Length "";
        proxy_pass_request_body off;
    }

    location / {
        auth_request /oauth2/auth;
        error_page 401 = /oauth2/sign_in;
        # pass information via X-User and X-Email headers to backend,
        # requires running with --set-xauthrequest flag (set_xauthrequest = true
        # in oauth2_proxy.cfg; the cfg above does not enable it, so these
        # headers stay empty until you do)
        auth_request_set $user $upstream_http_x_auth_request_user;
        auth_request_set $email $upstream_http_x_auth_request_email;
        proxy_set_header X-User $user;
        proxy_set_header X-Email $email;
        # if you enabled --cookie-refresh, this is needed for it to work with auth_request
        auth_request_set $auth_cookie $upstream_http_set_cookie;
        add_header Set-Cookie $auth_cookie;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # "backend" must be the host:port of your netdata instance, or an upstream {} block you define
        proxy_pass http://backend;
        proxy_http_version 1.1;
        proxy_pass_request_headers on;
        proxy_set_header Connection "keep-alive";
        proxy_store off;
    }
}
Hope that helps.