oauth2_proxy: add nginx vhost module
This commit is contained in:
parent
e686bd2771
commit
4a72999c75
|
@ -624,6 +624,7 @@
|
||||||
./services/security/hologram-agent.nix
|
./services/security/hologram-agent.nix
|
||||||
./services/security/munge.nix
|
./services/security/munge.nix
|
||||||
./services/security/oauth2_proxy.nix
|
./services/security/oauth2_proxy.nix
|
||||||
|
./services/security/oauth2_proxy_nginx.nix
|
||||||
./services/security/physlock.nix
|
./services/security/physlock.nix
|
||||||
./services/security/shibboleth-sp.nix
|
./services/security/shibboleth-sp.nix
|
||||||
./services/security/sks.nix
|
./services/security/sks.nix
|
||||||
|
|
58
nixos/modules/services/security/oauth2_proxy_nginx.nix
Normal file
58
nixos/modules/services/security/oauth2_proxy_nginx.nix
Normal file
|
@ -0,0 +1,58 @@
|
||||||
|
{ pkgs, config, lib, ... }:
|
||||||
|
with lib;
|
||||||
|
let
|
||||||
|
cfg = config.services.oauth2_proxy.nginx;
|
||||||
|
in
|
||||||
|
{
|
||||||
|
options.services.oauth2_proxy.nginx = {
|
||||||
|
proxy = mkOption {
|
||||||
|
type = types.string;
|
||||||
|
default = config.services.oauth2_proxy.httpAddress;
|
||||||
|
};
|
||||||
|
virtualHosts = mkOption {
|
||||||
|
type = types.listOf types.string;
|
||||||
|
default = [];
|
||||||
|
};
|
||||||
|
};
|
||||||
|
config.services.oauth2_proxy = mkIf (cfg.virtualHosts != [] && (hasPrefix "127.0.0.1:" cfg.proxy)) {
|
||||||
|
enable = true;
|
||||||
|
};
|
||||||
|
config.services.nginx = mkMerge ((optional (cfg.virtualHosts != []) {
|
||||||
|
recommendedProxySettings = true; # needed because duplicate headers
|
||||||
|
}) ++ (map (vhost: {
|
||||||
|
virtualHosts.${vhost} = {
|
||||||
|
locations."/oauth2/" = {
|
||||||
|
proxyPass = cfg.proxy;
|
||||||
|
extraConfig = ''
|
||||||
|
proxy_set_header X-Scheme $scheme;
|
||||||
|
proxy_set_header X-Auth-Request-Redirect $request_uri;
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
locations."/oauth2/auth" = {
|
||||||
|
proxyPass = cfg.proxy;
|
||||||
|
extraConfig = ''
|
||||||
|
proxy_set_header X-Scheme $scheme;
|
||||||
|
# nginx auth_request includes headers but not body
|
||||||
|
proxy_set_header Content-Length "";
|
||||||
|
proxy_pass_request_body off;
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
locations."/".extraConfig = ''
|
||||||
|
auth_request /oauth2/auth;
|
||||||
|
error_page 401 = /oauth2/sign_in;
|
||||||
|
|
||||||
|
# pass information via X-User and X-Email headers to backend,
|
||||||
|
# requires running with --set-xauthrequest flag
|
||||||
|
auth_request_set $user $upstream_http_x_auth_request_user;
|
||||||
|
auth_request_set $email $upstream_http_x_auth_request_email;
|
||||||
|
proxy_set_header X-User $user;
|
||||||
|
proxy_set_header X-Email $email;
|
||||||
|
|
||||||
|
# if you enabled --cookie-refresh, this is needed for it to work with auth_request
|
||||||
|
auth_request_set $auth_cookie $upstream_http_set_cookie;
|
||||||
|
add_header Set-Cookie $auth_cookie;
|
||||||
|
'';
|
||||||
|
|
||||||
|
};
|
||||||
|
}) cfg.virtualHosts));
|
||||||
|
}
|
Loading…
Reference in a new issue