Nic*_*ick 8 proxy nginx oauth-2.0
我正在尝试使用 Oauth2-proxy 作为通过 Google 身份验证访问我的网站的网关。出现 Oauth 登录页面,您可以单击“登录”,这会将您带到 Google 登录页面,但登录后会直接重定向回 Oauth 登录页面。我怀疑这与cookie有关,但我不知道我哪里出错了。
NGINX 配置:
server {
listen 443;
server_name my.website.com;
ssl on;
ssl_certificate /etc/ssl/my.website.com.pem;
ssl_certificate_key /etc/ssl/my.website.com.key;
location /oauth2/ {
proxy_pass http://127.0.0.1:4180;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Scheme $scheme;
proxy_set_header X-Auth-Request-Redirect $request_uri;
}
location = /oauth2/auth {
proxy_pass http://127.0.0.1:4180;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Scheme $scheme;
proxy_set_header Content-Length "";
proxy_pass_request_body off;
}
location / {
auth_request /oauth2/auth;
error_page 401 = /oauth2/sign_in;
# pass information via X-User and X-Email headers to backend,
# requires running with --set-xauthrequest flag
auth_request_set $user $upstream_http_x_auth_request_user;
auth_request_set $email $upstream_http_x_auth_request_email;
proxy_set_header X-User $user;
proxy_set_header X-Email $email;
# if you enabled --pass-access-token, this will pass the token to the backend
auth_request_set $token $upstream_http_x_auth_request_access_token;
proxy_set_header X-Access-Token $token;
# if you enabled --cookie-refresh, this is needed for it to work with auth_request
auth_request_set $auth_cookie $upstream_http_set_cookie;
add_header Set-Cookie $auth_cookie;
# When using the --set-authorization-header flag, some provider's cookies can exceed the 4kb
# limit and so the OAuth2 Proxy splits these into multiple parts.
# Nginx normally only copies the first `Set-Cookie` header from the auth_request to the respon$
# so if your cookies are larger than 4kb, you will need to extract additional cookies manually.
auth_request_set $auth_cookie_name_upstream_1 $upstream_cookie_auth_cookie_name_1;
# Extract the Cookie attributes from the first Set-Cookie header and append them
# to the second part ($upstream_cookie_* variables only contain the raw cookie content)
if ($auth_cookie ~* "(; .*)") {
set $auth_cookie_name_0 $auth_cookie;
set $auth_cookie_name_1 "auth_cookie_name_1=$auth_cookie_name_upstream_1$1";
}
# Send both Set-Cookie headers now if there was a second part
if ($auth_cookie_name_upstream_1) {
add_header Set-Cookie $auth_cookie_name_0;
add_header Set-Cookie $auth_cookie_name_1;
}
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header Host $http_host;
proxy_pass "http://127.0.0.1:8888"; # This is where my web server is hosted
}
}
Oauth2-代理配置:
cookie_secret="" # Filled in with a base64 string
provider="google"
email_domains="*"
client_secret="" # Filled in with Google auth client secret
client_id="" # Filled in with Google auth client ID
cookie_secure="false" # No idea what to set this as, tried both false and true, same result
redirect_url="https://my.website.com/oauth2/auth/"
upstreams="http://127.0.0.1:8888/" # My website server
Oauth2-proxy启动命令:
~/oauth2-proxy-v6.1.1.linux-amd64/oauth2-proxy --config=/home/username/work/src/github.com/oauth2-proxy/oauth2-proxy/contrib/local-environment/oauth2-proxy.cfg
任何想法将不胜感激!
我接受的答案是正确的,但我还必须进行一些 cookie 更改,并认为我应该发布我的最终工作代码。
我能够让它与这些更改一起工作:
在下面location /oauth2/:
proxy_set_header X-Auth-Request-Redirect "https://my.website.com";
在下面location /:
auth_request_set $auth_cookie $upstream_http_set_cookie;
在 Oauth2-proxy 配置中(附加或替换行):
redirect_url = "https://my.website.com/oauth2/callback"
set_xauthrequest = true
upstreams = ["file:///dev/null"]
cookie_domains = [".website.com"]
cookie_secure = false
cookie_samesite = "lax"
编辑:配置文件的最终内容:
NGINX 配置:
server {
listen 443;
server_name my.website.com;
ssl on;
ssl_certificate /etc/ssl/my.website.com.pem;
ssl_certificate_key /etc/ssl/my.website.com.key;
location /oauth2/ {
proxy_pass http://127.0.0.1:4180;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Scheme $scheme;
proxy_set_header X-Auth-Request-Redirect "https://my.website.com";
}
location = /oauth2/auth {
proxy_pass http://127.0.0.1:4180;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Scheme $scheme;
proxy_set_header Content-Length "";
proxy_pass_request_body off;
}
location / {
auth_request /oauth2/auth;
error_page 401 = /oauth2/sign_in;
auth_request_set $user $upstream_http_x_auth_request_user;
auth_request_set $email $upstream_http_x_auth_request_email;
proxy_set_header X-User $user;
proxy_set_header X-Email $email;
auth_request_set $token $upstream_http_x_auth_request_access_token;
proxy_set_header X-Access-Token $token;
auth_request_set $auth_cookie $upstream_http_set_cookie;
add_header Set-Cookie $auth_cookie;
auth_request_set $auth_cookie_name_upstream_1 $upstream_cookie_auth_cookie_name_1;
if ($auth_cookie ~* "(; .*)") {
set $auth_cookie_name_0 $auth_cookie;
set $auth_cookie_name_1 "auth_cookie_name_1=$auth_cookie_name_upstream_1$1";
}
if ($auth_cookie_name_upstream_1) {
add_header Set-Cookie $auth_cookie_name_0;
add_header Set-Cookie $auth_cookie_name_1;
}
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header Host $http_host;
proxy_pass "http://127.0.0.1:8888"; # This is where my web server is hosted
}
}
Oauth2-代理配置:
cookie_secret="" # Filled in with a base64 string
provider="google"
email_domains="*"
client_secret="" # Filled in with Google auth client secret
client_id="" # Filled in with Google auth client ID
cookie_domains=[".website.com"]
cookie_secure="false"
cookie_samesite="lax"
redirect_url="https://my.website.com/oauth2/callback"
upstreams="http://127.0.0.1:8888/" # My website server
set_xauthrequest=true
upstreams=["file:///dev/null"]