nixos/oauth2_proxy_nginx: allow placing the login page itself under a separate domain

OIDC providers usually require a fixed callback URL; it can now be set to
a single domain when securing multiple virtualHosts under different (sub)domains.
Sandro Jäckel 2023-12-09 23:43:09 +01:00
parent 8ba995cb30
commit 75c7e61601
No known key found for this signature in database
GPG Key ID: 3AF5A43A3EECC2E5


@ -13,6 +13,17 @@ in
The address of the reverse proxy endpoint for oauth2_proxy The address of the reverse proxy endpoint for oauth2_proxy
''; '';
}; };
domain = mkOption {
type = types.str;
description = lib.mdDoc ''
The domain under which the oauth2_proxy will be accesible and the path of cookies are set to.
This setting must be set to ensure back-redirects are working properly
if oauth2-proxy is configured with {option}`services.oauth2_proxy.cookie.domain`
or multiple {option}`services.oauth2_proxy.nginx.virtualHosts` that are not on the same domain.
'';
};
virtualHosts = mkOption { virtualHosts = mkOption {
type = types.listOf types.str; type = types.listOf types.str;
default = []; default = [];
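Review bot: `domain` is declared with `types.str` and no default, so every existing configuration that only sets `services.oauth2_proxy.nginx.virtualHosts` now fails to evaluate, because the new `virtualHosts.${cfg.domain}` entry is built whenever that list is non-empty. If the break is intended, the description should say so; otherwise an assertion with a clear message, or a default derived from the first virtualHost, would ease migration. The description should also state that the protected hosts must be accepted by oauth2-proxy's redirect validation, since the login now starts on a different domain and, as far as I recall, oauth2-proxy drops an `rd` whose host is not in its whitelist-domain setting (set via `services.oauth2_proxy.extraConfig` if there is no dedicated option): `The domains of the other virtualHosts must be whitelisted in oauth2-proxy so the redirect back after login is accepted.` Minor wording: `accesible` → `accessible`, and `the path of cookies are set to` would read better as `the domain that oauth2-proxy's cookies are scoped to`.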
@ -21,22 +32,26 @@ in
''; '';
}; };
}; };
config.services.oauth2_proxy = mkIf (cfg.virtualHosts != [] && (hasPrefix "127.0.0.1:" cfg.proxy)) { config.services.oauth2_proxy = mkIf (cfg.virtualHosts != [] && (hasPrefix "127.0.0.1:" cfg.proxy)) {
enable = true; enable = true;
}; };
config.services.nginx = mkIf config.services.oauth2_proxy.enable (mkMerge
((optional (cfg.virtualHosts != []) { config.services.nginx = mkIf (cfg.virtualHosts != [] && config.services.oauth2_proxy.enable) (mkMerge ([
recommendedProxySettings = true; # needed because duplicate headers {
}) ++ (map (vhost: { virtualHosts.${cfg.domain}.locations."/oauth2/" = {
virtualHosts.${vhost} = {
locations."/oauth2/" = {
proxyPass = cfg.proxy; proxyPass = cfg.proxy;
extraConfig = '' extraConfig = ''
proxy_set_header X-Scheme $scheme; proxy_set_header X-Scheme $scheme;
proxy_set_header X-Auth-Request-Redirect $scheme://$host$request_uri; proxy_set_header X-Auth-Request-Redirect $scheme://$host$request_uri;
''; '';
}; };
locations."/oauth2/auth" = { }
] ++ optional (cfg.virtualHosts != []) {
recommendedProxySettings = true; # needed because duplicate headers
} ++ (map (vhost: {
virtualHosts.${vhost}.locations = {
"/oauth2/auth" = {
proxyPass = cfg.proxy; proxyPass = cfg.proxy;
extraConfig = '' extraConfig = ''
proxy_set_header X-Scheme $scheme; proxy_set_header X-Scheme $scheme;
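Review bot: The login vhost `virtualHosts.${cfg.domain}` is created implicitly with nothing but the `/oauth2/` location, so a user who has not declared that host elsewhere gets a plain-HTTP server block that receives the authorization code and sets the session cookie; the module should either document that `services.nginx.virtualHosts.${cfg.domain}` still needs `forceSSL`/`enableACME` (or equivalent TLS), or add an assertion on it, e.g. `Requires TLS on the login domain, which the module does not configure; set forceSSL/enableACME on services.nginx.virtualHosts.<domain>.` On that same location `X-Auth-Request-Redirect $scheme://$host$request_uri` now always names the login domain itself, which presumably no longer serves as the back-redirect (the `rd` parameter carries it) — a short comment saying why it is kept would help. The `/oauth2/auth` location whose body starts at the end of this hunk continues outside it.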
@ -45,9 +60,10 @@ in
proxy_pass_request_body off; proxy_pass_request_body off;
''; '';
}; };
locations."/".extraConfig = '' "@redirectToAuth2ProxyLogin".return = "307 https://${cfg.domain}/oauth2/start?rd=$scheme://$host$request_uri";
"/".extraConfig = ''
auth_request /oauth2/auth; auth_request /oauth2/auth;
error_page 401 = /oauth2/sign_in; error_page 401 = @redirectToAuth2ProxyLogin;
# pass information via X-User and X-Email headers to backend, # pass information via X-User and X-Email headers to backend,
# requires running with --set-xauthrequest flag # requires running with --set-xauthrequest flag
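Review bot: `rd=$scheme://$host$request_uri` interpolates the raw request URI into a query parameter without percent-encoding, so an original request whose own query string contains `&` has everything after the first `&` dropped when oauth2-proxy parses `rd` — the previous `error_page 401 = /oauth2/sign_in` path carried the full URI in a header and did not have this problem. Plain nginx cannot percent-encode, so this should at least be documented on the `domain` option, and `$host` here is the client-supplied Host header, which is only safe because oauth2-proxy validates `rd` against its whitelist — worth a comment: `# $host is client-controlled; oauth2-proxy must validate rd against its whitelisted domains`. The redirect also hardcodes `https://` for the login domain while using `$scheme` for the return target, and `307` makes browsers replay an unauthenticated POST body to the login host; `302` is the conventional choice for a login bounce unless method preservation is deliberate. The `/` location's `extraConfig` continues outside this hunk.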
@ -60,7 +76,6 @@ in
auth_request_set $auth_cookie $upstream_http_set_cookie; auth_request_set $auth_cookie $upstream_http_set_cookie;
add_header Set-Cookie $auth_cookie; add_header Set-Cookie $auth_cookie;
''; '';
}; };
}) cfg.virtualHosts))); }) cfg.virtualHosts)));
} }