nixos/oauth2-proxy-nginx: lift auth_request to http block

With this change, all location blocks are now protected by oauth2-proxy,
not only /.
This commit is contained in:
Sandro Jäckel 2023-12-19 21:00:20 +01:00
parent 3814255973
commit a911604762
No known key found for this signature in database
GPG Key ID: 3AF5A43A3EECC2E5
1 changed files with 22 additions and 12 deletions


@ -28,7 +28,8 @@ in
type = types.listOf types.str;
default = [];
description = ''
A list of nginx virtual hosts to put behind the oauth2 proxy
A list of nginx virtual hosts to put behind the oauth2 proxy.
You can exclude specific locations by setting `auth_request off;` in the locations extraConfig setting.
'';
};
};
@ -50,18 +51,27 @@ in
] ++ optional (cfg.virtualHosts != []) {
recommendedProxySettings = true; # needed because duplicate headers
} ++ (map (vhost: {
virtualHosts.${vhost}.locations = {
"/oauth2/auth" = {
proxyPass = cfg.proxy;
extraConfig = ''
proxy_set_header X-Scheme $scheme;
# nginx auth_request includes headers but not body
proxy_set_header Content-Length "";
proxy_pass_request_body off;
'';
virtualHosts.${vhost} = {
locations = {
"/oauth2/auth" = {
proxyPass = cfg.proxy;
extraConfig = ''
auth_request off;
proxy_set_header X-Scheme $scheme;
# nginx auth_request includes headers but not body
proxy_set_header Content-Length "";
proxy_pass_request_body off;
'';
};
"@redirectToAuth2ProxyLogin" = {
return = "307 https://${cfg.domain}/oauth2/start?rd=$scheme://$host$request_uri";
extraConfig = ''
auth_request off;
'';
};
};
"@redirectToAuth2ProxyLogin".return = "307 https://${cfg.domain}/oauth2/start?rd=$scheme://$host$request_uri";
"/".extraConfig = ''
extraConfig = ''
auth_request /oauth2/auth;
error_page 401 = @redirectToAuth2ProxyLogin;