Ansible role for configuring oauth2_proxy Docker container

status-im/infra-role-oauth-proxy

Description

This role configures an oauth2_proxy container for GitHub-based OAuth.

Configuration

These settings are all mandatory:

oauth_service_name: 'example-oauth'
oauth_service_path: '/docker/example/oauth'
oauth_domain: 'oauth.example.org'
oauth_upstream_port: 4321
oauth_local_port: 1234
oauth_cookie_secret: '123qweASD'
oauth_provider: 'github'
oauth_id: 'some-id'
oauth_secret: 'some-secret'

These options are optional:

oauth_local_addr: '0.0.0.0'
oauth_cont_volumes: ['/docker/example/www:/www']
oauth_upstream_url: 'file:///www#/'
oauth_cont_networks: ['other-container-network']

Different providers have different mandatory settings.

GitHub

oauth_github_org: 'example-org'
oauth_github_teams: ['devops', 'security']

Google

oauth_google_domain: 'example.org'

Keycloak

oauth_keycloak_url: 'https://keycloak.example.org'
oauth_keycloak_realm: 'example-org'
oauth_keycloak_domain: 'example.org'
oauth_keycloak_groups: ['admins', 'security']
oauth_keycloak_roles: ['admin']
oauth_scope: 'openid'

For a Keycloak client to work with oauth-proxy, set up the client as described here, under "Keycloak new admin console". The important part is to configure the dedicated audience mapper for your client.
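
As an added pre-flight check (not part of the role itself), the following Python script validates a set of these variables before the role runs: it checks the mandatory and provider-specific settings listed above and verifies that oauth_cookie_secret yields 16, 24 or 32 bytes, the AES key sizes oauth2-proxy accepts for its cookie cipher. The exact oauth_provider values and the treatment of every listed per-provider setting as mandatory are assumptions.

```python
import base64
import binascii

AES_KEY_SIZES = (16, 24, 32)  # the only cookie secret lengths oauth2-proxy accepts
# Settings the README lists as mandatory for every provider.
MANDATORY = ("oauth_service_name", "oauth_service_path", "oauth_domain",
             "oauth_upstream_port", "oauth_local_port", "oauth_cookie_secret",
             "oauth_provider", "oauth_id", "oauth_secret")
# Per-provider settings from the README; the oauth_provider values are assumed.
PROVIDER_SETTINGS = {
    "github": ("oauth_github_org", "oauth_github_teams"),
    "google": ("oauth_google_domain",),
    "keycloak-oidc": ("oauth_keycloak_url", "oauth_keycloak_realm",
                      "oauth_keycloak_domain", "oauth_keycloak_groups",
                      "oauth_keycloak_roles", "oauth_scope"),
}

def secret_bytes(secret: str) -> bytes:
    """Key material as oauth2-proxy derives it: URL-safe base64 decoded if that
    yields an AES key size, otherwise the raw bytes of the string."""
    padded = secret + "=" * (-len(secret) % 4)
    if "+" not in secret and "/" not in secret:  # URL-safe alphabet only
        try:
            decoded = base64.b64decode(padded, altchars=b"-_", validate=True)
            if len(decoded) in AES_KEY_SIZES:
                return decoded
        except binascii.Error:
            pass
    return secret.encode()

def validate(settings: dict) -> list:
    """Return the list of problems found; empty means the settings look complete."""
    problems = [f"missing mandatory setting: {k}" for k in MANDATORY if k not in settings]
    provider = settings.get("oauth_provider")
    if provider is not None:
        required = PROVIDER_SETTINGS.get(provider)
        if required is None:
            problems.append(f"unsupported oauth_provider: {provider}")
        else:
            problems += [f"missing {provider} setting: {k}" for k in required if k not in settings]
    secret = settings.get("oauth_cookie_secret")
    if secret is not None and len(secret_bytes(secret)) not in AES_KEY_SIZES:
        problems.append("oauth_cookie_secret must be 16, 24 or 32 bytes (raw or base64)")
    return problems

# Constructed sample: the README's mandatory settings block, as written there.
SAMPLE = {"oauth_service_name": "example-oauth", "oauth_service_path": "/docker/example/oauth",
          "oauth_domain": "oauth.example.org", "oauth_upstream_port": 4321,
          "oauth_local_port": 1234, "oauth_cookie_secret": "123qweASD",
          "oauth_provider": "github", "oauth_id": "some-id", "oauth_secret": "some-secret"}
```

Running validate(SAMPLE) reports the two GitHub settings the mandatory block lacks and rejects the 9-byte placeholder cookie secret; a 16-character alphanumeric secret is kept as raw bytes because its base64 decoding would not be an AES key size, which is the same rule oauth2-proxy applies.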

Nested Docker Compose

To include the oauth-proxy in another Docker Compose project:

oauth_compose_skip_start: true
oauth_upstream_addr: 'container-webui'

Management

The container is created using Docker Compose:

admin@host.example.org:/docker/example % dc ps
       Name                Command               State           Ports         
-------------------------------------------------------------------------------
example-oauth   /bin/oauth2-proxy --provid ...   Up      0.0.0.0:9292->9292/tcp

Known issues

Provider: keycloak-oidc, Service: Prometheus UI

The setup consists of an Nginx proxy in front of the OAuth2 proxy container. After logging in, Nginx returned 502 Bad Gateway. Inspecting the Nginx error log showed this error:

2024/09/13 12:27:40 [error] 1699601#1699601: *28212 upstream sent too big header while reading response header from upstream...

The oversized response header is typically the Set-Cookie header carrying the oauth2-proxy session cookie, which is large with OIDC providers because the tokens are stored in it. We just had to increase the proxy buffer sizes in the Nginx config and everything worked normally:

  proxy_buffering on;
  proxy_buffers 16 256k;
  proxy_buffer_size 128k;
