├── .travis.yml ├── Dockerfile ├── LICENSE.md ├── Makefile ├── README.md ├── examples ├── azure │ └── docker-compose.yml ├── google │ └── docker-compose.yml └── nginx │ ├── Dockerfile │ ├── configs │ ├── nginx.conf │ └── sites-enabled │ │ └── default │ └── demo │ └── index.html └── tests └── run_test.sh /.travis.yml: -------------------------------------------------------------------------------- 1 | # Following the documentation for Docker usage here: 2 | # https://docs.travis-ci.com/user/docker/ 3 | sudo: required 4 | 5 | services: 6 | - docker 7 | 8 | addons: 9 | apt: 10 | packages: 11 | - docker-ce 12 | 13 | env: 14 | global: 15 | - DOCKER_COMPOSE_VERSION=1.20.1 16 | - DOCKER_COMPOSE_FILE="examples/google/docker-compose.yml" 17 | 18 | before_install: 19 | - sudo rm /usr/local/bin/docker-compose 20 | - curl -L https://github.com/docker/compose/releases/download/${DOCKER_COMPOSE_VERSION}/docker-compose-`uname -s`-`uname -m` > docker-compose 21 | - chmod +x docker-compose 22 | - sudo mv docker-compose /usr/local/bin 23 | 24 | before_script: 25 | # Build and start the server 26 | - docker-compose -f "$DOCKER_COMPOSE_FILE" up --build -d 27 | 28 | script: 29 | - make test 30 | 31 | after_script: 32 | - docker-compose -f "$DOCKER_COMPOSE_FILE" down 33 | -------------------------------------------------------------------------------- /Dockerfile: -------------------------------------------------------------------------------- 1 | FROM alpine:3.8 2 | LABEL maintainer="Andrew Huynh " 3 | 4 | # When this Dockerfile was last refreshed (year/month/day) 5 | ENV REFRESHED_AT 2018-07-25 6 | 7 | # Install CA certificates 8 | RUN apk add --no-cache --virtual=build-dependencies ca-certificates 9 | 10 | ENV OAUTH2_PROXY_VERSION 2.2 11 | 12 | # Checkout bitly's latest google-auth-proxy code from Github 13 | RUN wget https://github.com/bitly/oauth2_proxy/releases/download/v2.2/oauth2_proxy-2.2.0.linux-amd64.go1.8.1.tar.gz -O /tmp/oauth2_proxy.tar.gz \ 14 | && tar -xf 
/tmp/oauth2_proxy.tar.gz -C ./bin --strip-components=1 \ 15 | && rm /tmp/*.tar.gz 16 | 17 | # Expose the ports we need and setup the ENTRYPOINT w/ the default argument 18 | # to be pass in. 19 | EXPOSE 8080 4180 20 | ENTRYPOINT [ "./bin/oauth2_proxy" ] 21 | CMD [ "--upstream=http://0.0.0.0:8080/", "--http-address=0.0.0.0:4180" ] 22 | -------------------------------------------------------------------------------- /LICENSE.md: -------------------------------------------------------------------------------- 1 | MIT License 2 | 3 | Copyright (c) 2018 Andrew Huynh 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 22 | -------------------------------------------------------------------------------- /Makefile: -------------------------------------------------------------------------------- 1 | .PHONY: build clean 2 | IMG_NAME=a5huynh/oauth2_proxy 3 | 4 | build: 5 | docker build -t $(IMG_NAME) . 
6 | 7 | clean: 8 | docker rmi $(IMG_NAME) 9 | 10 | test: 11 | ./tests/run_test.sh -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | [![Build Status](https://travis-ci.org/a5huynh/oauth2_proxy.svg?branch=master)](https://travis-ci.org/a5huynh/oauth2_proxy) [![license: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](https://opensource.org/licenses/MIT) 2 | 3 | ## Official fork for `bitly/oauth2_proxy` 4 | FYI for those coming here, as of 03/2019 the bitly project is no longer getting updated and has been 5 | officially forked to a new project: https://github.com/pusher/oauth2_proxy 6 | 7 | This new project has been getting updates and has its own Docker image. If you're interested in 8 | using the latest and greatest, please check them out! Otherwise this repo + Docker image will stay 9 | as is 🙂. 10 | 11 | ## oauth2_proxy dockerization 12 | 13 | This is a Dockerization of the handy dandy 14 | [bitly OAuth Proxy](https://github.com/bitly/oauth2_proxy). 15 | 16 | Check out the bitly github page for more details on the different command line 17 | options that can be passed in. 18 | 19 | This is also an automated 20 | [Docker Hub build](https://hub.docker.com/r/a5huynh/oauth2_proxy/) 21 | 22 | ### Supported tags and respective `Dockerfile` links 23 | * `2.2-debian` ([Dockerfile](https://github.com/a5huynh/oauth2_proxy/blob/cb657302b1a433e654a6cd97e30aa0c0dee8075c/Dockerfile)) 24 | * `2.2` ([Dockerfile](https://github.com/a5huynh/oauth2_proxy/blob/5c18f223851745d3132faf64cab6ea9bb056fe7f/Dockerfile)) 25 | * `2.1` ([Dockerfile](https://github.com/a5huynh/oauth2_proxy/blob/77b5f5afb919bb9d7983f901504987c9aaf2dfb9/Dockerfile)) 26 | 27 | ### Quickstart with Docker Compose 28 | First, configure your client secret/id/cookie secret in the `docker-compose.yml` file 29 | and replace all references to `example.com` with your domain. 
30 | 31 | Then simply run: 32 | 33 | docker-compose up 34 | 35 | The container will be built and an nginx proxy automatically configured to 36 | connect to the oauth2 proxy. Navigate to http://localhost:4180/ping to check 37 | out whether the proxy is up and running. 38 | 39 | You will be asked to authenticate and if successful, redirected to the upstream 40 | nginx container serving a simple HTML page. 41 | 42 | ### Quickstart without Docker Compose 43 | 44 | The following example assumes you have your upstream host located at `upstream:80`. Note that `--cookie-secure=false` is only acceptable here because this local example is served over plain HTTP; keep the default (secure cookies) for any deployment reachable over HTTPS. 45 | 46 | docker run -P a5huynh/oauth2_proxy \ 47 | --cookie-secure=false \ 48 | --upstream="http://upstream:80" \ 49 | --http-address="0.0.0.0:4180" \ 50 | --redirect-url="http://example.com/oauth2/callback" \ 51 | --email-domain="example.com" \ 52 | --cookie-secret= \ 53 | --client-id= \ 54 | --client-secret= 55 | 56 | ## Configuration 57 | By default I set the upstream and http-address to the following: 58 | 59 | --upstream=http://0.0.0.0:8080/ 60 | --http-address=0.0.0.0:4180 61 | 62 | This allows us to easily configure our upstream or nginx proxy to those addresses. 
63 | 64 | ### Environment Variables 65 | Alternatively you can set the cookie-secret, client-id, and/or client-secret as 66 | environment variables using the following variables below: 67 | 68 | OAUTH2_PROXY_COOKIE_SECRET # The seed string for secure cookies 69 | OAUTH2_PROXY_CLIENT_ID # The Google OAuth Client ID 70 | OAUTH2_PROXY_CLIENT_SECRET # The Google OAuth Client Secret 71 | 72 | ### Example Usage w/ environment variables 73 | docker run -e OAUTH2_PROXY_COOKIE_SECRET= \ 74 | -e OAUTH2_PROXY_CLIENT_ID= \ 75 | -e OAUTH2_PROXY_CLIENT_SECRET= \ 76 | a5huynh/oauth2_proxy 77 | -------------------------------------------------------------------------------- /examples/azure/docker-compose.yml: -------------------------------------------------------------------------------- 1 | version: '3' 2 | 3 | services: 4 | # Description of Containers: 5 | # 6 | # authproxy This is the oauth2_proxy container 7 | # upstream This is the upstream app that is protected by the oauth2_proxy 8 | # 9 | 10 | # Azure OAuth Proxy 11 | authproxy: 12 | build: ../.. 
13 | networks: 14 | demo-net: 15 | ports: 16 | - "4180:4180" 17 | command: [ 18 | "--provider=azure", 19 | "--cookie-secure=false", 20 | "--upstream=http://upstream:80", 21 | "--http-address=0.0.0.0:4180", 22 | "--redirect-url=http://localhost/oauth2/callback", 23 | "--email-domain=", 24 | "--azure-tenant=" 25 | ] 26 | environment: 27 | OAUTH2_PROXY_COOKIE_SECRET: totally-secret-key 28 | OAUTH2_PROXY_COOKIE_DOMAIN: localhost 29 | OAUTH2_PROXY_CLIENT_ID: 30 | OAUTH2_PROXY_CLIENT_SECRET: 31 | 32 | # NGINX example app 33 | upstream: 34 | build: ../nginx 35 | networks: 36 | demo-net: 37 | ports: 38 | - "80:80" 39 | 40 | networks: 41 | demo-net: 42 | 43 | # vim: sw=2 sts=2 et 44 | -------------------------------------------------------------------------------- /examples/google/docker-compose.yml: -------------------------------------------------------------------------------- 1 | version: '3' 2 | 3 | services: 4 | # Description of Containers: 5 | # 6 | # authproxy This is the oauth2_proxy container 7 | # upstream This is the upstream app that is protected by the oauth2_proxy 8 | # 9 | 10 | # Google OAuth Proxy 11 | authproxy: 12 | build: ../.. 
13 | networks: 14 | demo-net: 15 | ports: 16 | - "4180:4180" 17 | command: --cookie-secure=false --upstream="http://upstream:80" --http-address="0.0.0.0:4180" --redirect-url="http://docker.example.com/oauth2/callback" --email-domain="example.com" 18 | environment: 19 | OAUTH2_PROXY_COOKIE_SECRET: totally-secret-key 20 | OAUTH2_PROXY_COOKIE_DOMAIN: docker.example.com 21 | OAUTH2_PROXY_CLIENT_ID: client_id 22 | OAUTH2_PROXY_CLIENT_SECRET: client_secret 23 | 24 | # NGINX example app 25 | upstream: 26 | build: ../nginx 27 | networks: 28 | demo-net: 29 | ports: 30 | - "8888:80" 31 | depends_on: 32 | - authproxy 33 | 34 | networks: 35 | demo-net: 36 | 37 | # vim: sw=2 sts=2 et 38 | -------------------------------------------------------------------------------- /examples/nginx/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM nginx:1.12 2 | 3 | COPY "configs" "/etc/nginx" 4 | COPY "demo" "/opt/webapp" 5 | -------------------------------------------------------------------------------- /examples/nginx/configs/nginx.conf: -------------------------------------------------------------------------------- 1 | events { 2 | worker_connections 768; 3 | } 4 | 5 | http { 6 | 7 | sendfile on; 8 | tcp_nopush on; 9 | tcp_nodelay on; 10 | keepalive_timeout 65; 11 | types_hash_max_size 2048; 12 | 13 | include /etc/nginx/mime.types; 14 | default_type application/octet-stream; 15 | 16 | access_log /dev/stdout; 17 | error_log /dev/stdout; 18 | 19 | # Increase POST body size 20 | client_max_body_size 100M; 21 | 22 | # Include additional configuration files 23 | include /etc/nginx/sites-enabled/*; 24 | } 25 | 26 | # vim: sw=4 sts=4 et ft=nginx 27 | -------------------------------------------------------------------------------- /examples/nginx/configs/sites-enabled/default: -------------------------------------------------------------------------------- 1 | upstream oauth2 { 2 | # !!! NOT PRODUCTION SAFE !!! 
3 | # There is a bug here -- nginx only resolves DNS once on startup. If the 4 | # container moves after nginx starts, the traffic will no longer forward 5 | # correctly. 6 | server authproxy:4180; 7 | } 8 | 9 | server { 10 | listen 80; 11 | 12 | location /oauth2 { 13 | proxy_pass http://oauth2; 14 | 15 | proxy_set_header Host $host; 16 | proxy_set_header X-Real-IP $remote_addr; 17 | proxy_set_header X-Scheme $scheme; 18 | proxy_set_header X-Auth-Request-Redirect $request_uri; 19 | } 20 | 21 | location = /oauth2/auth { 22 | proxy_pass http://oauth2; 23 | 24 | proxy_set_header Host $host; 25 | proxy_set_header X-Real-IP $remote_addr; 26 | proxy_set_header X-Scheme $scheme; 27 | # nginx auth_request includes headers but not body 28 | proxy_set_header Content-Length ""; 29 | proxy_pass_request_body off; 30 | } 31 | 32 | location / { 33 | auth_request /oauth2/auth; 34 | error_page 401 = /oauth2/sign_in; 35 | 36 | # pass information via X-User and X-Email headers to backend, 37 | # requires running with --set-xauthrequest flag 38 | auth_request_set $user $upstream_http_x_auth_request_user; 39 | auth_request_set $email $upstream_http_x_auth_request_email; 40 | proxy_set_header X-User $user; 41 | proxy_set_header X-Email $email; 42 | 43 | # if you enabled --cookie-refresh, this is needed for it to work with auth_request 44 | auth_request_set $auth_cookie $upstream_http_set_cookie; 45 | add_header Set-Cookie $auth_cookie; 46 | 47 | root /opt/webapp; 48 | } 49 | } 50 | 51 | # vim: sw=4 sts=4 et ft=nginx 52 | -------------------------------------------------------------------------------- /examples/nginx/demo/index.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | Authorization Successful! 5 | 6 | 7 |

Success!

8 |

Able to authenticate successfully!

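9 | 10 | 11 | -------------------------------------------------------------------------------- /tests/run_test.sh: --------------------------------------------------------------------------------
#!/bin/bash
# Smoke test run by `make test` (and by the Travis `script` step) after the
# compose stack has been started: the oauth2_proxy container must answer
# HTTP 200 on its /ping endpoint.
#
# PING_URL may be overridden when the proxy is published somewhere other than
# the compose examples' localhost:4180.
set -euo pipefail

PING_URL="${PING_URL:-http://localhost:4180/ping}"
expected="200"

# `docker-compose up -d` may return before the proxy is actually listening, so
# a single probe races the container start. Retry for a bounded time; `|| true`
# keeps `set -e` from aborting before the diagnostic output below, and curl
# reports "000" as the status when no HTTP response was received at all.
response="000"
for _ in 1 2 3 4 5 6 7 8 9 10; do
    response=$(curl --write-out '%{http_code}' --silent --output /dev/null \
        --max-time 5 "$PING_URL" || true)
    if [ "$response" = "$expected" ]; then
        break
    fi
    sleep 2
done

echo "Expecting: $expected"
echo "Server says: $response"

if [ "$expected" != "$response" ]; then
    echo "Test failed!"
    exit 1
else
    echo "Test passed!"
    exit 0
fi
--------------------------------------------------------------------------------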