diff options
| author | Yegor Timoshenko <yegortimoshenko@riseup.net> | 2018-07-05 22:15:50 +0300 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2018-07-05 22:15:50 +0300 |
| commit | 1bb95d8409aabcc9ee52045771b7c9109336fc2f (patch) | |
| tree | 2a2e279446a0c401abdee50436e36c4e0a9769d0 /nixos/modules/services/security | |
| parent | 9655e1a134ad492f8664c86514552eb1a6fb6489 (diff) | |
| parent | 2fec848254381ec5b6a1fca6f45f86f370d32643 (diff) | |
| download | nixlib-1bb95d8409aabcc9ee52045771b7c9109336fc2f.tar nixlib-1bb95d8409aabcc9ee52045771b7c9109336fc2f.tar.gz nixlib-1bb95d8409aabcc9ee52045771b7c9109336fc2f.tar.bz2 nixlib-1bb95d8409aabcc9ee52045771b7c9109336fc2f.tar.lz nixlib-1bb95d8409aabcc9ee52045771b7c9109336fc2f.tar.xz nixlib-1bb95d8409aabcc9ee52045771b7c9109336fc2f.tar.zst nixlib-1bb95d8409aabcc9ee52045771b7c9109336fc2f.zip | |
Merge pull request #42775 from mkaito/oauth2_proxy-virtualHosts
oauth2_proxy: add nginx vhost module
Diffstat (limited to 'nixos/modules/services/security')
| -rw-r--r-- | nixos/modules/services/security/oauth2_proxy_nginx.nix | 64 |
1 files changed, 64 insertions, 0 deletions
diff --git a/nixos/modules/services/security/oauth2_proxy_nginx.nix b/nixos/modules/services/security/oauth2_proxy_nginx.nix new file mode 100644 index 000000000000..2aa2c57fd22c --- /dev/null +++ b/nixos/modules/services/security/oauth2_proxy_nginx.nix @@ -0,0 +1,64 @@ +{ pkgs, config, lib, ... }: +with lib; +let + cfg = config.services.oauth2_proxy.nginx; +in +{ + options.services.oauth2_proxy.nginx = { + proxy = mkOption { + type = types.string; + default = config.services.oauth2_proxy.httpAddress; + description = '' + The address of the reverse proxy endpoint for oauth2_proxy + ''; + }; + virtualHosts = mkOption { + type = types.listOf types.string; + default = []; + description = '' + A list of nginx virtual hosts to put behind the oauth2 proxy + ''; + }; + }; + config.services.oauth2_proxy = mkIf (cfg.virtualHosts != [] && (hasPrefix "127.0.0.1:" cfg.proxy)) { + enable = true; + }; + config.services.nginx = mkMerge ((optional (cfg.virtualHosts != []) { + recommendedProxySettings = true; # needed because duplicate headers + }) ++ (map (vhost: { + virtualHosts.${vhost} = { + locations."/oauth2/" = { + proxyPass = cfg.proxy; + extraConfig = '' + proxy_set_header X-Scheme $scheme; + proxy_set_header X-Auth-Request-Redirect $request_uri; + ''; + }; + locations."/oauth2/auth" = { + proxyPass = cfg.proxy; + extraConfig = '' + proxy_set_header X-Scheme $scheme; + # nginx auth_request includes headers but not body + proxy_set_header Content-Length ""; + proxy_pass_request_body off; + ''; + }; + locations."/".extraConfig = '' + auth_request /oauth2/auth; + error_page 401 = /oauth2/sign_in; + + # pass information via X-User and X-Email headers to backend, + # requires running with --set-xauthrequest flag + auth_request_set $user $upstream_http_x_auth_request_user; + auth_request_set $email $upstream_http_x_auth_request_email; + proxy_set_header X-User $user; + proxy_set_header X-Email $email; + + # if you enabled --cookie-refresh, this is needed for it to work with auth_request + auth_request_set $auth_cookie $upstream_http_set_cookie; + add_header Set-Cookie $auth_cookie; + ''; + + }; + }) cfg.virtualHosts)); +} |