mirror of
https://github.com/SebastianWendel/nixpkgs.git
synced 2024-09-20 04:19:00 +02:00
Merge pull request #273234 from SuperSandro2000/oauth2-proxy-nginx
nixos/oauth2_proxy_nginx: allow placing the login page itself under a separate domain
This commit is contained in:
commit
76e86c46b2
|
@ -13,6 +13,17 @@ in
|
||||||
The address of the reverse proxy endpoint for oauth2_proxy
|
The address of the reverse proxy endpoint for oauth2_proxy
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
|
|
||||||
|
domain = mkOption {
|
||||||
|
type = types.str;
|
||||||
|
description = lib.mdDoc ''
|
||||||
|
The domain under which the oauth2_proxy will be accesible and the path of cookies are set to.
|
||||||
|
This setting must be set to ensure back-redirects are working properly
|
||||||
|
if oauth2-proxy is configured with {option}`services.oauth2_proxy.cookie.domain`
|
||||||
|
or multiple {option}`services.oauth2_proxy.nginx.virtualHosts` that are not on the same domain.
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
|
||||||
virtualHosts = mkOption {
|
virtualHosts = mkOption {
|
||||||
type = types.listOf types.str;
|
type = types.listOf types.str;
|
||||||
default = [];
|
default = [];
|
||||||
|
@ -21,22 +32,26 @@ in
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
config.services.oauth2_proxy = mkIf (cfg.virtualHosts != [] && (hasPrefix "127.0.0.1:" cfg.proxy)) {
|
config.services.oauth2_proxy = mkIf (cfg.virtualHosts != [] && (hasPrefix "127.0.0.1:" cfg.proxy)) {
|
||||||
enable = true;
|
enable = true;
|
||||||
};
|
};
|
||||||
config.services.nginx = mkIf config.services.oauth2_proxy.enable (mkMerge
|
|
||||||
((optional (cfg.virtualHosts != []) {
|
config.services.nginx = mkIf (cfg.virtualHosts != [] && config.services.oauth2_proxy.enable) (mkMerge ([
|
||||||
recommendedProxySettings = true; # needed because duplicate headers
|
{
|
||||||
}) ++ (map (vhost: {
|
virtualHosts.${cfg.domain}.locations."/oauth2/" = {
|
||||||
virtualHosts.${vhost} = {
|
|
||||||
locations."/oauth2/" = {
|
|
||||||
proxyPass = cfg.proxy;
|
proxyPass = cfg.proxy;
|
||||||
extraConfig = ''
|
extraConfig = ''
|
||||||
proxy_set_header X-Scheme $scheme;
|
proxy_set_header X-Scheme $scheme;
|
||||||
proxy_set_header X-Auth-Request-Redirect $scheme://$host$request_uri;
|
proxy_set_header X-Auth-Request-Redirect $scheme://$host$request_uri;
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
locations."/oauth2/auth" = {
|
}
|
||||||
|
] ++ optional (cfg.virtualHosts != []) {
|
||||||
|
recommendedProxySettings = true; # needed because duplicate headers
|
||||||
|
} ++ (map (vhost: {
|
||||||
|
virtualHosts.${vhost}.locations = {
|
||||||
|
"/oauth2/auth" = {
|
||||||
proxyPass = cfg.proxy;
|
proxyPass = cfg.proxy;
|
||||||
extraConfig = ''
|
extraConfig = ''
|
||||||
proxy_set_header X-Scheme $scheme;
|
proxy_set_header X-Scheme $scheme;
|
||||||
|
@ -45,9 +60,10 @@ in
|
||||||
proxy_pass_request_body off;
|
proxy_pass_request_body off;
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
locations."/".extraConfig = ''
|
"@redirectToAuth2ProxyLogin".return = "307 https://${cfg.domain}/oauth2/start?rd=$scheme://$host$request_uri";
|
||||||
|
"/".extraConfig = ''
|
||||||
auth_request /oauth2/auth;
|
auth_request /oauth2/auth;
|
||||||
error_page 401 = /oauth2/sign_in;
|
error_page 401 = @redirectToAuth2ProxyLogin;
|
||||||
|
|
||||||
# pass information via X-User and X-Email headers to backend,
|
# pass information via X-User and X-Email headers to backend,
|
||||||
# requires running with --set-xauthrequest flag
|
# requires running with --set-xauthrequest flag
|
||||||
|
@ -60,7 +76,6 @@ in
|
||||||
auth_request_set $auth_cookie $upstream_http_set_cookie;
|
auth_request_set $auth_cookie $upstream_http_set_cookie;
|
||||||
add_header Set-Cookie $auth_cookie;
|
add_header Set-Cookie $auth_cookie;
|
||||||
'';
|
'';
|
||||||
|
|
||||||
};
|
};
|
||||||
}) cfg.virtualHosts)));
|
}) cfg.virtualHosts)));
|
||||||
}
|
}
|
||||||
|
|
Loading…
Reference in a new issue