Skip to content
Permalink

Comparing changes

Choose two branches to see what’s changed or to start a new pull request. If you need to, you can also or learn more about diff comparisons.

Open a pull request

Create a new pull request by comparing changes across two branches. If you need to, you can also . Learn more about diff comparisons here.
base repository: NixOS/nixpkgs
Failed to load repositories. Confirm that selected base ref is valid, then try again.
Loading
base: 9655e1a134ad
Choose a base ref
...
head repository: NixOS/nixpkgs
Failed to load repositories. Confirm that selected head ref is valid, then try again.
Loading
compare: 1bb95d8409aa
Choose a head ref
  • 3 commits
  • 2 files changed
  • 2 contributors

Commits on Jun 29, 2018

  1. oauth2_proxy: add nginx vhost module

    Michishige Kaito committed Jun 29, 2018
    Copy the full SHA
    4a72999 View commit details
  2. fixup! oauth2_proxy: add nginx vhost module

    Michishige Kaito committed Jun 29, 2018
    Copy the full SHA
    2fec848 View commit details

Commits on Jul 5, 2018

  1. Merge pull request #42775 from mkaito/oauth2_proxy-virtualHosts

    oauth2_proxy: add nginx vhost module
    lukateras authored Jul 5, 2018
    Copy the full SHA
    1bb95d8 View commit details
Showing with 65 additions and 0 deletions.
  1. +1 −0 nixos/modules/module-list.nix
  2. +64 −0 nixos/modules/services/security/oauth2_proxy_nginx.nix
1 change: 1 addition & 0 deletions nixos/modules/module-list.nix
Original file line number Diff line number Diff line change
@@ -627,6 +627,7 @@
./services/security/hologram-agent.nix
./services/security/munge.nix
./services/security/oauth2_proxy.nix
./services/security/oauth2_proxy_nginx.nix
./services/security/physlock.nix
./services/security/shibboleth-sp.nix
./services/security/sks.nix
64 changes: 64 additions & 0 deletions nixos/modules/services/security/oauth2_proxy_nginx.nix
Original file line number Diff line number Diff line change
@@ -0,0 +1,64 @@
{ pkgs, config, lib, ... }:
with lib;
let
cfg = config.services.oauth2_proxy.nginx;
in
{
options.services.oauth2_proxy.nginx = {
proxy = mkOption {
type = types.string;
default = config.services.oauth2_proxy.httpAddress;
description = ''
The address of the reverse proxy endpoint for oauth2_proxy
'';
};
virtualHosts = mkOption {
type = types.listOf types.string;
default = [];
description = ''
A list of nginx virtual hosts to put behind the oauth2 proxy
'';
};
};
config.services.oauth2_proxy = mkIf (cfg.virtualHosts != [] && (hasPrefix "127.0.0.1:" cfg.proxy)) {
enable = true;
};
config.services.nginx = mkMerge ((optional (cfg.virtualHosts != []) {
recommendedProxySettings = true; # needed because duplicate headers
}) ++ (map (vhost: {
virtualHosts.${vhost} = {
locations."/oauth2/" = {
proxyPass = cfg.proxy;
extraConfig = ''
proxy_set_header X-Scheme $scheme;
proxy_set_header X-Auth-Request-Redirect $request_uri;
'';
};
locations."/oauth2/auth" = {
proxyPass = cfg.proxy;
extraConfig = ''
proxy_set_header X-Scheme $scheme;
# nginx auth_request includes headers but not body
proxy_set_header Content-Length "";
proxy_pass_request_body off;
'';
};
locations."/".extraConfig = ''
auth_request /oauth2/auth;
error_page 401 = /oauth2/sign_in;
# pass information via X-User and X-Email headers to backend,
# requires running with --set-xauthrequest flag
auth_request_set $user $upstream_http_x_auth_request_user;
auth_request_set $email $upstream_http_x_auth_request_email;
proxy_set_header X-User $user;
proxy_set_header X-Email $email;
# if you enabled --cookie-refresh, this is needed for it to work with auth_request
auth_request_set $auth_cookie $upstream_http_set_cookie;
add_header Set-Cookie $auth_cookie;
'';

};
}) cfg.virtualHosts));
}