
[Support]: Running into issues with multiple sub-domains on nginx proxy manager

Open zeroward opened this issue 5 months ago • 5 comments

OAuth2-Proxy Version

7.5.1

Provider

keycloak

Current Behaviour of your Problem

I'm attempting to have oauth2-proxy act as an auth proxy for a few of my services that don't have authentication built into them. Currently the flow goes nginx proxy manager -> oauth2-proxy -> service.

I have it working with a single upstream, but am struggling to get it to work with multiple upstreams. I've found some old posts mentioning fixes, but these all seem to be for k8s.

Configuration details or additional information

http_address="0.0.0.0:4180"
cookie_secret=""
email_domains=["", "", ""]
cookie_secure="true"
upstreams=["https://subdomain1.local", "https://subdomain2.local"]
cookie_domains=["", "", ""]
whitelist_domains=["", "", "*"]
insecure_oidc_allow_unverified_email="true"

keycloak provider

client_secret=""
client_id=""
redirect_url="*****"

oidc_issuer_url="*****"
provider="oidc"
provider_display_name="Keycloak"

cookie_csrf_per_request="true"
cookie_csrf_expire="5m"
reverse_proxy="true"

Steps To Reproduce

  1. docker-compose up

Expected output:

oauth2-proxy  | [2024/01/12 22:54:18] [main.go:54] invalid configuration:
oauth2-proxy  |   multiple upstreams found with id "/": upstream ids must be unique
oauth2-proxy  |   multiple upstreams found with path "/": upstream paths must be unique

zeroward avatar Jan 12 '24 22:01 zeroward

Regarding your setup, which of the following are you trying to accomplish:

  1. upstream behind oauth2-proxy
user -> nginx -> oauth2-proxy -> upstream
  2. upstream behind nginx with auth_request
               auth
user -> nginx <----> oauth-proxy
          |
          v
       upstream

tuunit avatar Jan 13 '24 18:01 tuunit

Furthermore, you cannot protect two upstreams using the same path. https://oauth2-proxy.github.io/oauth2-proxy/docs/next/configuration/overview#upstreams-configuration

Multiple upstreams can either be configured by supplying a comma separated list to the --upstream parameter, supplying the parameter multiple times or providing a list in the config file.

When multiple upstreams are used routing to them will be based on the path they are set up with.

If you want to protect multiple upstreams through the same oauth2-proxy instance, you will have to use the auth_request module in nginx, as described here: https://oauth2-proxy.github.io/oauth2-proxy/docs/next/configuration/overview#configuring-for-use-with-the-nginx-auth_request-directive

tuunit avatar Jan 13 '24 18:01 tuunit
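
The auth_request layout from the comment above, applied to the two hostnames in the original post, as an added example (not code from this thread or from the oauth2-proxy project). The backend addresses, certificate paths and the `X-User` header name are placeholders, and oauth2-proxy is assumed to be reachable at 127.0.0.1:4180.

```nginx
# Added example; lives in the http {} context (e.g. a conf.d file).
# nginx routes by Host, oauth2-proxy only answers /oauth2/*.
map $host $backend {
    subdomain1.local  http://10.0.0.11:8080;   # placeholder backend address
    subdomain2.local  http://10.0.0.12:8080;   # placeholder backend address
}

server {
    listen 443 ssl;
    server_name subdomain1.local subdomain2.local;
    ssl_certificate     /etc/nginx/certs/placeholder.crt;   # placeholder path
    ssl_certificate_key /etc/nginx/certs/placeholder.key;   # placeholder path

    # Sign-in, OIDC callback and sign-out are served by oauth2-proxy itself.
    location /oauth2/ {
        proxy_pass       http://127.0.0.1:4180;
        proxy_set_header Host                    $host;
        proxy_set_header X-Real-IP               $remote_addr;
        proxy_set_header X-Forwarded-Proto       $scheme;
        proxy_set_header X-Auth-Request-Redirect $request_uri;
    }

    # Subrequest target: 202 when the session cookie is valid, 401 otherwise.
    location = /oauth2/auth {
        internal;                                 # reachable only via auth_request
        proxy_pass       http://127.0.0.1:4180;
        proxy_set_header Host            $host;
        proxy_set_header X-Real-IP       $remote_addr;
        proxy_set_header X-Forwarded-Uri $request_uri;
        proxy_set_header Content-Length  "";      # the check needs no request body
        proxy_pass_request_body off;
    }

    location / {
        auth_request /oauth2/auth;
        error_page 401 =403 /oauth2/sign_in;

        # Overwrite any client-supplied identity header with the verified value
        # (populated only when oauth2-proxy runs with set_xauthrequest enabled).
        auth_request_set $user $upstream_http_x_auth_request_user;
        proxy_set_header X-User $user;

        proxy_set_header Host $host;
        proxy_pass $backend;
    }
}
```

With this layout nginx picks the backend by `Host`, so oauth2-proxy does not need two upstreams on `/`. The `cookie_domains` and `whitelist_domains` settings still have to cover both hostnames for the post-login redirect to work.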

Hi, did you succeed in making Oauth2-proxy work with nginx's auth_request? I am trying to do the same thing with Caddy's equivalent, forward_auth. I think that the Oauth2-proxy configuration would even be the same. What happens when you try to go to a protected app with your setup? I am getting "Unauthorized" with the configuration described here: https://github.com/oauth2-proxy/oauth2-proxy/issues/2380. I am very interested if you solve your issue.

LeVraiRoiDHyrule avatar Jan 18 '24 20:01 LeVraiRoiDHyrule

I did not get this working and honestly, have no idea what to do. Attempted to implement the fix above to no joy.

zeroward avatar Jan 18 '24 21:01 zeroward

auth_request module in nginx

Update of the docs link: https://oauth2-proxy.github.io/oauth2-proxy/configuration/overview#configuring-for-use-with-the-nginx-auth_request-directive

Jean-Baptiste-Lasselle avatar Feb 16 '24 17:02 Jean-Baptiste-Lasselle

This issue has been inactive for 60 days. If the issue is still relevant please comment to re-activate the issue. If no action is taken within 7 days, the issue will be marked closed.

github-actions[bot] avatar Apr 17 '24 00:04 github-actions[bot]