Created
February 25, 2022 20:43
-
-
Save akrauza/aef62adacbd026fe83deeaa858e62eea to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
./oauth2-proxy --config=config.cfg --provider=adfs --login-url=https://adfs.web.krauza.cloud/adfs/oauth2/authorize --redeem-url=https://adfs.web.krauza.cloud/adfs/oauth2/token --oidc-issuer-url=https://adfs.web.krauza.cloud/adfs --whitelist-domain="adfs.web.krauza.cloud" | |
## OAuth2 Proxy Config File | |
## https://github.com/oauth2-proxy/oauth2-proxy | |
## <addr>:<port> to listen on for HTTP/HTTPS clients | |
http_address = "0.0.0.0:4180" | |
# https_address = ":443" | |
## Are we running behind a reverse proxy? Will not accept headers like X-Real-Ip unless this is set. | |
# reverse_proxy = true | |
## TLS Settings | |
# tls_cert_file = "" | |
# tls_key_file = "" | |
## the OAuth Redirect URL. | |
# defaults to the "https://" + requested host header + "/oauth2/callback" | |
redirect_url = "http://adk-ws-mbp-01.pool30.pfs.krauza.cloud:4180/oauth2/callback" | |
## the http url(s) of the upstream endpoint. If multiple, routing is based on path | |
upstreams = [ | |
"https://10.1.10.10:443/" | |
] | |
## Logging configuration | |
#logging_filename = "" | |
#logging_max_size = 100 | |
#logging_max_age = 7 | |
#logging_local_time = true | |
#logging_compress = false | |
#standard_logging = true | |
#standard_logging_format = "[{{.Timestamp}}] [{{.File}}] {{.Message}}" | |
#request_logging = true | |
#request_logging_format = "{{.Client}} - {{.Username}} [{{.Timestamp}}] {{.Host}} {{.RequestMethod}} {{.Upstream}} {{.RequestURI}} {{.Protocol}} {{.UserAgent}} {{.StatusCode}} {{.ResponseSize}} {{.RequestDuration}}" | |
#auth_logging = true | |
#auth_logging_format = "{{.Client}} - {{.Username}} [{{.Timestamp}}] [{{.Status}}] {{.Message}}" | |
## pass HTTP Basic Auth, X-Forwarded-User and X-Forwarded-Email information to upstream | |
# pass_basic_auth = true | |
# pass_user_headers = true | |
## pass the request Host Header to upstream | |
## when disabled the upstream Host is used as the Host Header | |
# pass_host_header = true | |
## Email Domains to allow authentication for (this authorizes any email on this domain) | |
## for more granular authorization use `authenticated_emails_file` | |
## To authorize any email addresses use "*" | |
email_domains = [ | |
"*" | |
] | |
## The OAuth Client ID, Secret | |
client_id = "acfec2a3-978a-4f2a-a639-ccb57a1ddd15" | |
client_secret = "RRP-r2nhjZPO-_qC1cdRyiGQHicBnkkwEo0URJS2" | |
## Pass OAuth Access token to upstream via "X-Forwarded-Access-Token" | |
# pass_access_token = false | |
## Authenticated Email Addresses File (one email per line) | |
# authenticated_emails_file = "" | |
## Htpasswd File (optional) | |
## Additionally authenticate against a htpasswd file. Entries must be created with "htpasswd -B" for bcrypt encryption | |
## enabling exposes a username/login signin form | |
# htpasswd_file = "" | |
## bypass authentication for requests that match the method & path. Format: method=path_regex OR path_regex alone for all methods | |
# skip_auth_routes = [ | |
# "GET=^/probe", | |
# "^/metrics" | |
# ] | |
## Templates | |
## optional directory with custom sign_in.html and error.html | |
# custom_templates_dir = "" | |
## skip SSL checking for HTTPS requests | |
ssl_insecure_skip_verify = false | |
## Cookie Settings | |
## Name - the cookie name | |
## Secret - the seed string for secure cookies; should be 16, 24, or 32 bytes | |
## for use with an AES cipher when cookie_refresh or pass_access_token | |
## is set | |
## Domain - (optional) cookie domain to force cookies to (ie: .yourcompany.com) | |
## Expire - (duration) expire timeframe for cookie | |
## Refresh - (duration) refresh the cookie when duration has elapsed after cookie was initially set. | |
## Should be less than cookie_expire; set to 0 to disable. | |
## On refresh, OAuth token is re-validated. | |
## (ie: 1h means tokens are refreshed on request 1hr+ after it was set) | |
## Secure - secure cookies are only sent by the browser of a HTTPS connection (recommended) | |
## HttpOnly - httponly cookies are not readable by javascript (recommended) | |
cookie_name = "_oauth2_proxy" | |
cookie_secret = "N4mOtBD-KkS1t09bM30Byhk08I1KgIm_4Hhf0h5K2Rw=" | |
cookie_domains = ".krauza.cloud" | |
# cookie_expire = "168h" | |
# cookie_refresh = "" | |
# cookie_secure = true | |
# cookie_httponly = true |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment