cc26d8592f
Fixes redirection after signing in when you use a single oauth2_proxy instance for multiple domains. The X-Auth-Request-Redirect header is used to decide which URL to redirect to after signing in. Specifying `request_uri` is enough when you need to redirect to the same domain that serves the oauth2 callback endpoint, but with multiple domains you should include the scheme and the host.
{ config, lib, ... }:

let
  inherit (lib) mkOption mkIf mkMerge optional hasPrefix types;

  cfg = config.services.oauth2_proxy.nginx;

  # True when at least one virtual host was asked to sit behind oauth2_proxy.
  anyVhosts = cfg.virtualHosts != [];

  # nginx configuration for one protected virtual host: two locations that are
  # forwarded to oauth2_proxy, plus an auth_request guard on "/".
  protectVhost = name: {
    virtualHosts.${name} = {
      # Sign-in, callback and sign-out endpoints, handled by oauth2_proxy.
      locations."/oauth2/" = {
        proxyPass = cfg.proxy;
        # X-Auth-Request-Redirect carries scheme and host so the post-login
        # redirect returns to the vhost that started the flow rather than to
        # whichever domain serves the callback.
        # NOTE(review): $host is taken from the client's Host header; confirm
        # that oauth2_proxy restricts absolute redirect targets (e.g. via its
        # domain whitelist) before relying on this across domains.
        extraConfig = ''
          proxy_set_header X-Scheme $scheme;
          proxy_set_header X-Auth-Request-Redirect $scheme://$host$request_uri;
        '';
      };

      # Subrequest target used by auth_request: headers are forwarded, the
      # request body is dropped.
      locations."/oauth2/auth" = {
        proxyPass = cfg.proxy;
        extraConfig = ''
          proxy_set_header X-Scheme $scheme;
          # nginx auth_request includes headers but not body
          proxy_set_header Content-Length "";
          proxy_pass_request_body off;
        '';
      };

      # auth_request is attached to the "/" location only. A location block
      # declared separately on the same vhost does not inherit it and is
      # served without this check.
      locations."/".extraConfig = ''
        auth_request /oauth2/auth;
        error_page 401 = /oauth2/sign_in;

        # pass information via X-User and X-Email headers to backend,
        # requires running with --set-xauthrequest flag
        auth_request_set $user $upstream_http_x_auth_request_user;
        auth_request_set $email $upstream_http_x_auth_request_email;
        proxy_set_header X-User $user;
        proxy_set_header X-Email $email;

        # if you enabled --cookie-refresh, this is needed for it to work with auth_request
        auth_request_set $auth_cookie $upstream_http_set_cookie;
        add_header Set-Cookie $auth_cookie;
      '';
    };
  };
in
{
  options.services.oauth2_proxy.nginx = {
    # Address nginx proxies the /oauth2/ locations to; defaults to the
    # listen address of the local oauth2_proxy service.
    proxy = mkOption {
      type = types.str;
      default = config.services.oauth2_proxy.httpAddress;
      description = ''
        The address of the reverse proxy endpoint for oauth2_proxy
      '';
    };

    # Names of nginx virtual hosts whose "/" location gets the auth_request guard.
    virtualHosts = mkOption {
      type = types.listOf types.str;
      default = [];
      description = ''
        A list of nginx virtual hosts to put behind the oauth2 proxy
      '';
    };
  };

  config = {
    # The local oauth2_proxy service is switched on only when the proxy
    # address points at loopback; any other address is assumed to be an
    # externally managed instance and is left alone.
    services.oauth2_proxy = mkIf (anyVhosts && hasPrefix "127.0.0.1:" cfg.proxy) {
      enable = true;
    };

    services.nginx = mkMerge (
      optional anyVhosts { recommendedProxySettings = true; } # needed because duplicate headers
      ++ map protectVhost cfg.virtualHosts
    );
  };
}