This repository has been archived by the owner on Jan 24, 2019. It is now read-only.

Trying a suggested method for multiple upstreams.. #244

ChristopherJacob opened this issue Apr 27, 2016 · 1 comment

@ChristopherJacob

I am attempting the method described in another issue response of...
nginx port 80/443 -> oauth2_proxy port 4180 -> nginx port 5180 -> various upstreams

I have nginx listening on 443, and it passes to oauth2_proxy. I authenticate and then hit a 404 error back from nginx. It looks like it's trying to get
https://my.internal.server/oauth2/callback?state=/&code=4/XXXXXXXXXXXX
instead of just hitting
https://my.internal.server

In my oauth2_proxy config I have...

    https_address = "127.0.0.1:4180"

and

    upstreams = [
        "https:/my.internal.server:5180"
    ]

In my nginx conf I have...

server {
    listen *:443;
    server_name my.internal.server;

    ssl_certificate           /etc/nginx/cert.crt;
    ssl_certificate_key       /etc/nginx/cert.key;

    ssl on;
    ssl_session_cache  builtin:1000  shared:SSL:10m;
    ssl_protocols  TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4;
    ssl_prefer_server_ciphers on;

    location / {
        proxy_set_header        Host $host;
        proxy_set_header        X-Real-IP $remote_addr;
        proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header        X-Forwarded-Proto $scheme;

        proxy_pass          https://127.0.0.1:4180;
        proxy_read_timeout  90;

        proxy_redirect      https://127.0.0.1 https://my.internal.server;
    }
}

and

server {
    listen       *:5180;
    server_name  my.internal.server;

    ssl_certificate           /etc/nginx/cert.crt;
    ssl_certificate_key       /etc/nginx/cert.key;

    ssl on;
    ssl_session_cache  builtin:1000  shared:SSL:10m;
    ssl_protocols  TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4;
    ssl_prefer_server_ciphers on;

    location / {
        proxy_set_header        Host $host;
        proxy_set_header        X-Real-IP $remote_addr;
        proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header        X-Forwarded-Proto $scheme;
        proxy_read_timeout  90;

        proxy_redirect      https://10.0.1.37 https://my.internal.server;
    }
}

Any ideas?

@ploxiln
Contributor

ploxiln commented Apr 27, 2016

https://my.internal.server/oauth2/callback should be handled by oauth2_proxy (and it's a necessary part of the oauth2 exchange); look in the oauth2_proxy logs to see what it says about it.

You can simplify your oauth2_proxy setup by not using https to connect to it. It's listening only on localhost and nginx is connecting directly to localhost so it's probably fine.

You can simplify your internal port-5180 nginx server block by listening only on localhost (127.0.0.1:5180), in which case it's probably safe to use plain http for that as well (instead of ssl/tls).

It's probably worth mentioning that you didn't include any proxy_pass statement in the nginx port-5180 server block you posted ... presumably your actual test config has it.

Finally, you shouldn't need the proxy_redirect line for oauth2_proxy. It should use the host header it got when constructing Location headers. (And whether you need the proxy_redirect line in the :5180 nginx server block is dependent on the application - if it's decently written, you don't, since you pass the original Host header all the way through.)
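The chain suggested in the comment above (nginx :443 -> oauth2_proxy :4180 over plain http -> localhost-only nginx :5180 -> one upstream per path), written out as an added example that is not from the original post or from the oauth2_proxy project. It assumes oauth2_proxy is started with http_address = "127.0.0.1:4180" and upstreams = ["http://127.0.0.1:5180/"]; the backend addresses 127.0.0.1:8080 and 127.0.0.1:9090 and the /api/ path are placeholders.

```nginx
# Public entry point: TLS terminates here and every request goes through oauth2_proxy.
server {
    listen 443 ssl;                       # replaces the deprecated "ssl on;" form
    server_name my.internal.server;

    ssl_certificate     /etc/nginx/cert.crt;
    ssl_certificate_key /etc/nginx/cert.key;
    ssl_protocols       TLSv1.2;          # TLSv1/1.1 dropped in this example
    ssl_prefer_server_ciphers on;

    location / {
        # oauth2_proxy builds the /oauth2/callback redirect and the Location
        # headers from the Host/X-Forwarded-* it receives, so pass the
        # client-facing values through; no proxy_redirect rewrite is needed.
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        proxy_pass         http://127.0.0.1:4180;   # plain http: localhost to localhost
        proxy_read_timeout 90;
    }
}

# Internal router: bound to 127.0.0.1 only, so it is reachable solely from
# oauth2_proxy on this host and plain http is acceptable. Authenticated
# requests land here and are fanned out to the per-path upstreams.
server {
    listen 127.0.0.1:5180;
    server_name my.internal.server;

    location / {
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;   # the client's scheme, not this hop's
        proxy_pass         http://127.0.0.1:8080;   # assumed: main application
        proxy_read_timeout 90;
    }

    location /api/ {
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-Proto https;
        proxy_pass         http://127.0.0.1:9090;   # assumed: second upstream
    }
}
```

Because the :5180 block is not exposed beyond loopback, the only path to any upstream is the authenticated one through :443, which is the property the split is meant to guarantee.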
