-
Notifications
You must be signed in to change notification settings - Fork 1.2k
Documenation for multiple upstreams? #12
Comments
It's true, the documentation of multiple upstreams should be improved. The upstreams can be on multiple domains. The path is always passed directly through the proxy, it isn't munged. If you include a path in the upstream, like So, for example, if google_auth_proxy was listening on port 80 and had |
@ploxiln, this would work well if everything is being served from the same FQDN. Is there currently a way to get this to work with virtual domains? For example if I have the following virtual servers configured in nginx: host1.mydomain.com > localhost:8081 how would I proxy multiple domains in such a way as to retain the routing after the client is redirected to the OAuth callback URL? host1.mydomain.com > localhost:4180 > localhost:8081 |
You're right, the current mechanism only supports distinguishing based on path, not based on host. |
i'm presently starting multiple proxies to handle multiple virtual servers for the same host, to ensure the URLs are portable across hosts. i get the feeling this won't scale well though. thank you for the clarification though. |
hey folks,
upstream google-auth {
least_conn;
server localhost:4180;
}
server {
listen *:8080;
server_name ~^auth.(?<domain>internal.*)$;
location = /oauth2/callback {
proxy_pass http://google-auth;
}
location ~/(?<sub>[^/]+)(?<remaining_uri>.*)$ {
rewrite ^ $scheme://$sub.$domain$remaining_uri;
}
}
server {
listen *:8080;
server_name ~^(.+).internal.*;
location = /oauth2/start {
proxy_pass http://google-auth/oauth2/start?rd=%2F$1;
}
location / {
proxy_pass http://google-auth;
}
} # send to elasticsearch
upstream es {
least_conn;
server localhost:9200
}
server {
listen *:8081;
server_name es.internal.*;
location / {
proxy_pass http://es;
proxy_redirect off;
}
} # send to consul
upstream consul {
least_conn;
server localhost:8500
}
server {
listen *:8081;
server_name consul.internal.*;
location / {
proxy_pass http://consul;
proxy_redirect off;
}
}
--upstream="http://localhost:8081" \
--redirect-url="https://auth.internal.example.com/oauth2/callback" \
--google-apps-domain="example.com" \
--cookie-domain=".internal.example.com" \
--client-id=$GOOGLE_AUTH_CLIENT_ID \
--client-secret=$GOOGLE_AUTH_CLIENT_SECRET
sorry, this is a bit hinky. I hope I rewrote the steps in a generic manner and that it isn't tied to my particular setup (aws, elb, docker, consul, consul-template, etc.) let me know if you have questions or thoughts on how to simplify this! |
Great solution @skippy !!! Thanks, |
Hi all (again), BTW, is there an IRC/google-groups/slack/other channels for discussion ? Thanks, |
All traffic needs to be proxied through oauth2_proxy. Otherwise, what decides what traffic has already authenticated? oauth2_proxy looks at a cookie in the request in order to know. |
Hey all, I'm finding the current upstream configuration options fairly limiting. For example, my current use-case is using oauth2-proxy as a single proxy for all our company's internal apps: https://internal.mycompany.com/metrics -> internally built rails app Any apps we built internally, it's easy enough to add a prefix, so that as oauth2-proxy routes all traffic from For jenkins, we've found configuration options to also add a prefix. For other open source projects, like rabbitmq, it's not as simple to force it to serve it's root with a prefix, and we have to resort to wrapping it with an additional proxy to strip out the prefix. Perhaps having an option to specify upstreams with a hash rather an array could make the routing more flexible while still being fairly simple?:
|
As part of #142, I added some documentation to the README file on how the upstreams can be configured, you can find it under the Upstreams Configuration header. If that's sufficient, I guess this issue can be closed. |
📝++ |
A solution that worked for me: 1. Oauth2_proxy Configuration
2. Nginx ConfigurationsSites-enabled: Google-auth Configuration
Sites-enabled: Upstreams Configuration
Nginx.conf Settings for Logging
|
I've read through the README and looked at the code, although I'm still pretty new to Go. I don't understand how multiple upstreams is suppose to work? Can the upstreams be multiple different domains? Or only unique uri?
"If multiple, routing is based on path" is a little vague.
Any help would be appreciated.
The text was updated successfully, but these errors were encountered: