Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/status-im/infra-role-oauth-proxy
Ansible role for configuring oauth2_proxy Docker container
- Host: GitHub
- URL: https://github.com/status-im/infra-role-oauth-proxy
- Owner: status-im
- Created: 2020-02-03T10:24:28.000Z (about 5 years ago)
- Default Branch: master
- Last Pushed: 2024-11-28T14:43:57.000Z (3 months ago)
- Last Synced: 2025-01-01T20:08:51.238Z (about 1 month ago)
- Topics: ansible-role, infra
- Language: Jinja
- Homepage: https://github.com/pusher/oauth2_proxy
- Size: 49.8 KB
- Stars: 1
- Watchers: 9
- Forks: 2
- Open Issues: 0
Metadata Files:
- Readme: README.md
README
# Description
This role configures an [oauth2_proxy](https://github.com/pusher/oauth2_proxy) container that puts OAuth-based login (GitHub, Google or Keycloak provider) in front of an upstream service.
# Configuration
These settings are all mandatory:
```yaml
oauth_service_name: 'example-oauth'
oauth_service_path: '/docker/example/oauth'
oauth_domain: 'oauth.example.org'
oauth_upstream_port: 4321
oauth_local_port: 1234
oauth_cookie_secret: '123qweASD'
oauth_provider: 'github'
oauth_id: 'some-id'
oauth_secret: 'some-secret'
```
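The placeholder `oauth_cookie_secret` above is only 9 characters long. oauth2-proxy derives an AES key from the cookie secret, so it refuses to start unless the value decodes to 16, 24 or 32 bytes, and a guessable value would let anyone forge session cookies. The following is an added example, not code from this role or from oauth2-proxy: it pre-flights a set of role variables against the mandatory settings listed above, checks that the cookie secret is usable, and generates a fresh one the way the oauth2-proxy documentation recommends (32 random bytes, base64url). The function names are chosen here, and the decoding order (try base64url first, otherwise treat the string as raw bytes) approximates how oauth2-proxy interprets the value and is an assumption.

```python
"""Pre-flight check for the role's mandatory variables and the cookie secret.

Added example, not part of the infra-role-oauth-proxy role. The mandatory
variable names are the ones listed in the README; the length rule is
oauth2-proxy's (the decoded secret is used as an AES key, so it must be
16, 24 or 32 bytes). Decoding order approximates oauth2-proxy: base64url
first, raw string otherwise (assumption).
"""
import base64
import binascii
import secrets
from typing import Optional

MANDATORY_VARS = (
    "oauth_service_name", "oauth_service_path", "oauth_domain",
    "oauth_upstream_port", "oauth_local_port", "oauth_cookie_secret",
    "oauth_provider", "oauth_id", "oauth_secret",
)
VALID_KEY_LENGTHS = (16, 24, 32)  # AES-128 / AES-192 / AES-256


def generate_cookie_secret(nbytes: int = 32) -> str:
    """Return a fresh random secret, base64url-encoded, as oauth2-proxy's docs recommend."""
    if nbytes not in VALID_KEY_LENGTHS:
        raise ValueError(f"cookie secret must be one of {VALID_KEY_LENGTHS} bytes, got {nbytes}")
    return base64.urlsafe_b64encode(secrets.token_bytes(nbytes)).decode("ascii")


def cookie_secret_key_length(secret: str) -> Optional[int]:
    """AES key length oauth2-proxy would derive from `secret`, or None if it would reject it."""
    padded = secret + "=" * (-len(secret) % 4)  # tolerate unpadded base64url
    try:
        decoded = base64.b64decode(padded, altchars=b"-_", validate=True)
    except (binascii.Error, ValueError):
        decoded = b""
    if len(decoded) in VALID_KEY_LENGTHS:
        return len(decoded)
    # Not base64, or base64 of a non-AES length: the raw string is the secret.
    raw_len = len(secret.encode("utf-8"))
    return raw_len if raw_len in VALID_KEY_LENGTHS else None


def check_role_vars(role_vars: dict) -> list:
    """Return a list of problems; an empty list means the variables pass this check."""
    problems = [f"missing mandatory setting: {name}"
                for name in MANDATORY_VARS if name not in role_vars]
    secret = role_vars.get("oauth_cookie_secret")
    if secret is not None and cookie_secret_key_length(str(secret)) is None:
        problems.append("oauth_cookie_secret must be 16, 24 or 32 bytes (raw or base64url encoded)")
    return problems


# Constructed input: the README's example values, including the placeholder secret.
README_EXAMPLE_VARS = {
    "oauth_service_name": "example-oauth",
    "oauth_service_path": "/docker/example/oauth",
    "oauth_domain": "oauth.example.org",
    "oauth_upstream_port": 4321,
    "oauth_local_port": 1234,
    "oauth_cookie_secret": "123qweASD",
    "oauth_provider": "github",
    "oauth_id": "some-id",
    "oauth_secret": "some-secret",
}

if __name__ == "__main__":
    for problem in check_role_vars(README_EXAMPLE_VARS):
        print("README example:", problem)
    fixed = dict(README_EXAMPLE_VARS, oauth_cookie_secret=generate_cookie_secret())
    print("with generated secret:", check_role_vars(fixed) or "ok")
```

Running it reports the placeholder secret as unusable and passes once a generated 32-byte secret is substituted. Keep the real value out of the playbook in plain text (Ansible Vault or an external secret store), and rotate it if it ever leaks, since it is the key that protects every session cookie the proxy issues.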
Optional settings:
```yaml
oauth_local_addr: '0.0.0.0'
oauth_cont_volumes: ['/docker/example/www:/www']
oauth_upstream_url: 'file:///www#/'
oauth_cont_networks: ['other-container-network']
```
Different providers have different mandatory settings.
### GitHub
```yaml
oauth_github_org: 'example-org'
oauth_github_teams: ['devops', 'security']
```
### Google
```yaml
oauth_google_domain: 'example.org'
```
### Keycloak
```yaml
oauth_keycloak_url: 'https://keycloak.example.org'
oauth_keycloak_realm: 'example-org'
oauth_keycloak_domain: 'example.org'
oauth_keycloak_groups: ['admins', 'security']
oauth_keycloak_roles: ['admin']
oauth_scope: 'openid'
```
In order for the Keycloak client to work with oauth2-proxy, set up the client as described [here](https://oauth2-proxy.github.io/oauth2-proxy/configuration/providers/keycloak_oidc/) under `Keycloak new admin console`. The important part is to configure the dedicated audience mapper for your client: oauth2-proxy validates the token audience against its client ID, and without the mapper Keycloak does not put the client ID into the `aud` claim.
### Nested docker Compose
To include the `oauth-proxy` into another docker compose:
```yaml
oauth_compose_skip_start: true
oauth_upstream_addr: 'container-webui'
```
# Management
The container is created using Docker Compose:
```
[email protected]:/docker/example % dc ps
Name Command State Ports
-------------------------------------------------------------------------------
example-oauth /bin/oauth2-proxy --provid ... Up 0.0.0.0:9292->9292/tcp
```
# Known issues
Provider: `keycloak-oidc`, Service: [`Prometheus UI`](https://prometheus.infra.status.im/)
The setup consists of an Nginx proxy in front of the OAuth2 proxy container. After logging in, Nginx returned `502 Bad Gateway`. The Nginx error log showed:
```
2024/09/13 12:27:40 [error] 1699601#1699601: *28212 upstream sent too big header while reading response header from upstream...
```
The oversized response header is the session cookie oauth2-proxy sets after login: with the default cookie session store the `keycloak-oidc` tokens are kept in the (split) `_oauth2_proxy` cookie, and the resulting `Set-Cookie` headers exceed Nginx's default `proxy_buffer_size` of one memory page (4k or 8k). Increasing the proxy buffer sizes in the Nginx config fixed it:
```
proxy_buffering on;
proxy_buffers 16 256k;
proxy_buffer_size 128k;
```
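To see why the buffer values matter, here is an added example (not from the role, oauth2-proxy or Nginx) that measures an upstream response's header block the way Nginx does and reports whether it fits a given `proxy_buffer_size`. Nginx reads the status line and all headers into a single buffer of that size and logs `upstream sent too big header` when they do not fit. The sample response is constructed to resemble oauth2-proxy's post-login redirect with a session cookie split into `_oauth2_proxy_0`, `_oauth2_proxy_1`, ...; the token payloads are dummy `A` bytes, and the function names are chosen here.

```python
"""Diagnose Nginx's "upstream sent too big header" against an oauth2-proxy response.

Added example, not part of the role, oauth2-proxy or Nginx. Nginx reads the
whole upstream header block into one buffer of `proxy_buffer_size` bytes (one
memory page, 4k or 8k, by default); if the status line and headers do not fit,
it logs the error above and answers 502. The responses below are constructed.
"""
import re

_SIZE_UNITS = {"": 1, "k": 1024, "m": 1024 ** 2}


def parse_nginx_size(value: str) -> int:
    """Parse an Nginx size such as '4k', '128k' or '1m' into bytes."""
    match = re.fullmatch(r"\s*(\d+)\s*([kKmM]?)\s*", value)
    if not match:
        raise ValueError(f"not an nginx size: {value!r}")
    return int(match.group(1)) * _SIZE_UNITS[match.group(2).lower()]


def header_block_size(raw_response: bytes) -> int:
    """Bytes from the status line through the CRLFCRLF that terminates the headers."""
    end = raw_response.find(b"\r\n\r\n")
    if end < 0:
        raise ValueError("response has no end-of-headers marker")
    return end + 4


def set_cookie_sizes(raw_response: bytes) -> dict:
    """Size in bytes of each Set-Cookie header line (CRLF included), keyed by cookie name."""
    sizes = {}
    head = raw_response[: header_block_size(raw_response)]
    for line in head.split(b"\r\n")[1:]:
        if line.lower().startswith(b"set-cookie:"):
            name = line.split(b":", 1)[1].strip().split(b"=", 1)[0]
            sizes[name.decode("ascii", "replace")] = len(line) + 2
    return sizes


def fits_proxy_buffer(raw_response: bytes, proxy_buffer_size: str) -> bool:
    """True if Nginx could read this header block with the given proxy_buffer_size."""
    return header_block_size(raw_response) <= parse_nginx_size(proxy_buffer_size)


def _cookie(name: str, payload_len: int) -> bytes:
    # Constructed: oauth2-proxy splits a session too large for one cookie into
    # _oauth2_proxy_0, _oauth2_proxy_1, ... ; the payload here is dummy bytes.
    return (f"Set-Cookie: {name}={'A' * payload_len}; Path=/; Domain=example.org; "
            f"Expires=Sat, 14 Sep 2024 00:27:40 GMT; HttpOnly; Secure; SameSite=Lax\r\n").encode()


# Constructed sample: with the cookie session store the keycloak-oidc ID, access
# and refresh tokens all live in the cookie, so the headers alone exceed 8k.
OVERSIZED_RESPONSE = (
    b"HTTP/1.1 302 Found\r\n"
    b"Location: https://prometheus.example.org/\r\n"
    + _cookie("_oauth2_proxy_0", 3900)
    + _cookie("_oauth2_proxy_1", 3900)
    + _cookie("_oauth2_proxy_2", 1500)
    + b"Date: Fri, 13 Sep 2024 12:27:40 GMT\r\n"
    b"\r\n"
)

# Constructed sample: a small session (e.g. a Redis session ticket) fits easily.
SMALL_RESPONSE = (
    b"HTTP/1.1 302 Found\r\n"
    b"Location: https://prometheus.example.org/\r\n"
    + _cookie("_oauth2_proxy", 1200)
    + b"\r\n"
)

if __name__ == "__main__":
    for label, resp in (("oversized", OVERSIZED_RESPONSE), ("small", SMALL_RESPONSE)):
        print(f"{label}: {header_block_size(resp)} header bytes, cookies={set_cookie_sizes(resp)}")
        for setting in ("4k", "8k", "128k"):
            verdict = "ok" if fits_proxy_buffer(resp, setting) else "upstream sent too big header"
            print(f"  proxy_buffer_size {setting}: {verdict}")
```

The oversized sample fails at both 4k and 8k and passes at the 128k the role's Nginx config uses, which is exactly the behaviour seen in the known issue above. Raising the buffers is the cheapest fix; an alternative that removes the cause is oauth2-proxy's Redis session store (`--session-store-type=redis`), which keeps the tokens server-side and leaves only a small session ticket in the cookie.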