diff options
| author | Sandro Jäckel <sandro.jaeckel@gmail.com> | 2023-12-09 23:43:09 +0100 |
|---|---|---|
| committer | Sandro Jäckel <sandro.jaeckel@gmail.com> | 2024-03-02 23:07:48 +0100 |
| commit | 75c7e616012c7e3fbb498a3f11a2083856abc033 (patch) | |
| tree | 95ca8827595a086374a2983a53c7f8f96e84de5e | |
| parent | 8ba995cb305900425103687cfd346ffd6beaf35d (diff) | |
nixos/oauth2_proxy_nginx: allow placing the login page itself under a separate domain
OIDC provider usually requires a callback URL which can now be set to one domain when securing multiple virtualHosts under different (sub)domains
| -rw-r--r-- | nixos/modules/services/security/oauth2_proxy_nginx.nix | 35 |
1 files changed, 25 insertions, 10 deletions
diff --git a/nixos/modules/services/security/oauth2_proxy_nginx.nix b/nixos/modules/services/security/oauth2_proxy_nginx.nix index b8e45f67cf783..dd3ded6259c4a 100644 --- a/nixos/modules/services/security/oauth2_proxy_nginx.nix +++ b/nixos/modules/services/security/oauth2_proxy_nginx.nix @@ -13,6 +13,17 @@ in The address of the reverse proxy endpoint for oauth2_proxy ''; }; + + domain = mkOption { + type = types.str; + description = lib.mdDoc '' + The domain under which the oauth2_proxy will be accesible and the path of cookies are set to. + This setting must be set to ensure back-redirects are working properly + if oauth2-proxy is configured with {option}`services.oauth2_proxy.cookie.domain` + or multiple {option}`services.oauth2_proxy.nginx.virtualHosts` that are not on the same domain. + ''; + }; + virtualHosts = mkOption { type = types.listOf types.str; default = []; @@ -21,22 +32,26 @@ in ''; }; }; + config.services.oauth2_proxy = mkIf (cfg.virtualHosts != [] && (hasPrefix "127.0.0.1:" cfg.proxy)) { enable = true; }; - config.services.nginx = mkIf config.services.oauth2_proxy.enable (mkMerge - ((optional (cfg.virtualHosts != []) { - recommendedProxySettings = true; # needed because duplicate headers - }) ++ (map (vhost: { - virtualHosts.${vhost} = { - locations."/oauth2/" = { + + config.services.nginx = mkIf (cfg.virtualHosts != [] && config.services.oauth2_proxy.enable) (mkMerge ([ + { + virtualHosts.${cfg.domain}.locations."/oauth2/" = { proxyPass = cfg.proxy; extraConfig = '' proxy_set_header X-Scheme $scheme; proxy_set_header X-Auth-Request-Redirect $scheme://$host$request_uri; ''; }; - locations."/oauth2/auth" = { + } + ] ++ optional (cfg.virtualHosts != []) { + recommendedProxySettings = true; # needed because duplicate headers + } ++ (map (vhost: { + virtualHosts.${vhost}.locations = { + "/oauth2/auth" = { proxyPass = cfg.proxy; extraConfig = '' proxy_set_header X-Scheme $scheme; @@ -45,9 +60,10 @@ in proxy_pass_request_body off; ''; }; - locations."/".extraConfig = '' + "@redirectToAuth2ProxyLogin".return = "307 https://${cfg.domain}/oauth2/start?rd=$scheme://$host$request_uri"; + "/".extraConfig = '' auth_request /oauth2/auth; - error_page 401 = /oauth2/sign_in; + error_page 401 = @redirectToAuth2ProxyLogin; # pass information via X-User and X-Email headers to backend, # requires running with --set-xauthrequest flag @@ -60,7 +76,6 @@ in auth_request_set $auth_cookie $upstream_http_set_cookie; add_header Set-Cookie $auth_cookie; ''; - }; }) cfg.virtualHosts))); } |