author | Sandro Jäckel <sandro.jaeckel@gmail.com> | 2023-12-19 21:00:20 +0100 |
---|---|---|
committer | Sandro Jäckel <sandro.jaeckel@gmail.com> | 2024-04-17 23:11:49 +0200 |
commit | a911604762beaccb2efdc64f993fb8dad6635ecf (patch) | |
tree | cd31a7a202719b47f5151d27f5b54b4f1ccab35e | |
parent | 38142559737cbcff539fcbcdbdba5281a870469d (diff) |
nixos/oauth2-proxy-nginx: lift auth_request to http block
With this change, all location blocks are now protected by oauth2-proxy, not only /
-rw-r--r-- | nixos/modules/services/security/oauth2_proxy_nginx.nix | 34 |
1 files changed, 22 insertions, 12 deletions
diff --git a/nixos/modules/services/security/oauth2_proxy_nginx.nix b/nixos/modules/services/security/oauth2_proxy_nginx.nix
index 1178b70e43438..87ea61276837c 100644
--- a/nixos/modules/services/security/oauth2_proxy_nginx.nix
+++ b/nixos/modules/services/security/oauth2_proxy_nginx.nix
@@ -28,7 +28,8 @@ in
 type = types.listOf types.str;
 default = [];
 description = ''
- A list of nginx virtual hosts to put behind the oauth2 proxy
+ A list of nginx virtual hosts to put behind the oauth2 proxy.
+ You can exclude specific locations by setting `auth_request off;` in the locations extraConfig setting.
 '';
 };
 };
@@ -50,18 +51,27 @@ in
 ] ++ optional (cfg.virtualHosts != []) {
 recommendedProxySettings = true; # needed because duplicate headers
 } ++ (map (vhost: {
- virtualHosts.${vhost}.locations = {
- "/oauth2/auth" = {
- proxyPass = cfg.proxy;
- extraConfig = ''
- proxy_set_header X-Scheme $scheme;
- # nginx auth_request includes headers but not body
- proxy_set_header Content-Length "";
- proxy_pass_request_body off;
- '';
+ virtualHosts.${vhost} = {
+ locations = {
+ "/oauth2/auth" = {
+ proxyPass = cfg.proxy;
+ extraConfig = ''
+ auth_request off;
+ proxy_set_header X-Scheme $scheme;
+ # nginx auth_request includes headers but not body
+ proxy_set_header Content-Length "";
+ proxy_pass_request_body off;
+ '';
+ };
+ "@redirectToAuth2ProxyLogin" = {
+ return = "307 https://${cfg.domain}/oauth2/start?rd=$scheme://$host$request_uri";
+ extraConfig = ''
+ auth_request off;
+ '';
+ };
 };
- "@redirectToAuth2ProxyLogin".return = "307 https://${cfg.domain}/oauth2/start?rd=$scheme://$host$request_uri";
- "/".extraConfig = ''
+
+ extraConfig = ''
 auth_request /oauth2/auth;
 error_page 401 = @redirectToAuth2ProxyLogin; |
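Review bot: The new `virtualHosts` description sentence documents the opt-out but not the scope change it opts out of: with `auth_request /oauth2/auth;` moved to the server-level extraConfig in the second hunk, every location of a listed virtual host now requires a valid oauth2-proxy session, not only `/`. I would state that first, e.g. `All locations of these virtual hosts are protected. You can exclude a specific location by setting "auth_request off;" in that location's extraConfig.`, which also fixes "the locations extraConfig setting" to the possessive. A location that opts out still inherits the server-level `error_page 401 = @redirectToAuth2ProxyLogin;` unless it defines its own error_page, so an nginx-generated 401 from such a location is redirected to the login page; that may be worth a sentence too. The second hunk is cut off at the end of SOURCE, so I have not reviewed its remaining lines.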