Refactored OAuth2 Proxy Configuration

2025-02-22 12:29:39 +01:00 · 2025-02-19 03:58:21 +01:00 · 2025-02-19 03:58:21 +01:00 · 1d360dfa95
commit 1d360dfa95
parent 74d8dad94c
4 changed files with 27 additions and 18 deletions
--- a/roles/docker-oauth2-proxy/templates/endpoint.conf.j2
+++ b/roles/docker-oauth2-proxy/templates/endpoint.conf.j2
@ -0,0 +1,16 @@
+  # Include OAuth2 Proxy
+  # Raise the maximal header size.
+  # Keycloak uses huge headers for authentification 
+  proxy_buffer_size 16k;
+  proxy_buffers 8 16k;
+  proxy_busy_buffers_size 16k;
+  large_client_header_buffers 4 16k;
+
+  # OAuth2-Proxy-Endpoint
+  location /oauth2/ {
+      proxy_pass http://127.0.0.1:{{ports.localhost.oauth2_proxy[application_id]}};
+      proxy_set_header Host $host;
+      proxy_set_header X-Real-IP $remote_addr;
+      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+      proxy_set_header X-Forwarded-Proto $scheme;
+  }
--- a/roles/docker-oauth2-proxy/templates/following_directives.conf.j2
+++ b/roles/docker-oauth2-proxy/templates/following_directives.conf.j2
@ -0,0 +1,9 @@
+# The following directives enforce OAuth2 authentication:
+
+auth_request /oauth2/auth;
+# This directive issues an internal sub-request to '/oauth2/auth' for every incoming request.
+# The sub-request checks if the client is authenticated.
+
+error_page 401 = /oauth2/start;
+# If the authentication check fails (i.e., a 401 Unauthorized is returned),
+# this directive redirects the client to '/oauth2/start', which typically initiates the OAuth2 login process.
--- a/roles/nginx-docker-reverse-proxy/templates/domain.conf.j2
+++ b/roles/nginx-docker-reverse-proxy/templates/domain.conf.j2
@ -3,22 +3,7 @@ server
  server_name {{domain}};

  {% if oauth2_proxy_active | bool %}
-  # Include OAuth2 Proxy
-  # Raise the maximal header size.
-  # Keycloak uses huge headers for authentification 
-  proxy_buffer_size 16k;
-  proxy_buffers 8 16k;
-  proxy_busy_buffers_size 16k;
-  large_client_header_buffers 4 16k;
-
-  # OAuth2-Proxy-Endpoint
-  location /oauth2/ {
-      proxy_pass http://127.0.0.1:{{ports.localhost.oauth2_proxy[application_id]}};
-      proxy_set_header Host $host;
-      proxy_set_header X-Real-IP $remote_addr;
-      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-      proxy_set_header X-Forwarded-Proto $scheme;
-  }
+    {% include 'roles/docker-oauth2-proxy/templates/endpoint.conf.j2'%}
  {% endif %}

  {% include 'roles/nginx-modifier-all/templates/global.includes.conf.j2'%}
--- a/roles/nginx-docker-reverse-proxy/templates/proxy_pass.conf.j2
+++ b/roles/nginx-docker-reverse-proxy/templates/proxy_pass.conf.j2
@ -1,8 +1,7 @@
 location /
 {
  {% if oauth2_proxy_active | bool %}
-  auth_request /oauth2/auth;
-  error_page 401 = /oauth2/start;
+    {% include 'roles/docker-oauth2-proxy/templates/following_directives.conf.j2'%}
  {% endif %}

  proxy_pass http://127.0.0.1:{{http_port}}/;