From ad7e61e8b1165b81ca32dfcda166cdbbab0dd7af Mon Sep 17 00:00:00 2001
From: Kevin Veen-Birkenbach
Date: Wed, 20 Aug 2025 15:56:32 +0200
Subject: [PATCH] Set default buffer level for proxy basic conf, which are necessary for OIDC login
---
 .../templates/headers/buffers.conf.j2 | 6 +++++
 .../templates/location/html.conf.j2 | 1 -
 .../templates/vhost/basic.conf.j2 | 3 ++-
 .../templates/container.yml.j2 | 2 +-
 .../templates/endpoint.conf.j2 | 24 +++++++------------
 5 files changed, 17 insertions(+), 19 deletions(-)
 create mode 100644 roles/srv-proxy-core/templates/headers/buffers.conf.j2
diff --git a/roles/srv-proxy-core/templates/headers/buffers.conf.j2 b/roles/srv-proxy-core/templates/headers/buffers.conf.j2
new file mode 100644
index 00000000..4f6dda5d
--- /dev/null
+++ b/roles/srv-proxy-core/templates/headers/buffers.conf.j2
@@ -0,0 +1,6 @@
+# Raise the maximal header size to allow huge headers Keycloak for authentification
+proxy_buffer_size 16k;
+proxy_buffers 8 16k;
+proxy_busy_buffers_size 16k;
+client_header_buffer_size 8k;
+large_client_header_buffers 8 32k;
diff --git a/roles/srv-proxy-core/templates/location/html.conf.j2 b/roles/srv-proxy-core/templates/location/html.conf.j2
index 013ed767..73e96fec 100644
--- a/roles/srv-proxy-core/templates/location/html.conf.j2
+++ b/roles/srv-proxy-core/templates/location/html.conf.j2
@@ -1,5 +1,4 @@
 {% set location = location | default("/")%}
-
 location {{location}} {
 {% if oauth2_proxy_enabled | default(false) | bool %}
diff --git a/roles/srv-proxy-core/templates/vhost/basic.conf.j2 b/roles/srv-proxy-core/templates/vhost/basic.conf.j2
index 8eafb142..2d4841c2 100644
--- a/roles/srv-proxy-core/templates/vhost/basic.conf.j2
+++ b/roles/srv-proxy-core/templates/vhost/basic.conf.j2
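Review bot: `large_client_header_buffers 8 32k;` on the last line of the buffers.conf.j2 hunk lets any client, before any authentication happens, make nginx hold up to 256 KiB of request-header buffers per connection — eight times the `4 16k` this commit removes from endpoint.conf.j2 and eight times nginx's default of 4×8k — and because basic.conf.j2 now includes this file in every `server {}` block, that per-connection bound applies to vhosts that never receive a Keycloak cookie, not only the OIDC ones. Unless `4 16k` was actually shown to be too small for the OIDC round-trip, raise only the per-buffer size, `large_client_header_buffers 4 32k;`, and record the reason in the file; if eight buffers really are needed, note which header exceeded 64 KiB. The comment on the first line is also hard to read; suggest `# Larger header/proxy buffers: Keycloak/OIDC logins carry very large cookies and redirect headers`.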
@@ -1,7 +1,8 @@
 server {
 server_name {{ domain }};
-
+ {% include 'roles/srv-proxy-core/templates/headers/buffers.conf.j2' %}
+
 {% if applications | get_app_conf(application_id, 'features.oauth2', False) %}
 {% include 'roles/web-app-oauth2-proxy/templates/endpoint.conf.j2'%}
 {% endif %}
diff --git a/roles/web-app-oauth2-proxy/templates/container.yml.j2 b/roles/web-app-oauth2-proxy/templates/container.yml.j2
index 9cb13e55..f7f5fb54 100644
--- a/roles/web-app-oauth2-proxy/templates/container.yml.j2
+++ b/roles/web-app-oauth2-proxy/templates/container.yml.j2
@@ -5,7 +5,7 @@
 command: --config /oauth2-proxy.cfg
 hostname: oauth2-proxy
 ports:
- - {{ports.localhost.oauth2_proxy[application_id]}}:4180/tcp
+ - {{ ports.localhost.oauth2_proxy[application_id] }}:4180/tcp
 volumes:
 - "{{ docker_compose.directories.volumes }}{{applications | get_app_conf('web-app-oauth2-proxy','configuration_file')}}:/oauth2-proxy.cfg"
 {% endif %}
\ No newline at end of file
diff --git a/roles/web-app-oauth2-proxy/templates/endpoint.conf.j2 b/roles/web-app-oauth2-proxy/templates/endpoint.conf.j2
index 78d42d4d..2f2b4f3b 100644
--- a/roles/web-app-oauth2-proxy/templates/endpoint.conf.j2
+++ b/roles/web-app-oauth2-proxy/templates/endpoint.conf.j2
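Review bot: The added `{% include 'roles/srv-proxy-core/templates/headers/buffers.conf.j2' %}` sits outside the `features.oauth2` check directly below it, so every vhost rendered from basic.conf.j2 gets the enlarged client-header and proxy buffers, whereas the previous home of those directives applied them only when oauth2-proxy was enabled. If that is deliberate — applications that log in against Keycloak directly need the limits too, as the commit message suggests — say so next to the include with `{# Large header/proxy buffers for Keycloak/OIDC logins; applied to every vhost, not only oauth2-proxy ones #}`; if not, move the include inside the same `{% if %}` as the endpoint include so vhosts without OIDC keep nginx's tighter defaults. The `server {}` block continues past the end of the hunk.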
@@ -1,16 +1,8 @@
- {# Include OAuth2 Proxy #}
- {# Raise the maximal header size. #}
- {# Keycloak uses huge headers for authentification #}
- proxy_buffer_size 16k;
- proxy_buffers 8 16k;
- proxy_busy_buffers_size 16k;
- large_client_header_buffers 4 16k;
-
- # OAuth2-Proxy-Endpoint
- location /oauth2/ {
- proxy_pass http://127.0.0.1:{{ports.localhost.oauth2_proxy[application_id]}};
- proxy_set_header Host $host;
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- proxy_set_header X-Forwarded-Proto $scheme;
- }
\ No newline at end of file
+# OAuth2-Proxy-Endpoint
+location /oauth2/ {
+    proxy_pass http://127.0.0.1:{{ ports.localhost.oauth2_proxy[application_id] }};
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+}
\ No newline at end of file
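Review bot: The buffer directives deleted from the top of this template now come solely from headers/buffers.conf.j2 as included by vhost/basic.conf.j2, so any other vhost template that includes endpoint.conf.j2 on its own would presumably fall back to nginx's default 4×8k header buffers, and the oversized Keycloak redirects this endpoint exists to handle would start failing there again. A one-line pointer at the top of the new file makes that dependency visible to whoever includes it elsewhere: `# Buffer sizes for the large Keycloak/OIDC headers are set by srv-proxy-core/templates/headers/buffers.conf.j2 in the enclosing vhost`. The enclosing `server {}` block lies outside this hunk.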