From c35eb10343615e284403c17d21c29bd37df8c4fe Mon Sep 17 00:00:00 2001
From: Kevin Veen-Birkenbach
Date: Sun, 26 Jan 2025 15:15:23 +0100
Subject: [PATCH] implemented functioning oauth2-proxy
---
 roles/docker-oauth2-proxy/tasks/main.yml | 6 +++++
 .../templates/container.yml.j2 | 24 +++++++++++++++++++
 .../templates/oauth2-proxy-keycloak.cfg.j2 | 18 ++++++++++++++
 roles/docker-openproject/tasks/main.yml | 6 +++++
 .../templates/docker-compose.yml.j2 | 2 +-
 .../templates/domain.conf.j2 | 15 ++++++++----
 templates/docker/services/oauth2-proxy.yml.j2 | 15 ------------
 7 files changed, 66 insertions(+), 20 deletions(-)
 create mode 100644 roles/docker-oauth2-proxy/tasks/main.yml
 create mode 100644 roles/docker-oauth2-proxy/templates/container.yml.j2
 create mode 100644 roles/docker-oauth2-proxy/templates/oauth2-proxy-keycloak.cfg.j2
 delete mode 100644 templates/docker/services/oauth2-proxy.yml.j2
diff --git a/roles/docker-oauth2-proxy/tasks/main.yml b/roles/docker-oauth2-proxy/tasks/main.yml
new file mode 100644
index 00000000..adae50be
--- /dev/null
+++ b/roles/docker-oauth2-proxy/tasks/main.yml
@@ -0,0 +1,6 @@
+- name: "Transfering oauth2-proxy-keycloak.cfg.j2 to {{docker_compose_instance_directory}}"
+ copy:
+ src: oauth2-proxy-keycloak.cfg.j2
+ dest: "{{docker_compose_instance_directory}}oauth2-proxy-keycloak.cfg"
+# notify:
+# - docker compose project setup
\ No newline at end of file
diff --git a/roles/docker-oauth2-proxy/templates/container.yml.j2 b/roles/docker-oauth2-proxy/templates/container.yml.j2
new file mode 100644
index 00000000..b7722a5e
--- /dev/null
+++ b/roles/docker-oauth2-proxy/templates/container.yml.j2
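Review bot: The task uses the `copy` module on `oauth2-proxy-keycloak.cfg.j2`, so the Jinja placeholders (`{{oauth2_proxy_cookie_secret}}`, `{{oauth2_proxy_client_secret}}`) would be written out literally instead of rendered, and `copy` resolves `src` under `files/`, not `templates/`; the sibling task added to `roles/docker-openproject/tasks/main.yml` in this same patch already does this with `template:`, so this one should match it. Because the rendered file carries the OIDC client secret and the cookie-signing secret, also add `mode: "0600"` so the file is not world-readable under the default umask. The `notify` block is commented out, so a changed config would not trigger the `docker compose project setup` handler; either restore it or remove the stale comment.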
@@ -0,0 +1,24 @@
+ oauth2-proxy:
+ image: quay.io/oauth2-proxy/oauth2-proxy:v7.8.1
+ #image: quay.io/oauth2-proxy/oauth2-proxy:{{oauth2_version}}
+ restart: {{docker_restart_policy}}
+ command: --config /oauth2-proxy.cfg
+ hostname: oauth2-proxy
+ #environment:
+ # OAUTH2_PROXY_PROVIDER: "keycloak" # The OAuth2 provider, in this case, Keycloak. Change based on your provider (e.g., Google, GitHub).
+ # OAUTH2_PROXY_OIDC_ISSUER_URL: "https://auth.veen.world/auth/realms/veen.world"
+ # OAUTH2_PROXY_CLIENT_ID: "{{domain}}" # The client ID configured in Keycloak for the application.
+ # OAUTH2_PROXY_CLIENT_SECRET: "{{oauth2_proxy_client_secret}}" # The client secret configured in Keycloak for the application.
+ # OAUTH2_PROXY_COOKIE_SECRET: "{{oauth2_proxy_cookie_secret}}" # A random 32-character string used to sign cookies for session management. Generate with `openssl rand -base64 32`.
+ # #OAUTH2_PROXY_EMAIL_DOMAINS: "{{primary_domain}}" # The allowed email domain(s) for authentication. Example: "example.com".
+ # OAUTH2_PROXY_REDIRECT_URL: "{{oauth2_proxy_redirect_url}}" # The redirect URL for the OAuth2 flow. It should match the redirect URL configured in Keycloak.
+ # OAUTH2_PROXY_UPSTREAMS: "http://127.0.0.1:{{http_port}}" # The internal upstream service (your application) that OAuth2-Proxy protects.
+ ports:
+ # - "127.0.0.1:{{oauth2_proxy_port}}:4180"
+ - 4180:4180/tcp
+ volumes:
+ - "./oauth2-proxy-keycloak.cfg:/oauth2-proxy.cfg"
+{% include 'templates/docker/container/networks.yml.j2' %}
+# keycloak: {}
+# httpbin: {}
+# oauth2-proxy: {}
\ No newline at end of file
diff --git a/roles/docker-oauth2-proxy/templates/oauth2-proxy-keycloak.cfg.j2 b/roles/docker-oauth2-proxy/templates/oauth2-proxy-keycloak.cfg.j2
new file mode 100644
index 00000000..ad32ee6c
--- /dev/null
+++ b/roles/docker-oauth2-proxy/templates/oauth2-proxy-keycloak.cfg.j2
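Review bot: `- 4180:4180/tcp` publishes the oauth2-proxy listener on every host interface, replacing the loopback-bound mapping that is now commented out directly above it, so the proxy becomes reachable over plain HTTP from outside, bypassing the TLS-terminating nginx `location /oauth2/` that this patch points at `127.0.0.1:{{oauth2_proxy_port}}`. Restore `- "127.0.0.1:{{oauth2_proxy_port}}:4180"` (quoted, as Compose port mappings should be); since nginx dials `{{oauth2_proxy_port}}`, hard-coding 4180 on the host side only works when that variable happens to be 4180. The image tag is also pinned to the literal `v7.8.1` while the `{{oauth2_version}}` form used by the deleted template is left commented out; keeping the variable avoids a second place to bump on upgrades.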
@@ -0,0 +1,18 @@
+http_address="0.0.0.0:4180"
+cookie_secret="{{oauth2_proxy_cookie_secret}}"
+email_domains="{{primary_domain}}"
+cookie_secure="false"
+upstreams="http://proxy:80"
+cookie_domains=["{{domain}}", "{{domain_keycloak}}"] # Required so cookie can be read on all subdomains.
+whitelist_domains=[".{{primary_domain}}"] # Required to allow redirection back to original requested target.
+
+# keycloak provider
+client_secret="{{oauth2_proxy_client_secret}}"
+client_id="{{domain}}"
+#redirect_url="http://oauth2-proxy.localtest.me:4180/oauth2/callback"
+redirect_url="https://{{domain}}/oauth2/callback"
+
+# in this case oauth2-proxy is going to visit
+oidc_issuer_url="https://{{domain_keycloak}}/realms/{{primary_domain}}"
+provider="oidc"
+provider_display_name="Keycloak"
\ No newline at end of file
diff --git a/roles/docker-openproject/tasks/main.yml b/roles/docker-openproject/tasks/main.yml
index d91645c3..f0cd3079 100644
--- a/roles/docker-openproject/tasks/main.yml
+++ b/roles/docker-openproject/tasks/main.yml
@@ -8,6 +8,12 @@
 - name: "include tasks update-repository-with-docker-compose.yml"
 include_tasks: update-repository-with-docker-compose.yml
+- name: "Transfering oauth2-proxy-keycloak.cfg.j2 to {{docker_compose_instance_directory}}"
+ template:
+ src: roles/docker-oauth2-proxy/templates/oauth2-proxy-keycloak.cfg.j2
+ dest: "{{docker_compose_instance_directory}}oauth2-proxy-keycloak.cfg"
+ notify:
+ - docker compose project setup
 - name: "Transfering Gemfile.plugins to {{docker_compose_instance_directory}}"
 copy:
diff --git a/roles/docker-openproject/templates/docker-compose.yml.j2 b/roles/docker-openproject/templates/docker-compose.yml.j2
index c4e0f96a..4ab67cd1 100644
--- a/roles/docker-openproject/templates/docker-compose.yml.j2
+++ b/roles/docker-openproject/templates/docker-compose.yml.j2
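Review bot: `cookie_secure="false"` makes oauth2-proxy set its session cookie without the Secure flag even though `redirect_url` is `https://{{domain}}/oauth2/callback` and the service sits behind TLS-terminating nginx, so any plain-HTTP request to a host covered by `cookie_domains` would send the session cookie in clear; change it to `cookie_secure="true"`. Behind nginx the proxy also needs `reverse_proxy="true"` so it trusts the `X-Forwarded-*` headers for scheme and client address (the nginx location in this patch visibly sets only `Host`; the remaining `proxy_set_header` lines are outside the hunk). The file embeds `client_secret` and `cookie_secret` in clear text, so whichever task renders it must give it restrictive permissions, and `cookie_domains` including `{{domain_keycloak}}` is worth a second look since the oauth2-proxy session cookie has no reader on the Keycloak host.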
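Review bot: The new `template` task renders a file containing `oauth2_proxy_client_secret` and `oauth2_proxy_cookie_secret` but sets no `mode`, so the result gets the default umask permissions (typically 0644) and is readable by every local account; add `mode: "0600"` (plus explicit `owner`/`group` if the compose user differs from the Ansible connection user). `src: roles/docker-oauth2-proxy/templates/...` reaches across roles by repository-relative path, which only resolves from the playbook directory and duplicates the task this patch adds to `roles/docker-oauth2-proxy/tasks/main.yml`; including that role, or moving the template into this role, would keep one owner for the secret-bearing file.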
@@ -22,7 +22,7 @@ services:
 {% include 'templates/docker/services/' + database_type + '.yml.j2' %}
-{% include 'templates/docker/services/oauth2-proxy.yml.j2' %}
+{% include 'roles/docker-oauth2-proxy/templates/container.yml.j2' %}
 cache:
 image: memcached
diff --git a/roles/nginx-docker-reverse-proxy/templates/domain.conf.j2 b/roles/nginx-docker-reverse-proxy/templates/domain.conf.j2
index 6499da4a..56c07ef2 100644
--- a/roles/nginx-docker-reverse-proxy/templates/domain.conf.j2
+++ b/roles/nginx-docker-reverse-proxy/templates/domain.conf.j2
@@ -2,9 +2,16 @@ server {
 server_name {{domain}};
- # Include OAuth2 Proxy
 {% if oauth2_proxy_active | bool %}
- # OAuth2-Proxy-Endpunkte
+ # Include OAuth2 Proxy
+ # Raise the maximal header size.
+ # Keycloak uses huge headers for authentification
+ proxy_buffer_size 16k;
+ proxy_buffers 8 16k;
+ proxy_busy_buffers_size 16k;
+ large_client_header_buffers 4 16k;
+
+ # OAuth2-Proxy-Endpoint
 location /oauth2/ {
 proxy_pass http://127.0.0.1:{{oauth2_proxy_port}};
 proxy_set_header Host $host;
@@ -14,13 +21,13 @@
 }
 {% endif %}
- # Include Matomo Tracking Code
 {% if nginx_matomo_tracking | bool %}
+ # Include Matomo Tracking Code
 {% include 'roles/nginx-matomo-tracking/templates/matomo-tracking.conf.j2' %}
 {% endif %}
- # Additional Domain Specific Configuration
 {% if nginx_docker_reverse_proxy_extra_configuration is defined %}
+ # Additional Domain Specific Configuration
 {{nginx_docker_reverse_proxy_extra_configuration}}
 {% endif %}
diff --git a/templates/docker/services/oauth2-proxy.yml.j2 b/templates/docker/services/oauth2-proxy.yml.j2
deleted file mode 100644
index 7e574178..00000000
--- a/templates/docker/services/oauth2-proxy.yml.j2
+++ /dev/null
@@ -1,15 +0,0 @@
- oauth2-proxy:
- image: quay.io/oauth2-proxy/oauth2-proxy:{{oauth2_version}}
- restart: {{docker_restart_policy}}
- environment:
- OAUTH2_PROXY_PROVIDER: "keycloak" # The OAuth2 provider, in this case, Keycloak. Change based on your provider (e.g., Google, GitHub).
- OAUTH2_PROXY_OIDC_ISSUER_URL: "https://auth.veen.world/auth/realms/veen.world"
- OAUTH2_PROXY_CLIENT_ID: "{{domain}}" # The client ID configured in Keycloak for the application.
- OAUTH2_PROXY_CLIENT_SECRET: "{{oauth2_proxy_client_secret}}" # The client secret configured in Keycloak for the application.
- OAUTH2_PROXY_COOKIE_SECRET: "{{oauth2_proxy_cookie_secret}}" # A random 32-character string used to sign cookies for session management. Generate with `openssl rand -base64 32`.
- #OAUTH2_PROXY_EMAIL_DOMAINS: "{{primary_domain}}" # The allowed email domain(s) for authentication. Example: "example.com".
- OAUTH2_PROXY_REDIRECT_URL: "{{oauth2_proxy_redirect_url}}" # The redirect URL for the OAuth2 flow. It should match the redirect URL configured in Keycloak.
- OAUTH2_PROXY_UPSTREAMS: "http://127.0.0.1:{{http_port}}" # The internal upstream service (your application) that OAuth2-Proxy protects.
- ports:
- - "127.0.0.1:{{oauth2_proxy_port}}:4180"
-{% include 'templates/docker/container/networks.yml.j2' %}
\ No newline at end of file