From 51852c045a74210d6405dcc67fa0af83301e2b0b Mon Sep 17 00:00:00 2001
From: Jehiah Czebotar
Date: Thu, 2 Jul 2015 23:21:59 -0400
Subject: [PATCH] Doc updates clarifying external Load Balancer config

---
 README.md | 14 +++++++++-----
 1 file changed, 9 insertions(+), 5 deletions(-)

diff --git a/README.md b/README.md
index 3dd94ea..57777f2 100644
--- a/README.md
+++ b/README.md
@@ -160,11 +160,15 @@ The command line to run `oauth2_proxy` in this configuration would look like thi
 ```
-2) Configure SSL Termination with [Nginx](http://nginx.org/) (example config below) or Amazon ELB, or ....
+2) Configure SSL Termination with [Nginx](http://nginx.org/) (example config below), Amazon ELB, Google Cloud Platform Load Balancing, or ....
-Nginx will listen on port `443` and handle SSL connections while proxying to `oauth2_proxy` on port `4180`.
-`oauth2_proxy` which will then authenticate requests for an upstream application. The external
-endpoint for this example would be `https://internal.yourcompany.com/`.
+Because `oauth2_proxy` listens on `127.0.0.1:4180` by default, to listen on all interfaces (needed when using an
+external load balancer like Amazon ELB or Google Platform Load Balancing) use `--http-address="0.0.0.0:4180"` or
+`--http-address="http://:4180"`.
+
+Nginx will listen on port `443` and handle SSL connections while proxying to `oauth2_proxy` on port `4180`.
+`oauth2_proxy` will then authenticate requests for an upstream application. The external endpoint for this example
+would be `https://internal.yourcompany.com/`.
 An example Nginx config follows. Note the use of `Strict-Transport-Security` header to pin requests to SSL via [HSTS](http://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security):
@@ -175,7 +179,7 @@ server {
     server_name internal.yourcompany.com;
     ssl_certificate /path/to/cert.pem;
     ssl_certificate_key /path/to/cert.key;
-    add_header Strict-Transport-Security max-age=1209600;
+    add_header Strict-Transport-Security max-age=2592000;
     location / {
         proxy_pass http://127.0.0.1:4180;