Merge remote-tracking branch 'origin/master' into enhanced_logging
commit
8a2dc3c51d
27
CHANGELOG.md
27
CHANGELOG.md
@ -1,5 +1,28 @@
|
|||||||
# Vx.x.x (Pre-release)
|
# Vx.x.x (Pre-release)
|
||||||
|
|
||||||
|
## Changes since v3.1.0
|
||||||
|
|
||||||
|
# v3.1.0
|
||||||
|
|
||||||
|
## Release highlights
|
||||||
|
|
||||||
|
- Introduction of ARM releases and and general improvements to Docker builds
|
||||||
|
- Improvements to OIDC provider allowing pass-through of ID Tokens
|
||||||
|
- Multiple redirect domains can now be whitelisted
|
||||||
|
- Streamed responses are now flushed periodically
|
||||||
|
|
||||||
|
## Important notes
|
||||||
|
|
||||||
|
- If you have been using [#bitly/621](https://github.com/bitly/oauth2_proxy/pull/621)
|
||||||
|
and have cookies larger than the 4kb limit,
|
||||||
|
the cookie splitting pattern has changed and now uses `_` in place of `-` when
|
||||||
|
indexing cookies.
|
||||||
|
This will force users to reauthenticate the first time they use `v3.1.0`.
|
||||||
|
- Streamed responses will now be flushed every 1 second by default.
|
||||||
|
Previously streamed responses were flushed only when the buffer was full.
|
||||||
|
To retain the old behaviour set `--flush-interval=0`.
|
||||||
|
See [#23](https://github.com/pusher/oauth2_proxy/pull/23) for further details.
|
||||||
|
|
||||||
## Changes since v3.0.0
|
## Changes since v3.0.0
|
||||||
|
|
||||||
- [#14](https://github.com/pusher/oauth2_proxy/pull/14) OIDC ID Token, Authorization Headers, Refreshing and Verification (@joelspeed)
|
- [#14](https://github.com/pusher/oauth2_proxy/pull/14) OIDC ID Token, Authorization Headers, Refreshing and Verification (@joelspeed)
|
||||||
@ -7,12 +30,12 @@
|
|||||||
- Implement token refreshing in OIDC provider
|
- Implement token refreshing in OIDC provider
|
||||||
- Split cookies larger than 4k limit into multiple cookies
|
- Split cookies larger than 4k limit into multiple cookies
|
||||||
- Implement token validation in OIDC provider
|
- Implement token validation in OIDC provider
|
||||||
- [#15](https://github.com/pusher/oauth2_proxy/pull/21) WhitelistDomains (@joelspeed)
|
- [#15](https://github.com/pusher/oauth2_proxy/pull/15) WhitelistDomains (@joelspeed)
|
||||||
- Add `--whitelist-domain` flag to allow redirection to approved domains after OAuth flow
|
- Add `--whitelist-domain` flag to allow redirection to approved domains after OAuth flow
|
||||||
- [#21](https://github.com/pusher/oauth2_proxy/pull/21) Docker Improvement (@yaegashi)
|
- [#21](https://github.com/pusher/oauth2_proxy/pull/21) Docker Improvement (@yaegashi)
|
||||||
- Move Docker base image from debian to alpine
|
- Move Docker base image from debian to alpine
|
||||||
- Install ca-certificates in docker image
|
- Install ca-certificates in docker image
|
||||||
- [#23](https://github.com/pusher/oauth2_proxy/pull/21) Flushed streaming responses
|
- [#23](https://github.com/pusher/oauth2_proxy/pull/23) Flushed streaming responses
|
||||||
- Long-running upstream responses will get flushed every <timeperiod> (1 second by default)
|
- Long-running upstream responses will get flushed every <timeperiod> (1 second by default)
|
||||||
- [#24](https://github.com/pusher/oauth2_proxy/pull/24) Redirect fix (@agentgonzo)
|
- [#24](https://github.com/pusher/oauth2_proxy/pull/24) Redirect fix (@agentgonzo)
|
||||||
- After a successful login, you will be redirected to your original URL rather than /
|
- After a successful login, you will be redirected to your original URL rather than /
|
||||||
|
32
Makefile
32
Makefile
@ -1,6 +1,6 @@
|
|||||||
include .env
|
include .env
|
||||||
BINARY := oauth2_proxy
|
BINARY := oauth2_proxy
|
||||||
VERSION := $(shell git describe --always --long --dirty --tags 2>/dev/null || echo "undefined")
|
VERSION := $(shell git describe --always --dirty --tags 2>/dev/null || echo "undefined")
|
||||||
.NOTPARALLEL:
|
.NOTPARALLEL:
|
||||||
|
|
||||||
.PHONY: all
|
.PHONY: all
|
||||||
@ -47,17 +47,31 @@ $(BINARY):
|
|||||||
|
|
||||||
.PHONY: docker
|
.PHONY: docker
|
||||||
docker:
|
docker:
|
||||||
docker build -f Dockerfile -t pusher/oauth2_proxy:latest .
|
docker build -f Dockerfile -t quay.io/pusher/oauth2_proxy:latest .
|
||||||
|
|
||||||
.PHONY: docker-all
|
.PHONY: docker-all
|
||||||
docker-all: docker
|
docker-all: docker
|
||||||
docker build -f Dockerfile -t pusher/oauth2_proxy:latest-amd64 .
|
docker build -f Dockerfile -t quay.io/pusher/oauth2_proxy:latest-amd64 .
|
||||||
docker build -f Dockerfile -t pusher/oauth2_proxy:${VERSION} .
|
docker build -f Dockerfile -t quay.io/pusher/oauth2_proxy:${VERSION} .
|
||||||
docker build -f Dockerfile -t pusher/oauth2_proxy:${VERSION}-amd64 .
|
docker build -f Dockerfile -t quay.io/pusher/oauth2_proxy:${VERSION}-amd64 .
|
||||||
docker build -f Dockerfile.arm64 -t pusher/oauth2_proxy:latest-arm64 .
|
docker build -f Dockerfile.arm64 -t quay.io/pusher/oauth2_proxy:latest-arm64 .
|
||||||
docker build -f Dockerfile.arm64 -t pusher/oauth2_proxy:${VERSION}-arm64 .
|
docker build -f Dockerfile.arm64 -t quay.io/pusher/oauth2_proxy:${VERSION}-arm64 .
|
||||||
docker build -f Dockerfile.armv6 -t pusher/oauth2_proxy:latest-armv6 .
|
docker build -f Dockerfile.armv6 -t quay.io/pusher/oauth2_proxy:latest-armv6 .
|
||||||
docker build -f Dockerfile.armv6 -t pusher/oauth2_proxy:${VERSION}-armv6 .
|
docker build -f Dockerfile.armv6 -t quay.io/pusher/oauth2_proxy:${VERSION}-armv6 .
|
||||||
|
|
||||||
|
.PHONY: docker-push
|
||||||
|
docker-push:
|
||||||
|
docker push quay.io/pusher/oauth2_proxy:latest
|
||||||
|
|
||||||
|
.PHONY: docker-push-all
|
||||||
|
docker-push-all: docker-push
|
||||||
|
docker push quay.io/pusher/oauth2_proxy:latest-amd64
|
||||||
|
docker push quay.io/pusher/oauth2_proxy:${VERSION}
|
||||||
|
docker push quay.io/pusher/oauth2_proxy:${VERSION}-amd64
|
||||||
|
docker push quay.io/pusher/oauth2_proxy:latest-arm64
|
||||||
|
docker push quay.io/pusher/oauth2_proxy:${VERSION}-arm64
|
||||||
|
docker push quay.io/pusher/oauth2_proxy:latest-armv6
|
||||||
|
docker push quay.io/pusher/oauth2_proxy:${VERSION}-armv6
|
||||||
|
|
||||||
.PHONY: test
|
.PHONY: test
|
||||||
test: dep lint
|
test: dep lint
|
||||||
|
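Review bot: The new `docker-push` / `docker-push-all` targets push tags derived from `$(VERSION)` with no guard, and `VERSION` falls back to the literal `undefined` and carries a `-dirty` suffix for an unclean tree, so an image built from uncommitted changes or outside a git checkout can be published to quay.io as `oauth2_proxy:undefined-amd64` or `<tag>-dirty-arm64`. Neither push target depends on the `docker`/`docker-all` build targets either, so they push whatever image happens to carry those tags locally rather than one built from the current tree. A one-line refusal in `docker-push` (which `docker-push-all` already depends on) closes the first gap: `docker-push:` followed by `@case "$(VERSION)" in undefined|*-dirty) echo "refusing to push VERSION=$(VERSION)"; exit 1;; esac` before the existing `docker push quay.io/pusher/oauth2_proxy:latest`. Consider also `docker-push-all: docker-all docker-push` so the versioned tags are rebuilt before being pushed.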
17
README.md
17
README.md
@ -19,17 +19,17 @@ A list of changes can be seen in the [CHANGELOG](CHANGELOG.md).
|
|||||||
|
|
||||||
1. Choose how to deploy:
|
1. Choose how to deploy:
|
||||||
|
|
||||||
a. Download [Prebuilt Binary](https://github.com/pusher/oauth2_proxy/releases) (current release is `v3.0.0`)
|
a. Download [Prebuilt Binary](https://github.com/pusher/oauth2_proxy/releases) (current release is `v3.1.0`)
|
||||||
|
|
||||||
b. Build with `$ go get github.com/pusher/oauth2_proxy` which will put the binary in `$GOROOT/bin`
|
b. Build with `$ go get github.com/pusher/oauth2_proxy` which will put the binary in `$GOROOT/bin`
|
||||||
|
|
||||||
c. Using the prebuilt docker image [quay.io/pusher/oauth2_proxy](https://quay.io/pusher/oauth2_proxy)
|
c. Using the prebuilt docker image [quay.io/pusher/oauth2_proxy](https://quay.io/pusher/oauth2_proxy) (AMD64, ARMv6 and ARM64 tags available)
|
||||||
|
|
||||||
Prebuilt binaries can be validated by extracting the file and verifying it against the `sha256sum.txt` checksum file provided for each release starting with version `v3.0.0`.
|
Prebuilt binaries can be validated by extracting the file and verifying it against the `sha256sum.txt` checksum file provided for each release starting with version `v3.0.0`.
|
||||||
|
|
||||||
```
|
```
|
||||||
sha256sum -c sha256sum.txt 2>&1 | grep OK
|
sha256sum -c sha256sum.txt 2>&1 | grep OK
|
||||||
oauth2_proxy-3.0.0.linux-amd64: OK
|
oauth2_proxy-3.1.0.linux-amd64: OK
|
||||||
```
|
```
|
||||||
|
|
||||||
2. Select a Provider and Register an OAuth Application with a Provider
|
2. Select a Provider and Register an OAuth Application with a Provider
|
||||||
@ -203,6 +203,7 @@ Usage of oauth2_proxy:
|
|||||||
-custom-templates-dir string: path to custom html templates
|
-custom-templates-dir string: path to custom html templates
|
||||||
-display-htpasswd-form: display username / password login form if an htpasswd file is provided (default true)
|
-display-htpasswd-form: display username / password login form if an htpasswd file is provided (default true)
|
||||||
-email-domain value: authenticate emails with the specified domain (may be given multiple times). Use * to authenticate any email
|
-email-domain value: authenticate emails with the specified domain (may be given multiple times). Use * to authenticate any email
|
||||||
|
-flush-interval: period between flushing response buffers when streaming responses (default "1s")
|
||||||
-footer string: custom footer string. Use "-" to disable default footer.
|
-footer string: custom footer string. Use "-" to disable default footer.
|
||||||
-github-org string: restrict logins to members of this organisation
|
-github-org string: restrict logins to members of this organisation
|
||||||
-github-team string: restrict logins to members of any of these teams (slug), separated by a comma
|
-github-team string: restrict logins to members of any of these teams (slug), separated by a comma
|
||||||
@ -481,19 +482,19 @@ server {
|
|||||||
auth_request_set $auth_cookie $upstream_http_set_cookie;
|
auth_request_set $auth_cookie $upstream_http_set_cookie;
|
||||||
add_header Set-Cookie $auth_cookie;
|
add_header Set-Cookie $auth_cookie;
|
||||||
|
|
||||||
# When using the --set-authorization flag, some provider's cookies can exceed the 4kb
|
# When using the --set-authorization flag, some provider's cookies can exceed the 4kb
|
||||||
# limit and so the OAuth2 Proxy splits these into multiple parts.
|
# limit and so the OAuth2 Proxy splits these into multiple parts.
|
||||||
# Nginx normally only copies the first `Set-Cookie` header from the auth_request to the response,
|
# Nginx normally only copies the first `Set-Cookie` header from the auth_request to the response,
|
||||||
# so if your cookies are larger than 4kb, you will need to extract additional cookies manually.
|
# so if your cookies are larger than 4kb, you will need to extract additional cookies manually.
|
||||||
auth_request_set $auth_cookie_name_upstream_1 $upstream_cookie_auth_cookie_name_1;
|
auth_request_set $auth_cookie_name_upstream_1 $upstream_cookie_auth_cookie_name_1;
|
||||||
|
|
||||||
# Extract the Cookie attributes from the first Set-Cookie header and append them
|
# Extract the Cookie attributes from the first Set-Cookie header and append them
|
||||||
# to the second part ($upstream_cookie_* variables only contain the raw cookie content)
|
# to the second part ($upstream_cookie_* variables only contain the raw cookie content)
|
||||||
if ($auth_cookie ~* "(; .*)") {
|
if ($auth_cookie ~* "(; .*)") {
|
||||||
set $auth_cookie_name_0 $auth_cookie;
|
set $auth_cookie_name_0 $auth_cookie;
|
||||||
set $auth_cookie_name_1 "auth_cookie_name_1=$auth_cookie_name_upstream_1$1";
|
set $auth_cookie_name_1 "auth_cookie_name_1=$auth_cookie_name_upstream_1$1";
|
||||||
}
|
}
|
||||||
|
|
||||||
# Send both Set-Cookie headers now if there was a second part
|
# Send both Set-Cookie headers now if there was a second part
|
||||||
if ($auth_cookie_name_upstream_1) {
|
if ($auth_cookie_name_upstream_1) {
|
||||||
add_header Set-Cookie $auth_cookie_name_0;
|
add_header Set-Cookie $auth_cookie_name_0;
|
||||||
|