Merge pull request #71 from jehiah/cookie_secure_flag_71

Rename flag to set secure (https) cookies
This commit is contained in:
Jehiah Czebotar 2015-03-19 14:49:11 -04:00
commit d5169f92f7
5 changed files with 35 additions and 25 deletions

View File

@ -64,9 +64,11 @@ Usage of google_auth_proxy:
-config="": path to config file -config="": path to config file
-cookie-domain="": an optional cookie domain to force cookies to (ie: .yourcompany.com)* -cookie-domain="": an optional cookie domain to force cookies to (ie: .yourcompany.com)*
-cookie-expire=168h0m0s: expire timeframe for cookie -cookie-expire=168h0m0s: expire timeframe for cookie
-cookie-httponly=true: set HttpOnly cookie -cookie-httponly=true: set HttpOnly cookie flag
-cookie-https-only=true: set HTTPS only cookie -cookie-https-only=true: set secure (HTTPS) cookies (deprecated. use --cookie-secure setting)
-cookie-secret="": the seed string for secure cookies -cookie-secret="": the seed string for secure cookies
-cookie-secure=true: set secure (HTTPS) cookie flag
-custom-templates-dir="": path to custom html templates
-display-htpasswd-form=true: display username / password login form if an htpasswd file is provided -display-htpasswd-form=true: display username / password login form if an htpasswd file is provided
-google-apps-domain=: authenticate against the given Google apps domain (may be given multiple times) -google-apps-domain=: authenticate against the given Google apps domain (may be given multiple times)
-htpasswd-file="": additionally authenticate against a htpasswd file. Entries must be created with "htpasswd -s" for SHA encryption -htpasswd-file="": additionally authenticate against a htpasswd file. Entries must be created with "htpasswd -s" for SHA encryption
@ -75,7 +77,6 @@ Usage of google_auth_proxy:
-pass-host-header=true: pass the request Host Header to upstream -pass-host-header=true: pass the request Host Header to upstream
-redirect-url="": the OAuth Redirect URL. ie: "https://internalapp.yourcompany.com/oauth2/callback" -redirect-url="": the OAuth Redirect URL. ie: "https://internalapp.yourcompany.com/oauth2/callback"
-skip-auth-regex=: bypass authentication for requests path's that match (may be given multiple times) -skip-auth-regex=: bypass authentication for requests path's that match (may be given multiple times)
-custom templates-dir="": path to custom html templates
-upstream=: the http url(s) of the upstream endpoint. If multiple, routing is based on path -upstream=: the http url(s) of the upstream endpoint. If multiple, routing is based on path
-version=false: print version string -version=false: print version string
``` ```
@ -120,7 +121,7 @@ The command line to run `google_auth_proxy` would look like this:
--google-apps-domain="yourcompany.com" \ --google-apps-domain="yourcompany.com" \
--upstream=http://127.0.0.1:8080/ \ --upstream=http://127.0.0.1:8080/ \
--cookie-secret=... \ --cookie-secret=... \
--cookie-https-only=true \ --cookie-secure=true \
--client-id=... \ --client-id=... \
--client-secret=... --client-secret=...
``` ```

View File

@ -49,5 +49,5 @@
# cookie_secret = "" # cookie_secret = ""
# cookie_domain = "" # cookie_domain = ""
# cookie_expire = "168h" # cookie_expire = "168h"
# cookie_https_only = true # cookie_secure = true
# cookie_httponly = true # cookie_httponly = true

View File

@ -43,8 +43,9 @@ func main() {
flagSet.String("cookie-secret", "", "the seed string for secure cookies") flagSet.String("cookie-secret", "", "the seed string for secure cookies")
flagSet.String("cookie-domain", "", "an optional cookie domain to force cookies to (ie: .yourcompany.com)*") flagSet.String("cookie-domain", "", "an optional cookie domain to force cookies to (ie: .yourcompany.com)*")
flagSet.Duration("cookie-expire", time.Duration(168)*time.Hour, "expire timeframe for cookie") flagSet.Duration("cookie-expire", time.Duration(168)*time.Hour, "expire timeframe for cookie")
flagSet.Bool("cookie-https-only", true, "set HTTPS only cookie") flagSet.Bool("cookie-https-only", true, "set secure (HTTPS) cookies (deprecated. use --cookie-secure setting)")
flagSet.Bool("cookie-httponly", true, "set HttpOnly cookie") flagSet.Bool("cookie-secure", true, "set secure (HTTPS) cookie flag")
flagSet.Bool("cookie-httponly", true, "set HttpOnly cookie flag")
flagSet.Parse(os.Args[1:]) flagSet.Parse(os.Args[1:])

View File

@ -27,7 +27,7 @@ type OauthProxy struct {
CookieSeed string CookieSeed string
CookieKey string CookieKey string
CookieDomain string CookieDomain string
CookieHttpsOnly bool CookieSecure bool
CookieHttpOnly bool CookieHttpOnly bool
CookieExpire time.Duration CookieExpire time.Duration
Validator func(string) bool Validator func(string) bool
@ -98,12 +98,18 @@ func NewOauthProxy(opts *Options, validator func(string) bool) *OauthProxy {
if domain == "" { if domain == "" {
domain = "<default>" domain = "<default>"
} }
log.Printf("Cookie settings: https_only (SSL required): %v httponly: %v expiry: %s domain:%s", opts.CookieHttpsOnly, opts.CookieHttpOnly, opts.CookieExpire, domain) if !opts.CookieHttpsOnly {
log.Printf("Warning: cookie-https-only setting is deprecated and will be removed in a future version. use cookie-secure")
opts.CookieSecure = opts.CookieHttpsOnly
}
log.Printf("Cookie settings: secure (https):%v httponly:%v expiry:%s domain:%s", opts.CookieSecure, opts.CookieHttpOnly, opts.CookieExpire, domain)
return &OauthProxy{ return &OauthProxy{
CookieKey: "_oauthproxy", CookieKey: "_oauthproxy",
CookieSeed: opts.CookieSecret, CookieSeed: opts.CookieSecret,
CookieDomain: opts.CookieDomain, CookieDomain: opts.CookieDomain,
CookieHttpsOnly: opts.CookieHttpsOnly, CookieSecure: opts.CookieSecure,
CookieHttpOnly: opts.CookieHttpOnly, CookieHttpOnly: opts.CookieHttpOnly,
CookieExpire: opts.CookieExpire, CookieExpire: opts.CookieExpire,
Validator: validator, Validator: validator,
@ -130,7 +136,7 @@ func (p *OauthProxy) GetRedirectUrl(host string) string {
var u url.URL var u url.URL
u = *p.redirectUrl u = *p.redirectUrl
if u.Scheme == "" { if u.Scheme == "" {
if p.CookieHttpsOnly { if p.CookieSecure {
u.Scheme = "https" u.Scheme = "https"
} else { } else {
u.Scheme = "http" u.Scheme = "http"
@ -265,7 +271,7 @@ func (p *OauthProxy) SetCookie(rw http.ResponseWriter, req *http.Request, val st
Path: "/", Path: "/",
Domain: domain, Domain: domain,
HttpOnly: p.CookieHttpOnly, HttpOnly: p.CookieHttpOnly,
Secure: p.CookieHttpsOnly, Secure: p.CookieSecure,
Expires: time.Now().Add(p.CookieExpire), Expires: time.Now().Add(p.CookieExpire),
} }
http.SetCookie(rw, cookie) http.SetCookie(rw, cookie)

View File

@ -24,7 +24,8 @@ type Options struct {
CookieSecret string `flag:"cookie-secret" cfg:"cookie_secret" env:"GOOGLE_AUTH_PROXY_COOKIE_SECRET"` CookieSecret string `flag:"cookie-secret" cfg:"cookie_secret" env:"GOOGLE_AUTH_PROXY_COOKIE_SECRET"`
CookieDomain string `flag:"cookie-domain" cfg:"cookie_domain" env:"GOOGLE_AUTH_PROXY_COOKIE_DOMAIN"` CookieDomain string `flag:"cookie-domain" cfg:"cookie_domain" env:"GOOGLE_AUTH_PROXY_COOKIE_DOMAIN"`
CookieExpire time.Duration `flag:"cookie-expire" cfg:"cookie_expire" env:"GOOGLE_AUTH_PROXY_COOKIE_EXPIRE"` CookieExpire time.Duration `flag:"cookie-expire" cfg:"cookie_expire" env:"GOOGLE_AUTH_PROXY_COOKIE_EXPIRE"`
CookieHttpsOnly bool `flag:"cookie-https-only" cfg:"cookie_https_only"` // set secure cookie flag CookieHttpsOnly bool `flag:"cookie-https-only" cfg:"cookie_https_only"` // deprecated use cookie-secure
CookieSecure bool `flag:"cookie-secure" cfg:"cookie_secure"`
CookieHttpOnly bool `flag:"cookie-httponly" cfg:"cookie_httponly"` CookieHttpOnly bool `flag:"cookie-httponly" cfg:"cookie_httponly"`
Upstreams []string `flag:"upstream" cfg:"upstreams"` Upstreams []string `flag:"upstream" cfg:"upstreams"`
@ -43,6 +44,7 @@ func NewOptions() *Options {
HttpAddress: "127.0.0.1:4180", HttpAddress: "127.0.0.1:4180",
DisplayHtpasswdForm: true, DisplayHtpasswdForm: true,
CookieHttpsOnly: true, CookieHttpsOnly: true,
CookieSecure: true,
CookieHttpOnly: true, CookieHttpOnly: true,
CookieExpire: time.Duration(168) * time.Hour, CookieExpire: time.Duration(168) * time.Hour,
PassBasicAuth: true, PassBasicAuth: true,