Merge pull request #71 from jehiah/cookie_secure_flag_71
Rename flag to set secure (https) cookies
commit
d5169f92f7
@ -64,9 +64,11 @@ Usage of google_auth_proxy:
|
|||||||
-config="": path to config file
|
-config="": path to config file
|
||||||
-cookie-domain="": an optional cookie domain to force cookies to (ie: .yourcompany.com)*
|
-cookie-domain="": an optional cookie domain to force cookies to (ie: .yourcompany.com)*
|
||||||
-cookie-expire=168h0m0s: expire timeframe for cookie
|
-cookie-expire=168h0m0s: expire timeframe for cookie
|
||||||
-cookie-httponly=true: set HttpOnly cookie
|
-cookie-httponly=true: set HttpOnly cookie flag
|
||||||
-cookie-https-only=true: set HTTPS only cookie
|
-cookie-https-only=true: set secure (HTTPS) cookies (deprecated. use --cookie-secure setting)
|
||||||
-cookie-secret="": the seed string for secure cookies
|
-cookie-secret="": the seed string for secure cookies
|
||||||
|
-cookie-secure=true: set secure (HTTPS) cookie flag
|
||||||
|
-custom-templates-dir="": path to custom html templates
|
||||||
-display-htpasswd-form=true: display username / password login form if an htpasswd file is provided
|
-display-htpasswd-form=true: display username / password login form if an htpasswd file is provided
|
||||||
-google-apps-domain=: authenticate against the given Google apps domain (may be given multiple times)
|
-google-apps-domain=: authenticate against the given Google apps domain (may be given multiple times)
|
||||||
-htpasswd-file="": additionally authenticate against a htpasswd file. Entries must be created with "htpasswd -s" for SHA encryption
|
-htpasswd-file="": additionally authenticate against a htpasswd file. Entries must be created with "htpasswd -s" for SHA encryption
|
||||||
@ -75,7 +77,6 @@ Usage of google_auth_proxy:
|
|||||||
-pass-host-header=true: pass the request Host Header to upstream
|
-pass-host-header=true: pass the request Host Header to upstream
|
||||||
-redirect-url="": the OAuth Redirect URL. ie: "https://internalapp.yourcompany.com/oauth2/callback"
|
-redirect-url="": the OAuth Redirect URL. ie: "https://internalapp.yourcompany.com/oauth2/callback"
|
||||||
-skip-auth-regex=: bypass authentication for requests path's that match (may be given multiple times)
|
-skip-auth-regex=: bypass authentication for requests path's that match (may be given multiple times)
|
||||||
-custom templates-dir="": path to custom html templates
|
|
||||||
-upstream=: the http url(s) of the upstream endpoint. If multiple, routing is based on path
|
-upstream=: the http url(s) of the upstream endpoint. If multiple, routing is based on path
|
||||||
-version=false: print version string
|
-version=false: print version string
|
||||||
```
|
```
|
||||||
@ -120,7 +121,7 @@ The command line to run `google_auth_proxy` would look like this:
|
|||||||
--google-apps-domain="yourcompany.com" \
|
--google-apps-domain="yourcompany.com" \
|
||||||
--upstream=http://127.0.0.1:8080/ \
|
--upstream=http://127.0.0.1:8080/ \
|
||||||
--cookie-secret=... \
|
--cookie-secret=... \
|
||||||
--cookie-https-only=true \
|
--cookie-secure=true \
|
||||||
--client-id=... \
|
--client-id=... \
|
||||||
--client-secret=...
|
--client-secret=...
|
||||||
```
|
```
|
||||||
|
@ -49,5 +49,5 @@
|
|||||||
# cookie_secret = ""
|
# cookie_secret = ""
|
||||||
# cookie_domain = ""
|
# cookie_domain = ""
|
||||||
# cookie_expire = "168h"
|
# cookie_expire = "168h"
|
||||||
# cookie_https_only = true
|
# cookie_secure = true
|
||||||
# cookie_httponly = true
|
# cookie_httponly = true
|
||||||
|
5
main.go
5
main.go
@ -43,8 +43,9 @@ func main() {
|
|||||||
flagSet.String("cookie-secret", "", "the seed string for secure cookies")
|
flagSet.String("cookie-secret", "", "the seed string for secure cookies")
|
||||||
flagSet.String("cookie-domain", "", "an optional cookie domain to force cookies to (ie: .yourcompany.com)*")
|
flagSet.String("cookie-domain", "", "an optional cookie domain to force cookies to (ie: .yourcompany.com)*")
|
||||||
flagSet.Duration("cookie-expire", time.Duration(168)*time.Hour, "expire timeframe for cookie")
|
flagSet.Duration("cookie-expire", time.Duration(168)*time.Hour, "expire timeframe for cookie")
|
||||||
flagSet.Bool("cookie-https-only", true, "set HTTPS only cookie")
|
flagSet.Bool("cookie-https-only", true, "set secure (HTTPS) cookies (deprecated. use --cookie-secure setting)")
|
||||||
flagSet.Bool("cookie-httponly", true, "set HttpOnly cookie")
|
flagSet.Bool("cookie-secure", true, "set secure (HTTPS) cookie flag")
|
||||||
|
flagSet.Bool("cookie-httponly", true, "set HttpOnly cookie flag")
|
||||||
|
|
||||||
flagSet.Parse(os.Args[1:])
|
flagSet.Parse(os.Args[1:])
|
||||||
|
|
||||||
|
@ -24,13 +24,13 @@ const oauthStartPath = "/oauth2/start"
|
|||||||
const oauthCallbackPath = "/oauth2/callback"
|
const oauthCallbackPath = "/oauth2/callback"
|
||||||
|
|
||||||
type OauthProxy struct {
|
type OauthProxy struct {
|
||||||
CookieSeed string
|
CookieSeed string
|
||||||
CookieKey string
|
CookieKey string
|
||||||
CookieDomain string
|
CookieDomain string
|
||||||
CookieHttpsOnly bool
|
CookieSecure bool
|
||||||
CookieHttpOnly bool
|
CookieHttpOnly bool
|
||||||
CookieExpire time.Duration
|
CookieExpire time.Duration
|
||||||
Validator func(string) bool
|
Validator func(string) bool
|
||||||
|
|
||||||
redirectUrl *url.URL // the url to receive requests at
|
redirectUrl *url.URL // the url to receive requests at
|
||||||
oauthRedemptionUrl *url.URL // endpoint to redeem the code
|
oauthRedemptionUrl *url.URL // endpoint to redeem the code
|
||||||
@ -98,15 +98,21 @@ func NewOauthProxy(opts *Options, validator func(string) bool) *OauthProxy {
|
|||||||
if domain == "" {
|
if domain == "" {
|
||||||
domain = "<default>"
|
domain = "<default>"
|
||||||
}
|
}
|
||||||
log.Printf("Cookie settings: https_only (SSL required): %v httponly: %v expiry: %s domain:%s", opts.CookieHttpsOnly, opts.CookieHttpOnly, opts.CookieExpire, domain)
|
if !opts.CookieHttpsOnly {
|
||||||
|
log.Printf("Warning: cookie-https-only setting is deprecated and will be removed in a future version. use cookie-secure")
|
||||||
|
opts.CookieSecure = opts.CookieHttpsOnly
|
||||||
|
}
|
||||||
|
|
||||||
|
log.Printf("Cookie settings: secure (https):%v httponly:%v expiry:%s domain:%s", opts.CookieSecure, opts.CookieHttpOnly, opts.CookieExpire, domain)
|
||||||
|
|
||||||
return &OauthProxy{
|
return &OauthProxy{
|
||||||
CookieKey: "_oauthproxy",
|
CookieKey: "_oauthproxy",
|
||||||
CookieSeed: opts.CookieSecret,
|
CookieSeed: opts.CookieSecret,
|
||||||
CookieDomain: opts.CookieDomain,
|
CookieDomain: opts.CookieDomain,
|
||||||
CookieHttpsOnly: opts.CookieHttpsOnly,
|
CookieSecure: opts.CookieSecure,
|
||||||
CookieHttpOnly: opts.CookieHttpOnly,
|
CookieHttpOnly: opts.CookieHttpOnly,
|
||||||
CookieExpire: opts.CookieExpire,
|
CookieExpire: opts.CookieExpire,
|
||||||
Validator: validator,
|
Validator: validator,
|
||||||
|
|
||||||
clientID: opts.ClientID,
|
clientID: opts.ClientID,
|
||||||
clientSecret: opts.ClientSecret,
|
clientSecret: opts.ClientSecret,
|
||||||
@ -130,7 +136,7 @@ func (p *OauthProxy) GetRedirectUrl(host string) string {
|
|||||||
var u url.URL
|
var u url.URL
|
||||||
u = *p.redirectUrl
|
u = *p.redirectUrl
|
||||||
if u.Scheme == "" {
|
if u.Scheme == "" {
|
||||||
if p.CookieHttpsOnly {
|
if p.CookieSecure {
|
||||||
u.Scheme = "https"
|
u.Scheme = "https"
|
||||||
} else {
|
} else {
|
||||||
u.Scheme = "http"
|
u.Scheme = "http"
|
||||||
@ -265,7 +271,7 @@ func (p *OauthProxy) SetCookie(rw http.ResponseWriter, req *http.Request, val st
|
|||||||
Path: "/",
|
Path: "/",
|
||||||
Domain: domain,
|
Domain: domain,
|
||||||
HttpOnly: p.CookieHttpOnly,
|
HttpOnly: p.CookieHttpOnly,
|
||||||
Secure: p.CookieHttpsOnly,
|
Secure: p.CookieSecure,
|
||||||
Expires: time.Now().Add(p.CookieExpire),
|
Expires: time.Now().Add(p.CookieExpire),
|
||||||
}
|
}
|
||||||
http.SetCookie(rw, cookie)
|
http.SetCookie(rw, cookie)
|
||||||
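Review bot: The compatibility shim in NewOauthProxy lets a stale `cookie_https_only = false` silently clear an explicit `cookie-secure=true`, because `if !opts.CookieHttpsOnly { opts.CookieSecure = opts.CookieHttpsOnly }` copies the deprecated value whenever it is false, and with both flags defaulting to true (main.go and options.go) an untouched deprecated flag cannot be told apart from one the operator set. The effect is a session cookie issued without the Secure attribute on a deployment whose new-style config asked for it, while a deployment still passing `cookie-https-only=true` never sees the deprecation warning at all. If the options loader can report which settings were explicitly given (not visible in this hunk), warn whenever the deprecated one is present and log loudly when the two disagree; otherwise the warning should at least say that the old setting wins, e.g. `log.Printf("Warning: cookie-https-only=false overrides cookie-secure; cookie-https-only is deprecated, use cookie-secure")`. Assigning into `opts` also mutates the caller's Options as a side effect; a local `secure := opts.CookieSecure` adjusted by the shim and used for both the log line and the struct literal would avoid that. NewOauthProxy's signature and the rest of its body lie outside the hunk.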
|
@ -24,7 +24,8 @@ type Options struct {
|
|||||||
CookieSecret string `flag:"cookie-secret" cfg:"cookie_secret" env:"GOOGLE_AUTH_PROXY_COOKIE_SECRET"`
|
CookieSecret string `flag:"cookie-secret" cfg:"cookie_secret" env:"GOOGLE_AUTH_PROXY_COOKIE_SECRET"`
|
||||||
CookieDomain string `flag:"cookie-domain" cfg:"cookie_domain" env:"GOOGLE_AUTH_PROXY_COOKIE_DOMAIN"`
|
CookieDomain string `flag:"cookie-domain" cfg:"cookie_domain" env:"GOOGLE_AUTH_PROXY_COOKIE_DOMAIN"`
|
||||||
CookieExpire time.Duration `flag:"cookie-expire" cfg:"cookie_expire" env:"GOOGLE_AUTH_PROXY_COOKIE_EXPIRE"`
|
CookieExpire time.Duration `flag:"cookie-expire" cfg:"cookie_expire" env:"GOOGLE_AUTH_PROXY_COOKIE_EXPIRE"`
|
||||||
CookieHttpsOnly bool `flag:"cookie-https-only" cfg:"cookie_https_only"` // set secure cookie flag
|
CookieHttpsOnly bool `flag:"cookie-https-only" cfg:"cookie_https_only"` // deprecated use cookie-secure
|
||||||
|
CookieSecure bool `flag:"cookie-secure" cfg:"cookie_secure"`
|
||||||
CookieHttpOnly bool `flag:"cookie-httponly" cfg:"cookie_httponly"`
|
CookieHttpOnly bool `flag:"cookie-httponly" cfg:"cookie_httponly"`
|
||||||
|
|
||||||
Upstreams []string `flag:"upstream" cfg:"upstreams"`
|
Upstreams []string `flag:"upstream" cfg:"upstreams"`
|
||||||
@ -43,6 +44,7 @@ func NewOptions() *Options {
|
|||||||
HttpAddress: "127.0.0.1:4180",
|
HttpAddress: "127.0.0.1:4180",
|
||||||
DisplayHtpasswdForm: true,
|
DisplayHtpasswdForm: true,
|
||||||
CookieHttpsOnly: true,
|
CookieHttpsOnly: true,
|
||||||
|
CookieSecure: true,
|
||||||
CookieHttpOnly: true,
|
CookieHttpOnly: true,
|
||||||
CookieExpire: time.Duration(168) * time.Hour,
|
CookieExpire: time.Duration(168) * time.Hour,
|
||||||
PassBasicAuth: true,
|
PassBasicAuth: true,
|
||||||
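Review bot: The trailing `// deprecated use cookie-secure` on CookieHttpsOnly is not in the form tooling recognises; a doc comment on its own line above the field, `// Deprecated: use CookieSecure instead.`, is surfaced by staticcheck and gopls at every remaining use site, which is what a deprecation is meant to achieve. The new CookieSecure field has no comment, and since SetCookie in oauthproxy.go copies it straight into the cookie's Secure attribute, `// CookieSecure sets the Secure attribute on the session cookie so browsers only send it over HTTPS.` would state the contract where it is defined. CookieSecure also follows CookieHttpOnly in carrying no `env:` tag while the cookie secret, domain and expiry fields above it do; if that is deliberate, a one-line comment saying so would save the next reader the question. The Options struct declaration starts outside the hunk.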
|