From dcf62d06df186058a5b0e9f7be7dda492007b6a8 Mon Sep 17 00:00:00 2001
From: Jehiah Czebotar
Date: Wed, 29 Mar 2017 10:57:07 -0400
Subject: [PATCH] option for skipping OAuth provider SSL verification

---
 README.md | 1 +
 contrib/oauth2_proxy.cfg.example | 4 ++++
 main.go | 1 +
 options.go | 26 +++++++++++++++++---------
 4 files changed, 23 insertions(+), 9 deletions(-)

diff --git a/README.md b/README.md
index eb7ffb4..fd4ee71 100644
--- a/README.md
+++ b/README.md
@@ -200,6 +200,7 @@ Usage of oauth2_proxy:
 -signature-key="": GAP-Signature request signature key (algorithm:secretkey)
 -skip-auth-regex=: bypass authentication for requests path's that match (may be given multiple times)
 -skip-provider-button=false: will skip sign-in-page to directly reach the next step: oauth/start
+ -ssl-insecure-skip-verify: skip validation of certificates presented when using HTTPS
 -tls-cert="": path to certificate file
 -tls-key="": path to private key file
 -upstream=: the http url(s) of the upstream endpoint or file:// paths for static files. Routing is based on the path
diff --git a/contrib/oauth2_proxy.cfg.example b/contrib/oauth2_proxy.cfg.example
index 0285fbf..4ea2482 100644
--- a/contrib/oauth2_proxy.cfg.example
+++ b/contrib/oauth2_proxy.cfg.example
@@ -54,6 +54,10 @@
 ## optional directory with custom sign_in.html and error.html
 # custom_templates_dir = ""
 
+## skip SSL checking for HTTPS requests
+# ssl_insecure_skip_verify = false
+
+
 ## Cookie Settings
 ## Name - the cookie name
 ## Secret - the seed string for secure cookies; should be 16, 24, or 32 bytes
diff --git a/main.go b/main.go
index d7c53b0..bf1bba8 100644
--- a/main.go
+++ b/main.go
@@ -38,6 +38,7 @@ func main() {
 flagSet.Bool("pass-host-header", true, "pass the request Host Header to upstream")
 flagSet.Var(&skipAuthRegex, "skip-auth-regex", "bypass authentication for requests path's that match (may be given multiple times)")
 flagSet.Bool("skip-provider-button", false, "will skip sign-in-page to directly reach the next step: oauth/start")
+ flagSet.Bool("ssl-insecure-skip-verify", false, "skip validation of certificates presented when using HTTPS")
 
 flagSet.Var(&emailDomains, "email-domain", "authenticate emails with the specified domain (may be given multiple times). Use * to authenticate any email")
 flagSet.String("azure-tenant", "common", "go to a tenant-specific or common (tenant-independent) endpoint.")
diff --git a/options.go b/options.go
index 2beebbd..e8f242a 100644
--- a/options.go
+++ b/options.go
@@ -2,6 +2,7 @@ package main
 
 import (
 "crypto"
+ "crypto/tls"
 "encoding/base64"
 "fmt"
 "net/http"
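Review bot: The help text on the new `ssl-insecure-skip-verify` flag says only that certificate validation is skipped "when using HTTPS", but the Validate hunk in options.go later in this patch implements the option by replacing `http.DefaultClient` with a transport whose `tls.Config` has `InsecureSkipVerify: true`, so once the flag is set every outbound HTTPS request made through the default client loses verification, not just the OAuth provider call named in the commit subject. An operator reading the flag, the README line, or the new `SSLInsecureSkipVerify` field in the options.go struct hunk would reasonably assume a provider-scoped setting, so the wording in both places should state the real scope and that it is intended for testing. Suggested flag line: `flagSet.Bool("ssl-insecure-skip-verify", false, "skip validation of certificates presented when using HTTPS (insecure; applies to all requests sent through http.DefaultClient, testing only)")`, with a matching doc comment on the field such as `// SSLInsecureSkipVerify disables TLS certificate verification for all requests sent through http.DefaultClient, not only the OAuth provider; testing only.`. Whether the provider code actually issues its requests through http.DefaultClient cannot be confirmed from this patch, so adjust the wording if provider requests use their own client. The enclosing main() starts and continues outside this hunk.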
@@ -47,14 +48,15 @@ type Options struct {
 CookieSecure bool `flag:"cookie-secure" cfg:"cookie_secure"`
 CookieHttpOnly bool `flag:"cookie-httponly" cfg:"cookie_httponly"`
 
- Upstreams []string `flag:"upstream" cfg:"upstreams"`
- SkipAuthRegex []string `flag:"skip-auth-regex" cfg:"skip_auth_regex"`
- PassBasicAuth bool `flag:"pass-basic-auth" cfg:"pass_basic_auth"`
- BasicAuthPassword string `flag:"basic-auth-password" cfg:"basic_auth_password"`
- PassAccessToken bool `flag:"pass-access-token" cfg:"pass_access_token"`
- PassHostHeader bool `flag:"pass-host-header" cfg:"pass_host_header"`
- SkipProviderButton bool `flag:"skip-provider-button" cfg:"skip_provider_button"`
- PassUserHeaders bool `flag:"pass-user-headers" cfg:"pass_user_headers"`
+ Upstreams []string `flag:"upstream" cfg:"upstreams"`
+ SkipAuthRegex []string `flag:"skip-auth-regex" cfg:"skip_auth_regex"`
+ PassBasicAuth bool `flag:"pass-basic-auth" cfg:"pass_basic_auth"`
+ BasicAuthPassword string `flag:"basic-auth-password" cfg:"basic_auth_password"`
+ PassAccessToken bool `flag:"pass-access-token" cfg:"pass_access_token"`
+ PassHostHeader bool `flag:"pass-host-header" cfg:"pass_host_header"`
+ SkipProviderButton bool `flag:"skip-provider-button" cfg:"skip_provider_button"`
+ PassUserHeaders bool `flag:"pass-user-headers" cfg:"pass_user_headers"`
+ SSLInsecureSkipVerify bool `flag:"ssl-insecure-skip-verify" cfg:"ssl_insecure_skip_verify"`
 
 // These options allow for other providers besides Google, with
 // potential overrides.
@@ -99,7 +101,6 @@ func NewOptions() *Options {
 PassUserHeaders: true,
 PassAccessToken: false,
 PassHostHeader: true,
- SkipProviderButton: false,
 ApprovalPrompt: "force",
 RequestLogging: true,
 }
@@ -205,6 +206,13 @@ func (o *Options) Validate() error {
 msgs = parseSignatureKey(o, msgs)
 msgs = validateCookieName(o, msgs)
 
+ if o.SSLInsecureSkipVerify {
+ insecureTransport := &http.Transport{
+ TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
+ }
+ http.DefaultClient = &http.Client{Transport: insecureTransport}
+ }
+
 if len(msgs) != 0 {
 return fmt.Errorf("Invalid configuration:\n %s", strings.Join(msgs, "\n "))