From 7f5672b433f70478c79fe4f7294a92cb56a0b64b Mon Sep 17 00:00:00 2001 From: Pierce Lopez Date: Mon, 24 Apr 2017 17:56:15 -0400 Subject: [PATCH 1/2] README: simplify nginx auth_request example /oauth2/auth is not more sensitive than other /oauth2/ paths, does not need "internal" protection "spdy" protocol is obsolete, http2 is the thing to enable now. But it's orthogonal anyway. No need for two separate content/upstream location blocks in this example, reduce to just one, with a comment that it could be serving files instead of proxying. --- README.md | 17 +++-------------- 1 file changed, 3 insertions(+), 14 deletions(-) diff --git a/README.md b/README.md index be73f36..6ab8de5 100644 --- a/README.md +++ b/README.md @@ -350,15 +350,10 @@ The [Nginx `auth_request` directive](http://nginx.org/en/docs/http/ngx_http_auth ```nginx server { - listen 443 ssl spdy; + listen 443 ssl; server_name ...; include ssl/ssl.conf; - location = /oauth2/auth { - internal; - proxy_pass http://127.0.0.1:4180; - } - location /oauth2/ { proxy_pass http://127.0.0.1:4180; proxy_set_header Host $host; @@ -367,7 +362,7 @@ server { proxy_set_header X-Auth-Request-Redirect $request_uri; } - location /upstream/ { + location / { auth_request /oauth2/auth; error_page 401 = /oauth2/sign_in; @@ -379,13 +374,7 @@ server { proxy_set_header X-Email $email; proxy_pass http://backend/; - } - - location / { - auth_request /oauth2/auth; - error_page 401 = https://example.com/oauth2/sign_in; - - root /path/to/the/site; + # or "root /path/to/site;" or "fastcgi_pass ..." etc } } ``` From 6d295f8446b084bbfb81d94ac4058c466df443e9 Mon Sep 17 00:00:00 2001 From: Pierce Lopez Date: Mon, 24 Apr 2017 17:59:21 -0400 Subject: [PATCH 2/2] README: nginx auth_request example refresh cookie handling how to pass back the refreshed oauth2_proxy cookie from an nginx auth_request --- README.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/README.md b/README.md index 6ab8de5..da0962e 100644 --- a/README.md 
+++ b/README.md @@ -373,6 +373,10 @@ server { proxy_set_header X-User $user; proxy_set_header X-Email $email; + # if you enabled --cookie-refresh, this is needed for it to work with auth_request + auth_request_set $auth_cookie $upstream_http_set_cookie; + add_header Set-Cookie $auth_cookie; + proxy_pass http://backend/; # or "root /path/to/site;" or "fastcgi_pass ..." etc }
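Review bot: The added `add_header Set-Cookie $auth_cookie;` changes header inheritance for this location, because nginx inherits `add_header` directives from the enclosing level only when the current level defines none. Any response headers set at server level, for example an HSTS header if the included `ssl/ssl.conf` defines one (that file is not shown), would no longer be sent for requests handled here. I would extend the comment to say so, e.g. `# note: an add_header here stops inheritance of server-level add_header directives; repeat any security headers in this block`. Separately, `add_header` without `always` is applied only to a fixed set of 2xx/3xx status codes, and `$upstream_http_set_cookie` may not carry every cookie if the auth response sets more than one `Set-Cookie` header, so both are worth verifying against the nginx version in use. The `location /` block this hunk edits opens outside the hunk.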