From 7f5672b433f70478c79fe4f7294a92cb56a0b64b Mon Sep 17 00:00:00 2001
From: Pierce Lopez <pierce.lopez@gmail.com>
Date: Mon, 24 Apr 2017 17:56:15 -0400
Subject: [PATCH 1/2] README: simplify nginx auth_request example

/oauth2/auth is not more sensitive than other /oauth2/ paths,
does not need "internal" protection

"spdy" protocol is obsolete, http2 is the thing to enable now.
But it's orthogonal anyway.

No need for two separate content/upstream location blocks in
this example, reduce to just one, with a comment that it could
be serving files instead of proxying.
---
 README.md | 17 +++--------------
 1 file changed, 3 insertions(+), 14 deletions(-)

diff --git a/README.md b/README.md
index be73f36..6ab8de5 100644
--- a/README.md
+++ b/README.md
@@ -350,15 +350,10 @@ The [Nginx `auth_request` directive](http://nginx.org/en/docs/http/ngx_http_auth
 
 ```nginx
 server {
-  listen 443 ssl spdy;
+  listen 443 ssl;
   server_name ...;
   include ssl/ssl.conf;
 
-  location = /oauth2/auth {
-    internal;
-    proxy_pass http://127.0.0.1:4180;
-  }
-
   location /oauth2/ {
     proxy_pass       http://127.0.0.1:4180;
     proxy_set_header Host                    $host;
@@ -367,7 +362,7 @@ server {
     proxy_set_header X-Auth-Request-Redirect $request_uri;
   }
 
-  location /upstream/ {
+  location / {
     auth_request /oauth2/auth;
     error_page 401 = /oauth2/sign_in;
 
@@ -379,13 +374,7 @@ server {
     proxy_set_header X-Email $email;
 
     proxy_pass http://backend/;
-  }
-
-  location / {
-    auth_request /oauth2/auth;
-    error_page 401 = https://example.com/oauth2/sign_in;
-
-    root /path/to/the/site;
+    # or "root /path/to/site;" or "fastcgi_pass ..." etc
   }
 }
 ```

From 6d295f8446b084bbfb81d94ac4058c466df443e9 Mon Sep 17 00:00:00 2001
From: Pierce Lopez <pierce.lopez@gmail.com>
Date: Mon, 24 Apr 2017 17:59:21 -0400
Subject: [PATCH 2/2] README: nginx auth_request example refresh cookie
 handling

how to pass back the refreshed oauth2_proxy cookie from an nginx auth_request
---
 README.md | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/README.md b/README.md
index 6ab8de5..da0962e 100644
--- a/README.md
+++ b/README.md
@@ -373,6 +373,10 @@ server {
     proxy_set_header X-User  $user;
     proxy_set_header X-Email $email;
 
+    # if you enabled --cookie-refresh, this is needed for it to work with auth_request
+    auth_request_set $auth_cookie $upstream_http_set_cookie;
+    add_header Set-Cookie $auth_cookie;
+
     proxy_pass http://backend/;
     # or "root /path/to/site;" or "fastcgi_pass ..." etc
   }