support TLS directly

This commit is contained in:
Jehiah Czebotar 2015-06-07 21:51:47 -04:00
parent 5a5d6dff7e
commit f5b2b20f67
6 changed files with 167 additions and 44 deletions

View File

@ -9,18 +9,18 @@ to validate accounts by email, domain or group.
[![Build Status](https://secure.travis-ci.org/bitly/oauth2_proxy.png?branch=master)](http://travis-ci.org/bitly/oauth2_proxy) [![Build Status](https://secure.travis-ci.org/bitly/oauth2_proxy.png?branch=master)](http://travis-ci.org/bitly/oauth2_proxy)
![sign_in_page](https://cloud.githubusercontent.com/assets/45028/4970624/7feb7dd8-6886-11e4-93e0-c9904af44ea8.png) ![Sign In Page](https://cloud.githubusercontent.com/assets/45028/4970624/7feb7dd8-6886-11e4-93e0-c9904af44ea8.png)
## Architecture ## Architecture
![oauth2_proxy_arch](https://cloud.githubusercontent.com/assets/45028/7749664/35fef390-ff9d-11e4-8d51-21a7ba78f857.png) ![OAuth2 Proxy Architecture](https://cloud.githubusercontent.com/assets/45028/8027702/bd040b7a-0d6a-11e5-85b9-f8d953d04f39.png)
## Installation ## Installation
1. Download [Prebuilt Binary](https://github.com/bitly/oauth2_proxy/releases) (current release is `v1.1.1`) or build with `$ go get github.com/bitly/oauth2_proxy` which will put the binary in `$GOROOT/bin` 1. Download [Prebuilt Binary](https://github.com/bitly/oauth2_proxy/releases) (current release is `v1.1.1`) or build with `$ go get github.com/bitly/oauth2_proxy` which will put the binary in `$GOROOT/bin`
2. Register an OAuth Application with a Provider 2. Select a Provider and Register an OAuth Application with a Provider
3. Configure Oauth2 Proxy using config file, command line options, or environment variables 3. Configure OAuth2 Proxy using config file, command line options, or environment variables
4. Deploy behind a SSL endpoint (example provided for Nginx) 4. Configure SSL or Deploy behind a SSL endpoint (example provided for Nginx)
## OAuth Provider Configuration ## OAuth Provider Configuration
@ -76,6 +76,10 @@ For LinkedIn, the registration steps are:
The [MyUSA](https://alpha.my.usa.gov) authentication service ([GitHub](https://github.com/18F/myusa)) The [MyUSA](https://alpha.my.usa.gov) authentication service ([GitHub](https://github.com/18F/myusa))
## Email Authentication
To authorize by email domain use `--email-domain=yourcompany.com`. To authorize individual email addresses use `--authenticated-emails-file=/path/to/file` with one email per line. To authorize all email addresse use `--email-domain=*`.
## Configuration ## Configuration
`oauth2_proxy` can be configured via [config file](#config-file), [command line options](#command-line-options) or [environment variables](#environment-variables). `oauth2_proxy` can be configured via [config file](#config-file), [command line options](#command-line-options) or [environment variables](#environment-variables).
@ -107,18 +111,21 @@ Usage of oauth2_proxy:
-github-team="": restrict logins to members of this team -github-team="": restrict logins to members of this team
-htpasswd-file="": additionally authenticate against a htpasswd file. Entries must be created with "htpasswd -s" for SHA encryption -htpasswd-file="": additionally authenticate against a htpasswd file. Entries must be created with "htpasswd -s" for SHA encryption
-http-address="127.0.0.1:4180": [http://]<addr>:<port> or unix://<path> to listen on for HTTP clients -http-address="127.0.0.1:4180": [http://]<addr>:<port> or unix://<path> to listen on for HTTP clients
-https-address=":443": <addr>:<port> to listen on for HTTPS clients
-login-url="": Authentication endpoint -login-url="": Authentication endpoint
-pass-access-token=false: pass OAuth access_token to upstream via X-Forwarded-Access-Token header -pass-access-token=false: pass OAuth access_token to upstream via X-Forwarded-Access-Token header
-pass-basic-auth=true: pass HTTP Basic Auth, X-Forwarded-User and X-Forwarded-Email information to upstream -pass-basic-auth=true: pass HTTP Basic Auth, X-Forwarded-User and X-Forwarded-Email information to upstream
-pass-host-header=true: pass the request Host Header to upstream -pass-host-header=true: pass the request Host Header to upstream
-profile-url="": Profile access endpoint -profile-url="": Profile access endpoint
-provider="": Oauth provider (defaults to Google) -provider="google": OAuth provider
-proxy-prefix="/oauth2": the url root path that this proxy should be nested under (e.g. /<oauth2>/sign_in) -proxy-prefix="/oauth2": the url root path that this proxy should be nested under (e.g. /<oauth2>/sign_in)
-redeem-url="": Token redemption endpoint -redeem-url="": Token redemption endpoint
-redirect-url="": the OAuth Redirect URL. ie: "https://internalapp.yourcompany.com/oauth2/callback" -redirect-url="": the OAuth Redirect URL. ie: "https://internalapp.yourcompany.com/oauth2/callback"
-request-logging=true: Log requests to stdout -request-logging=true: Log requests to stdout
-scope="": Oauth scope specification -scope="": Oauth scope specification
-skip-auth-regex=: bypass authentication for requests path's that match (may be given multiple times) -skip-auth-regex=: bypass authentication for requests path's that match (may be given multiple times)
-tls-cert="": path to certificate file
-tls-key="": path to private key file
-upstream=: the http url(s) of the upstream endpoint. If multiple, routing is based on path -upstream=: the http url(s) of the upstream endpoint. If multiple, routing is based on path
-validate-url="": Access token validation endpoint -validate-url="": Access token validation endpoint
-version=false: print version string -version=false: print version string
@ -130,10 +137,32 @@ See below for provider specific options
The environment variables `OAUTH2_PROXY_CLIENT_ID`, `OAUTH2_PROXY_CLIENT_SECRET`, `OAUTH2_PROXY_COOKIE_SECRET`, `OAUTH2_PROXY_COOKIE_DOMAIN` and `OAUTH2_PROXY_COOKIE_EXPIRE` can be used in place of the corresponding command-line arguments. The environment variables `OAUTH2_PROXY_CLIENT_ID`, `OAUTH2_PROXY_CLIENT_SECRET`, `OAUTH2_PROXY_COOKIE_SECRET`, `OAUTH2_PROXY_COOKIE_DOMAIN` and `OAUTH2_PROXY_COOKIE_EXPIRE` can be used in place of the corresponding command-line arguments.
### Example Nginx Configuration ## SSL Configuration
This example has a [Nginx](http://nginx.org/) SSL endpoint proxying to `oauth2_proxy` on port `4180`. There are two recommended configurations.
`oauth2_proxy` then authenticates requests for an upstream application running on port `8080`. The external
1) Configure SSL Terminiation with OAuth2 Proxy by providing a `--tls-cert=/path/to/cert.pem` and `--tls-key=/path/to/cert.key`.
The command line to run `oauth2_proxy` in this configuration would look like this:
```bash
./oauth2_proxy \
--email-domain="yourcompany.com" \
--upstream=http://127.0.0.1:8080/ \
--tls-cert=/path/to/cert.pem \
--tls-key=/path/to/cert.key \
--cookie-secret=... \
--cookie-secure=true \
--provider=... \
--client-id=... \
--client-secret=...
```
2) Configure SSL Termination with [Nginx](http://nginx.org/) (example config below) or Amazon ELB, or ....
Nginx will listen on port `443` and handle SSL connections while proxying to `oauth2_proxy` on port `4180`.
`oauth2_proxy` which will then authenticate requests for an upstream application. The external
endpoint for this example would be `https://internal.yourcompany.com/`. endpoint for this example would be `https://internal.yourcompany.com/`.
An example Nginx config follows. Note the use of `Strict-Transport-Security` header to pin requests to SSL An example Nginx config follows. Note the use of `Strict-Transport-Security` header to pin requests to SSL
@ -159,7 +188,7 @@ server {
} }
``` ```
The command line to run `oauth2_proxy` would look like this: The command line to run `oauth2_proxy` in this configuration would look like this:
```bash ```bash
./oauth2_proxy \ ./oauth2_proxy \
@ -167,6 +196,7 @@ The command line to run `oauth2_proxy` would look like this:
--upstream=http://127.0.0.1:8080/ \ --upstream=http://127.0.0.1:8080/ \
--cookie-secret=... \ --cookie-secret=... \
--cookie-secure=true \ --cookie-secure=true \
--provider=... \
--client-id=... \ --client-id=... \
--client-secret=... --client-secret=...
``` ```
@ -174,7 +204,7 @@ The command line to run `oauth2_proxy` would look like this:
## Endpoint Documentation ## Endpoint Documentation
OAuth2 Proxy responds directly to the following endpoints. All other endpoints will be proxied upstream when authenticated. OAuth2 Proxy responds directly to the following endpoints. All other endpoints will be proxied upstream when authenticated. The `/oauth2` prefix can be changed with the `--proxy-prefix` config variable.
* /robots.txt - returns a 200 OK response that disallows all User-agents from all paths; see [robotstxt.org](http://www.robotstxt.org/) for more info * /robots.txt - returns a 200 OK response that disallows all User-agents from all paths; see [robotstxt.org](http://www.robotstxt.org/) for more info
* /ping - returns an 200 OK response * /ping - returns an 200 OK response

View File

@ -1,8 +1,13 @@
## OAuth2 Proxy Config File ## OAuth2 Proxy Config File
## https://github.com/bitly/oauth2_proxy ## https://github.com/bitly/oauth2_proxy
## <addr>:<port> to listen on for HTTP clients ## <addr>:<port> to listen on for HTTP/HTTPS clients
# http_address = "127.0.0.1:4180" # http_address = "127.0.0.1:4180"
# https_address = ":443"
## TLS Settings
# tls_cert_file = ""
# tls_key_file = ""
## the OAuth Redirect URL. ## the OAuth Redirect URL.
# defaults to the "https://" + requested host header + "/oauth2/callback" # defaults to the "https://" + requested host header + "/oauth2/callback"

106
http.go Normal file
View File

@ -0,0 +1,106 @@
package main
import (
"crypto/tls"
"log"
"net"
"net/http"
"net/url"
"strings"
"time"
)
type Server struct {
Handler http.Handler
Opts *Options
}
func (s *Server) ListenAndServe() {
if s.Opts.TLSKeyFile != "" || s.Opts.TLSCertFile != "" {
s.ServeHTTPS()
} else {
s.ServeHTTP()
}
}
func (s *Server) ServeHTTP() {
u, err := url.Parse(s.Opts.HttpAddress)
if err != nil {
log.Fatalf("FATAL: could not parse %#v: %v", s.Opts.HttpAddress, err)
}
var networkType string
switch u.Scheme {
case "", "http":
networkType = "tcp"
default:
networkType = u.Scheme
}
listenAddr := strings.TrimPrefix(u.String(), u.Scheme+"://")
listener, err := net.Listen(networkType, listenAddr)
if err != nil {
log.Fatalf("FATAL: listen (%s, %s) failed - %s", networkType, listenAddr, err)
}
log.Printf("HTTP: listening on %s", listenAddr)
server := &http.Server{Handler: s.Handler}
err = server.Serve(listener)
if err != nil && !strings.Contains(err.Error(), "use of closed network connection") {
log.Printf("ERROR: http.Serve() - %s", err)
}
log.Printf("HTTP: closing %s", listener.Addr())
}
func (s *Server) ServeHTTPS() {
addr := s.Opts.HttpsAddress
config := &tls.Config{
MinVersion: tls.VersionTLS12,
MaxVersion: tls.VersionTLS12,
}
if config.NextProtos == nil {
config.NextProtos = []string{"http/1.1"}
}
var err error
config.Certificates = make([]tls.Certificate, 1)
config.Certificates[0], err = tls.LoadX509KeyPair(s.Opts.TLSCertFile, s.Opts.TLSKeyFile)
if err != nil {
log.Fatalf("FATAL: loading tls config (%s, %s) failed - %s", s.Opts.TLSCertFile, s.Opts.TLSKeyFile, err)
}
ln, err := net.Listen("tcp", addr)
if err != nil {
log.Fatalf("FATAL: listen (%s) failed - %s", addr, err)
}
log.Printf("HTTPS: listening on %s", ln.Addr())
tlsListener := tls.NewListener(tcpKeepAliveListener{ln.(*net.TCPListener)}, config)
srv := &http.Server{Handler: s.Handler}
err = srv.Serve(tlsListener)
if err != nil && !strings.Contains(err.Error(), "use of closed network connection") {
log.Printf("ERROR: https.Serve() - %s", err)
}
log.Printf("HTTPS: closing %s", tlsListener.Addr())
}
// tcpKeepAliveListener sets TCP keep-alive timeouts on accepted
// connections. It's used by ListenAndServe and ListenAndServeTLS so
// dead TCP connections (e.g. closing laptop mid-download) eventually
// go away.
type tcpKeepAliveListener struct {
*net.TCPListener
}
func (ln tcpKeepAliveListener) Accept() (c net.Conn, err error) {
tc, err := ln.AcceptTCP()
if err != nil {
return
}
tc.SetKeepAlive(true)
tc.SetKeepAlivePeriod(3 * time.Minute)
return tc, nil
}

38
main.go
View File

@ -4,9 +4,6 @@ import (
"flag" "flag"
"fmt" "fmt"
"log" "log"
"net"
"net/http"
"net/url"
"os" "os"
"runtime" "runtime"
"strings" "strings"
@ -28,6 +25,9 @@ func main() {
showVersion := flagSet.Bool("version", false, "print version string") showVersion := flagSet.Bool("version", false, "print version string")
flagSet.String("http-address", "127.0.0.1:4180", "[http://]<addr>:<port> or unix://<path> to listen on for HTTP clients") flagSet.String("http-address", "127.0.0.1:4180", "[http://]<addr>:<port> or unix://<path> to listen on for HTTP clients")
flagSet.String("https-address", ":443", "<addr>:<port> to listen on for HTTPS clients")
flagSet.String("tls-cert", "", "path to certificate file")
flagSet.String("tls-key", "", "path to private key file")
flagSet.String("redirect-url", "", "the OAuth Redirect URL. ie: \"https://internalapp.yourcompany.com/oauth2/callback\"") flagSet.String("redirect-url", "", "the OAuth Redirect URL. ie: \"https://internalapp.yourcompany.com/oauth2/callback\"")
flagSet.Var(&upstreams, "upstream", "the http url(s) of the upstream endpoint. If multiple, routing is based on path") flagSet.Var(&upstreams, "upstream", "the http url(s) of the upstream endpoint. If multiple, routing is based on path")
flagSet.Bool("pass-basic-auth", true, "pass HTTP Basic Auth, X-Forwarded-User and X-Forwarded-Email information to upstream") flagSet.Bool("pass-basic-auth", true, "pass HTTP Basic Auth, X-Forwarded-User and X-Forwarded-Email information to upstream")
@ -57,7 +57,7 @@ func main() {
flagSet.Bool("request-logging", true, "Log requests to stdout") flagSet.Bool("request-logging", true, "Log requests to stdout")
flagSet.String("provider", "", "Oauth provider (defaults to Google)") flagSet.String("provider", "google", "OAuth provider")
flagSet.String("login-url", "", "Authentication endpoint") flagSet.String("login-url", "", "Authentication endpoint")
flagSet.String("redeem-url", "", "Token redemption endpoint") flagSet.String("redeem-url", "", "Token redemption endpoint")
flagSet.String("profile-url", "", "Profile access endpoint") flagSet.String("profile-url", "", "Profile access endpoint")
@ -109,31 +109,9 @@ func main() {
} }
} }
u, err := url.Parse(opts.HttpAddress) s := &Server{
if err != nil { Handler: LoggingHandler(os.Stdout, oauthproxy, opts.RequestLogging),
log.Fatalf("FATAL: could not parse %#v: %v", opts.HttpAddress, err) Opts: opts,
} }
s.ListenAndServe()
var networkType string
switch u.Scheme {
case "", "http":
networkType = "tcp"
default:
networkType = u.Scheme
}
listenAddr := strings.TrimPrefix(u.String(), u.Scheme+"://")
listener, err := net.Listen(networkType, listenAddr)
if err != nil {
log.Fatalf("FATAL: listen (%s, %s) failed - %s", networkType, listenAddr, err)
}
log.Printf("listening on %s", listenAddr)
server := &http.Server{Handler: LoggingHandler(os.Stdout, oauthproxy, opts.RequestLogging)}
err = server.Serve(listener)
if err != nil && !strings.Contains(err.Error(), "use of closed network connection") {
log.Printf("ERROR: http.Serve() - %s", err)
}
log.Printf("HTTP: closing %s", listener.Addr())
} }

View File

@ -104,7 +104,7 @@ func NewOauthProxy(opts *Options, validator func(string) bool) *OauthProxy {
redirectUrl := opts.redirectUrl redirectUrl := opts.redirectUrl
redirectUrl.Path = fmt.Sprintf("%s/callback", opts.ProxyPrefix) redirectUrl.Path = fmt.Sprintf("%s/callback", opts.ProxyPrefix)
log.Printf("OauthProxy configured for %s", opts.ClientID) log.Printf("OauthProxy configured for %s Client ID: %s", opts.provider.Data().ProviderName, opts.ClientID)
domain := opts.CookieDomain domain := opts.CookieDomain
if domain == "" { if domain == "" {
domain = "<default>" domain = "<default>"
@ -114,7 +114,7 @@ func NewOauthProxy(opts *Options, validator func(string) bool) *OauthProxy {
opts.CookieSecure = opts.CookieHttpsOnly opts.CookieSecure = opts.CookieHttpsOnly
} }
log.Printf("Cookie settings: secure (https):%v httponly:%v expiry:%s domain:%s", opts.CookieSecure, opts.CookieHttpOnly, opts.CookieExpire, domain) log.Printf("Cookie settings: name:%s secure (https):%v httponly:%v expiry:%s domain:%s", opts.CookieKey, opts.CookieSecure, opts.CookieHttpOnly, opts.CookieExpire, domain)
var aes_cipher cipher.Block var aes_cipher cipher.Block
if opts.PassAccessToken || (opts.CookieRefresh != time.Duration(0)) { if opts.PassAccessToken || (opts.CookieRefresh != time.Duration(0)) {

View File

@ -14,9 +14,12 @@ import (
type Options struct { type Options struct {
ProxyPrefix string `flag:"proxy-prefix" cfg:"proxy-prefix"` ProxyPrefix string `flag:"proxy-prefix" cfg:"proxy-prefix"`
HttpAddress string `flag:"http-address" cfg:"http_address"` HttpAddress string `flag:"http-address" cfg:"http_address"`
HttpsAddress string `flag:"https-address" cfg:"https_address"`
RedirectUrl string `flag:"redirect-url" cfg:"redirect_url"` RedirectUrl string `flag:"redirect-url" cfg:"redirect_url"`
ClientID string `flag:"client-id" cfg:"client_id" env:"OAUTH2_PROXY_CLIENT_ID"` ClientID string `flag:"client-id" cfg:"client_id" env:"OAUTH2_PROXY_CLIENT_ID"`
ClientSecret string `flag:"client-secret" cfg:"client_secret" env:"OAUTH2_PROXY_CLIENT_SECRET"` ClientSecret string `flag:"client-secret" cfg:"client_secret" env:"OAUTH2_PROXY_CLIENT_SECRET"`
TLSCertFile string `flag:"tls-cert" cfg:"tls_cert_file"`
TLSKeyFile string `flag:"tls-key" cfg:"tls_key_file"`
AuthenticatedEmailsFile string `flag:"authenticated-emails-file" cfg:"authenticated_emails_file"` AuthenticatedEmailsFile string `flag:"authenticated-emails-file" cfg:"authenticated_emails_file"`
EmailDomains []string `flag:"email-domain" cfg:"email_domains"` EmailDomains []string `flag:"email-domain" cfg:"email_domains"`
@ -63,6 +66,7 @@ func NewOptions() *Options {
return &Options{ return &Options{
ProxyPrefix: "/oauth2", ProxyPrefix: "/oauth2",
HttpAddress: "127.0.0.1:4180", HttpAddress: "127.0.0.1:4180",
HttpsAddress: ":443",
DisplayHtpasswdForm: true, DisplayHtpasswdForm: true,
CookieKey: "_oauthproxy", CookieKey: "_oauthproxy",
CookieHttpsOnly: true, CookieHttpsOnly: true,