I want to check out https://github.com/bitly/oauth2_proxy which is a highly-rated OAuth proxy and written in Go. I have at least one private site and want better authentication options.

Oh yeah. In addition to securing sites currently secured by outdated means, getting this working will allow me to create a control site so Sean and Jen can update the webshow site. And they can authenticate with their Twitter accounts.

I wonder if any of the cloud front ends offer OAuth authentication?

Jan 3

  • Installed oauth2_proxy
  • Ran it from my workstation, directed nginx to proxy a site to oauth2_proxy
  • Run from a PowerShell prompt, thus the backtick line continuation marks. Note that -email-domain has a space instead of an equals sign. It didn’t work for me with the equals sign unless I did =*. I ran oauth2_proxy -h, and on Windows it showed spaces instead of equals, so I tried that and it worked!

      C:\Path\To\oauth2_proxy.exe `
          -client-id="gobbledegook.apps.googleusercontent.com" `
          -client-secret="blahgobbledeygookblah" `
          -http-address="0.0.0.0:80" `
          -upstream=http://192.168.1.110/ `
          -pass-host-header=true `
          -cookie-secret="32 character random string abcde" `
          -email-domain jimnelson.us
    
  • I was already passing X-Real-IP and the host headers in my configuration. I didn’t have to use add_header Strict-Transport-Security max-age=2592000; or pass the X-Scheme header as shown in the repo readme nginx example to make it work.
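
The nginx side of the setup described in the list above, as an added example that is not the author's configuration or the project's readme. The hostname, certificate paths and the workstation address 192.0.2.10 are placeholders, and it assumes nginx terminates TLS in front of oauth2_proxy.

```nginx
# Added example: nginx in front of oauth2_proxy.
# All names, paths and addresses below are placeholders.
server {
    listen 443 ssl;
    server_name private.example.com;

    ssl_certificate     /etc/nginx/tls/private.example.com.crt;
    ssl_certificate_key /etc/nginx/tls/private.example.com.key;

    location / {
        # Every request goes to oauth2_proxy first. It handles the Google
        # sign-in and only then forwards to the site given in -upstream.
        # The port matches -http-address="0.0.0.0:80" from the command above.
        proxy_pass http://192.0.2.10:80;

        # With -pass-host-header=true the proxy hands this Host value on
        # to the upstream, so it must be the name the site expects.
        proxy_set_header Host      $host;
        proxy_set_header X-Real-IP $remote_addr;

        # Shown in the readme example; the post reports the setup worked
        # without these two lines.
        # proxy_set_header X-Scheme $scheme;
        # add_header Strict-Transport-Security max-age=2592000;
    }
}

# Send plain-HTTP visitors to the TLS listener.
server {
    listen 80;
    server_name private.example.com;
    return 301 https://$host$request_uri;
}
```

The upstream site itself should accept connections only from the oauth2_proxy host; a client that can reach the upstream address directly never passes through the login check.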

This is awesome! I’m logged into my Google account most of the time, so this makes restricted access to this site much easier. I had previously been using WordPress with a privacy plugin. Now I have a static site and this OAuth proxy.

Of course now I need to make this more permanent than running off my workstation….

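    FROM centos:latest

    MAINTAINER jim@midnightfreddie.com

    # Download the v2.1 release tarball and unpack it under /opt
    RUN curl -L https://github.com/bitly/oauth2_proxy/releases/download/v2.1/oauth2_proxy-2.1.linux-amd64.go1.6.tar.gz | \
            tar -zxf - -C /opt

    # Port oauth2_proxy listens on inside the container
    EXPOSE 4180

    # Exec-form entrypoint: any further flags (client id, client secret,
    # upstream, ...) given as arguments to docker run are appended to this command
    ENTRYPOINT ["/opt/oauth2_proxy-2.1.linux-amd64.go1.6/oauth2_proxy", "-http-address", "0.0.0.0:4180"]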