Ci-dessous, les différences entre deux révisions de la page.
— |
si:lufim [2021/02/22 09:42] (Version actuelle) dino créée |
||
---|---|---|---|
Ligne 1: | Ligne 1: | ||
+ | COnfig vhost pour lufim en SSO via oauth2proxy | ||
+ | |||
+ | <code> | ||
+ | location / { | ||
+ | proxy_pass http://192.168.1.84:8080; | ||
+ | # Really important! Lufi uses WebSocket, it won't work without this | ||
+ | proxy_set_header Upgrade $http_upgrade; | ||
+ | proxy_set_header Connection "upgrade"; | ||
+ | |||
+ | proxy_http_version 1.1; | ||
+ | proxy_set_header Host $host; | ||
+ | proxy_set_header X-Real-IP $remote_addr; | ||
+ | proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; | ||
+ | |||
+ | # If you want to log the remote port of the file senders, you'll need that | ||
+ | proxy_set_header X-Remote-Port $remote_port; | ||
+ | |||
+ | proxy_set_header X-Forwarded-Proto $scheme; | ||
+ | |||
+ | # We expect the downstream servers to redirect to the right hostname, so don't do any rewrites here. | ||
+ | proxy_redirect off; | ||
+ | |||
+ | } | ||
+ | </code> | ||
+ | |||
+ | et pour la partie accueil qui est authentifier le même vhost que lstu avec juste | ||
+ | <code> | ||
+ | location = / { | ||
+ | auth_request /oauth2/auth; | ||
+ | error_page 401 = /oauth2/sign_in; | ||
+ | # # pass information via X-User and X-Email headers to backend, | ||
+ | # # requires running with --set-xauthrequest flag | ||
+ | auth_request_set $user $upstream_http_x_auth_request_user; | ||
+ | auth_request_set $email $upstream_http_x_auth_request_email; | ||
+ | proxy_set_header X-User $user; | ||
+ | proxy_set_header X-Email $email; | ||
+ | |||
+ | # if you enabled --pass-access-token, this will pass the token to the backend | ||
+ | auth_request_set $token $upstream_http_x_auth_request_access_token; | ||
+ | proxy_set_header X-Access-Token $token; | ||
+ | |||
+ | # if you enabled --cookie-refresh, this is needed for it to work with auth_request | ||
+ | auth_request_set $auth_cookie $upstream_http_set_cookie; | ||
+ | add_header Set-Cookie $auth_cookie; | ||
+ | |||
+ | # When using the --set-authorization-header flag, some provider's cookies can exceed the 4kb | ||
+ | # limit and so the OAuth2 Proxy splits these into multiple parts. | ||
+ | # Nginx normally only copies the first `Set-Cookie` header from the auth_request to the response, | ||
+ | # so if your cookies are larger than 4kb, you will need to extract additional cookies manually. | ||
+ | auth_request_set $auth_cookie_name_upstream_1 $upstream_cookie_auth_cookie_name_1; | ||
+ | |||
+ | # Extract the Cookie attributes from the first Set-Cookie header and append them | ||
+ | # to the second part ($upstream_cookie_* variables only contain the raw cookie content) | ||
+ | if ($auth_cookie ~* "(; .*)") { | ||
+ | set $auth_cookie_name_0 $auth_cookie; | ||
+ | set $auth_cookie_name_1 "auth_cookie_name_1=$auth_cookie_name_upstream_1$1"; | ||
+ | } | ||
+ | |||
+ | # Send both Set-Cookie headers now if there was a second part | ||
+ | if ($auth_cookie_name_upstream_1) { | ||
+ | add_header Set-Cookie $auth_cookie_name_0; | ||
+ | add_header Set-Cookie $auth_cookie_name_1; | ||
+ | } | ||
+ | |||
+ | # HTTPS only header, improves security | ||
+ | #add_header Strict-Transport-Security "max-age=15768000"; | ||
+ | |||
+ | # Adapt this to your configuration (port, subdirectory (see below)) | ||
+ | proxy_pass http://192.168.1.84:8080; | ||
+ | |||
+ | # Really important! Lufi uses WebSocket, it won't work without this | ||
+ | proxy_set_header Upgrade $http_upgrade; | ||
+ | proxy_set_header Connection "upgrade"; | ||
+ | proxy_http_version 1.1; | ||
+ | proxy_set_header Host $host; | ||
+ | proxy_set_header X-Real-IP $remote_addr; | ||
+ | proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; | ||
+ | |||
+ | # If you want to log the remote port of the file senders, you'll need that | ||
+ | proxy_set_header X-Remote-Port $remote_port; | ||
+ | proxy_set_header X-Forwarded-Proto $scheme; | ||
+ | |||
+ | # We expect the downstream servers to redirect to the right hostname, so don't do any rewrites here. | ||
+ | proxy_redirect off; | ||
+ | } | ||
+ | |||
+ | </code> | ||