Unverified Commit a9116047 authored by Sandro Jäckel

nixos/oauth2-proxy-nginx: lift auth_request to http block

With this change, every location block of the configured virtual hosts is now protected by oauth2-proxy, not only `/`.
parent 38142559
+22 −12
@@ -28,7 +28,8 @@ in
      type = types.listOf types.str;
      default = [];
      description = ''
        A list of nginx virtual hosts to put behind the oauth2 proxy
        A list of nginx virtual hosts to put behind the oauth2 proxy.
        You can exclude specific locations by setting `auth_request off;` in the locations extraConfig setting.
      '';
    };
  };
@@ -50,18 +51,27 @@ in
  ] ++ optional (cfg.virtualHosts != []) {
    recommendedProxySettings = true; # needed because duplicate headers
  } ++ (map (vhost: {
    virtualHosts.${vhost}.locations = {
    virtualHosts.${vhost} = {
      locations = {
        "/oauth2/auth" = {
          proxyPass = cfg.proxy;
          extraConfig = ''
            auth_request off;
            proxy_set_header X-Scheme         $scheme;
            # nginx auth_request includes headers but not body
            proxy_set_header Content-Length   "";
            proxy_pass_request_body           off;
          '';
        };
      "@redirectToAuth2ProxyLogin".return = "307 https://${cfg.domain}/oauth2/start?rd=$scheme://$host$request_uri";
      "/".extraConfig = ''
        "@redirectToAuth2ProxyLogin" = {
          return = "307 https://${cfg.domain}/oauth2/start?rd=$scheme://$host$request_uri";
          extraConfig = ''
            auth_request off;
          '';
        };
      };

      extraConfig = ''
        auth_request /oauth2/auth;
        error_page 401 = @redirectToAuth2ProxyLogin;