Commit Graph

98 Commits

Author SHA1 Message Date
Isabelle COWAN-BERGMAN
64ae31b5a0
Implements --trusted-ip option (#552)
* Implements --ip-whitelist option

* Included IPWhitelist option to allow one-or-more selected CIDR ranges
  to bypass OAuth2 authentication.
* Adds IPWhitelist, a fast lookup table for multiple CIDR ranges.

* Renamed IPWhitelist ipCIDRSet

* Fixed unessesary pointer usage in ipCIDRSet

* Update CHANGELOG.md

* Update CHANGELOG.md

* Updated to not use err.Error() in printf statements

* Imrpoved language for --ip-whitelist descriptions.

* Improve IP whitelist options error messages

* Clarify options single-host normalization

* Wrote a book about ipCIDRSet

* Added comment to IsWhitelistedIP in oauthproxy.go

* Rewrite oauthproxy test case as table driven

* oops

* Support whitelisting by low-level remote address

* Added more test-cases, improved descriptions

* Move ip_cidr_set.go to pkg/ip/net_set.go

* Add more whitelist test use cases.

* Oops

* Use subtests for TestIPWhitelist

* Add minimal tests for ip.NetSet

* Use switch statment

* Renamed ip-whitelist to whitelist-ip

* Update documentation with a warning.

* Update pkg/apis/options/options.go

* Update CHANGELOG.md

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>

* Update pkg/ip/net_set_test.go

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>

* Update pkg/ip/net_set_test.go

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>

* Update pkg/ip/net_set_test.go

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>

* Apply suggestions from code review

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>

* fix fmt

* Move ParseIPNet into abstraction

* Add warning in case of --reverse-proxy

* Update pkg/validation/options_test.go

* Rename --whitelist-ip to --trusted-ip

* Update oauthproxy.go

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>

* fix

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
2020-07-11 11:10:58 +01:00
Joel Speed
25154ede41
Update changelog ready for release v6.0.0 2020-06-27 12:10:27 +01:00
Evgeni Gordeev
88a8a70537 update k8s manifest 2020-06-19 22:33:40 -05:00
Evgeni Gordeev
8bec67beb7 code review comments 2020-06-19 22:27:36 -05:00
Evgeni Gordeev
84360114e2 polish 2020-06-17 19:18:52 -05:00
Evgeni Gordeev
fa7855a99d get rid of test-connection pods for hello-world and httpbin 2020-06-16 16:59:56 -05:00
Evgeni Gordeev
c85e5297b5 * some polish 2020-06-16 16:47:10 -05:00
Evgeni Gordeev
11c033e2c8 * move httpbin and hello-world charts outside.
* expose kind to 443 port
* make helm optional
* rename folder to kubernetes
2020-06-16 16:39:11 -05:00
Evgeni Gordeev
9a495e996b Merge remote-tracking branch 'upstream/master' into helm-example
# Conflicts:
#	CHANGELOG.md
2020-06-16 16:38:01 -05:00
Evgeni Gordeev
43f214ce8b
Add Keycloak local testing environment (#604)
* Adding one more example - keycloak - alongside with dex IDP.

* don't expose keycloak and proxy ports to the host

* specify email-domain list option in documentation

* get rid of nginx and socat to simplify the example as per https://github.com/oauth2-proxy/oauth2-proxy/pull/604#issuecomment-640054390

* get rid of the scripts - use static file for keycloak startup

* changelog entry

* Update CHANGELOG.md

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
2020-06-14 14:06:12 +01:00
Evgeni Gordeev
dbf1b451d9 polish 2020-06-12 13:15:43 -05:00
Evgeni Gordeev
0f343cf0ad helm kubernetes example based on kind cluster 2020-06-12 13:12:59 -05:00
Yoshiki Nakagawa
d8d43bb51b
Support new option "github-user" (#421)
* feat(github): support new option "github-user"

* feat(github): rename github-user to github-users

* feat(github): update docs for github-users option

* feat(github): remove unneeded code

* feat(github): remove logging

* feat(github-user): use github-user as flagset options

* feat(github-user): remove optionns.go

* feat(github-user): add github-user flagset

* feat(github): improve readability in the docs

* feat(github-user): refactored SetUsers method

* Update flag description

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
2020-06-01 20:02:07 +01:00
Joel Speed
810a9e9967
Rename cookie-domain config to cookie-domains (#559)
Co-authored-by: Henry Jenkins <henry@henryjenkins.name>
2020-05-24 20:19:56 +01:00
Isabelle COWAN-BERGMAN
fc11d8d508
Updated autocompletion for -- long options. (#569)
* Updated autocompletion for `--` long options.

* Added CHANGELOG.md entry.
2020-05-24 17:12:28 +01:00
Isabelle COWAN-BERGMAN
111d17efde
Implements --real-client-ip-header option. (#503)
* Implements -real-client-ip-header option.

* The -real-client-ip-header determines what HTTP header is used for
  determining the "real client IP" of the remote client.
* The -real-client-ip-header option supports the following headers:
  X-Forwarded-For X-ProxyUser-IP and X-Real-IP (default).
* Introduces new realClientIPParser interface to allow for multiple
  polymorphic classes to decide how to determine the real client IP.
* TODO: implement the more standard, but more complex `Forwarded` HTTP
  header.

* Corrected order of expected/actual in test cases

* Improved error message in getRemoteIP

* Add tests for getRemoteIP and getClientString

* Add comment explaining splitting of header

* Update documentation on -real-client-ip-header w/o -reverse-proxy

* Add PR number in changelog.

* Fix typo repeated word: "it"

Co-Authored-By: Joel Speed <Joel.speed@hotmail.co.uk>

* Update extended configuration language

* Simplify the language around dependance on -reverse-proxy

Co-Authored-By: Joel Speed <Joel.speed@hotmail.co.uk>

* Added completions

* Reorder real client IP header options

* Update CHANGELOG.md

* Apply suggestions from code review

Co-authored-by: Isabelle COWAN-BERGMAN <Izzette@users.noreply.github.com>

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
Co-authored-by: Henry Jenkins <henry@henryjenkins.name>
2020-05-12 18:41:25 +01:00
Joel Speed
afef9c7588
Add nginx test environment to demonstrate protecting multiple subdomains 2020-05-12 16:06:17 +01:00
Joel Speed
0ccfc73ab2
Add test environment docker-compose files 2020-05-12 16:06:16 +01:00
John Clayton
7cf685140b
Restrict access using Github collaborators (#497)
* Allow access based on Github repository
2020-05-11 18:02:40 +01:00
Joel Speed
802754caad
Migrate to oauth2-proxy/oauth2-proxy 2020-03-29 15:40:10 +01:00
Yan Yao
18d20364a8
Extension of Redis Session Store to Support Redis Cluster (#363)
* Extend the redis session store to support redis cluster

* rename function newRedisClient to newRedisCmdable

* update docs about redis cluster as session store

* update autocomplete script with redis cluster options

* add check about conflict between option redis-use-sentinel and redis-use-cluster

* update change log

* Update docs/configuration/sessions.md

Co-Authored-By: Joel Speed <Joel.speed@hotmail.co.uk>

* Update pkg/sessions/redis/redis_store.go

Co-Authored-By: Joel Speed <Joel.speed@hotmail.co.uk>

* add the dropped option back

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
2020-02-06 17:59:12 +00:00
Martin Campbell
d9362d3bb9 Add reverse proxy setting (#331)
* Add reverse proxy setting (#321)
2020-01-24 17:54:13 +00:00
Joel Speed
17d9961cb9
Merge branch 'master' into pgroudas/add-samesite-cookie-options 2020-01-20 19:21:51 +00:00
Kamal Nasser
eee4b55e0f DigitalOcean Auth Provider (#351)
* DigitalOcean provider

* documentation: digitalocean provider

* changelog: digitalocean provider

* codeowners: digitalocean provider
2020-01-15 11:09:34 +00:00
Paul Groudas
5d0827a028 Add configuration for cookie 'SameSite' value.
Values of 'lax' and 'strict' can improve and mitigate
some categories of cross-site traffic tampering.

Given that the nature of this proxy is often to proxy
private tools, this is useful to take advantage of.

See: https://www.owasp.org/index.php/SameSite
2020-01-06 12:21:52 -05:00
Kimball Leavitt
2a07983a36 Add bash completion script (#307)
* added bash completion script

* added install instructions for bash completion
2019-11-05 18:39:10 -08:00
benbro
60bb8fc7ea
Fix repo link 2019-06-01 05:36:28 +03:00
MisterWil
8ec025f536 Auth and standard logging with file rolling 2019-04-12 08:59:46 -07:00
Jehiah Czebotar
dcf62d06df option for skipping OAuth provider SSL verification 2017-03-29 10:57:07 -04:00
Omar Elazhary
24f91a0b60 Allow to pass user headers only (issue #205)
* This fixes https://github.com/bitly/oauth2_proxy/issues/205
* Add new boolean option -pass-user-headers
  to control whether X-Forwarded-User and X-Forwarded-Email
  headers will be set (as opposed to HTTP BASIC auth)
* This is required e.g. for grafana [1] where
  X-Forwarded-User is needed but HTTP BASIC auth fails
  (password is not known and must not be known in this scenario)
* Keep behaviour of PassBasicAuth unchanged for compatibility

[1] http://docs.grafana.org/installation/configuration/#authproxy
2017-01-24 11:11:58 +01:00
Christian Svensson
d579db4a2d Remove superfluous quotes from config path
Using -config="path" will make the application try to open paths with the quotes included which is not what is expected.
2016-05-15 23:22:39 +02:00
Srdjan Grubor
b14be4974f Added SystemD example service file
Since most people want to run this as a service, having some sort of an
example file is very useful to have.
2016-02-12 13:22:33 -06:00
Jehiah Czebotar
e9b5631eed cookie refresh: validation fixes, interval changes
* refresh now calculated as duration from cookie set
2015-06-23 07:51:00 -04:00
Jehiah Czebotar
d78aa13464 v2.0 & cleanup changes
* bump version to 2.0
* remove --cookie-https-only option
* add windows build to dist.sh
* rename --cookie-key to --cookie-name
2015-06-12 13:07:26 -04:00
Jehiah Czebotar
f5b2b20f67 support TLS directly 2015-06-07 23:14:48 -04:00
Jehiah Czebotar
56d19b1c84 disable email validation; rename email-domain argument
This adds a "*" option to --email-domain to disable email validation, and this renames `--google-apps-domain` to `--email-domain` for clarity across providers
2015-06-06 14:37:54 -04:00
tonymeng
c5ccd43767 Enable specific oauth2proxy path; change cookie name to _oauth2proxy 2015-06-06 14:21:42 -04:00
Jehiah Czebotar
c6946893e0 example config updates 2015-05-26 09:18:03 -04:00
Peter Idah
68618a9107 rename example file which is referenced in the README 2015-05-26 12:00:27 +01:00
Mike Bland
082b7c0ec8 Set cookie-refresh flag = 0; update README, config 2015-05-09 17:36:17 -04:00
Jehiah Czebotar
b9b5e817fc improve request logging (closer to Apache Common Log) 2015-03-19 22:34:01 -04:00
Jehiah Czebotar
de04e0c519 rename cookie secure flag 2015-03-19 14:08:17 -04:00
Jehiah Czebotar
ebae065b11 make redirect_uri optional 2015-03-19 14:03:05 -04:00
Jehiah Czebotar
2b2324e410 support (optional) custom templates 2015-03-17 18:11:58 -04:00
Jehiah Czebotar
263e16eeea add --proxy-host-header option 2015-03-17 15:53:01 -04:00
Tom Taylor
132e3d91d6 Add flag to enable/disable cookie's HttpOnly flag. 2015-01-19 16:00:49 +00:00
Jehiah Czebotar
1fa1494e0e fix default in config to match 2014-11-09 23:45:59 -05:00
Jehiah Czebotar
d4fe9a4f57 Add config file support 2014-11-09 20:33:12 -05:00