From 786a581d2f4218c92c18d228889eca8a55b6912b Mon Sep 17 00:00:00 2001
From: Jannik Kramer
Date: Tue, 12 Aug 2025 11:22:18 +0200
Subject: [PATCH] adds pseudo.cortex.consider-funding.de upstream, adds snippet for easy oauth2-proxy protect, moves oauth2-proxy secrets to .env file
---
 .gitignore | 1 -
 .../oauth2-proxy/.env.example | 4 ++
 .../oauth2-proxy/compose.yaml | 1 +
 .../oauth2-proxy/oauth2-proxy.cfg | 9 +++++
 .../oauth2-proxy/oauth2-proxy.cfg.example | 12 ------
 .../reverse-proxy/Caddyfile | 38 +++++++++++++++----
 6 files changed, 45 insertions(+), 20 deletions(-)
 create mode 100644 docker_compose_applications/oauth2-proxy/.env.example
 create mode 100644 docker_compose_applications/oauth2-proxy/oauth2-proxy.cfg
 delete mode 100644 docker_compose_applications/oauth2-proxy/oauth2-proxy.cfg.example
diff --git a/.gitignore b/.gitignore
index ecc5ec3..a2192f0 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,7 +1,6 @@
 .DS_Store
 .env
-oauth2-proxy.cfg
 CLAUDE.md
 GEMINI.md
diff --git a/docker_compose_applications/oauth2-proxy/.env.example b/docker_compose_applications/oauth2-proxy/.env.example
new file mode 100644
index 0000000..6684bd4
--- /dev/null
+++ b/docker_compose_applications/oauth2-proxy/.env.example
@@ -0,0 +1,4 @@
+OAUTH2_PROXY_CLIENT_ID = ""
+OAUTH2_PROXY_CLIENT_SECRET = ""
+OAUTH2_PROXY_COOKIE_SECRET = ""
+OAUTH2_PROXY_OIDC_ISSUER_URL = ""
diff --git a/docker_compose_applications/oauth2-proxy/compose.yaml b/docker_compose_applications/oauth2-proxy/compose.yaml
index 513396a..1310e84 100644
--- a/docker_compose_applications/oauth2-proxy/compose.yaml
+++ b/docker_compose_applications/oauth2-proxy/compose.yaml
@@ -5,6 +5,7 @@ services:
 restart: unless-stopped
 command:
 - --config=/etc/oauth2-proxy/oauth2-proxy.cfg
+ env_file: .env
 volumes:
 - ./oauth2-proxy.cfg:/etc/oauth2-proxy/oauth2-proxy.cfg:ro
 networks:
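Review bot: The four placeholders in the new `.env.example` are written as `KEY = ""` with spaces around `=`, and not every env-file parser accepts or trims that form, so `OAUTH2_PROXY_CLIENT_ID=` is the safer template to ship. The file also loses the hints the deleted `oauth2-proxy.cfg.example` carried. A comment giving the issuer format (`https://login.microsoftonline.com/<tenant-id>/v2.0`) and noting that oauth2-proxy expects a 16-, 24- or 32-byte cookie secret would save a failed first start and discourage a short hand-typed secret.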
diff --git a/docker_compose_applications/oauth2-proxy/oauth2-proxy.cfg b/docker_compose_applications/oauth2-proxy/oauth2-proxy.cfg
new file mode 100644
index 0000000..3772d91
--- /dev/null
+++ b/docker_compose_applications/oauth2-proxy/oauth2-proxy.cfg
@@ -0,0 +1,9 @@
+provider = "entra-id"
+upstreams = ["file:///dev/null"]
+http_address = "0.0.0.0:4180"
+whitelist_domains = [".consider-it.de", ".consider-funding.de"]
+cookie_secure = true
+email_domains = [ "*" ]
+scope = "openid"
+skip_provider_button = true
+set_xauthrequest = true
diff --git a/docker_compose_applications/oauth2-proxy/oauth2-proxy.cfg.example b/docker_compose_applications/oauth2-proxy/oauth2-proxy.cfg.example
deleted file mode 100644
index af54e27..0000000
--- a/docker_compose_applications/oauth2-proxy/oauth2-proxy.cfg.example
+++ /dev/null
@@ -1,12 +0,0 @@
-provider = "entra-id"
-oidc_issuer_url = "https://login.microsoftonline.com/xxx-x-x-x-xxxx/v2.0"
-client_id = ""
-client_secret = ""
-cookie_secret = ""
-upstreams = [ "http://stirling-pdf:8080" ]
-http_address = "0.0.0.0:4180"
-redirect_url = "https://pdf.consider-it.de/oauth2/callback"
-cookie_secure = true
-email_domains = [ "*" ]
-scope = "openid"
-skip_provider_button = true
diff --git a/docker_compose_applications/reverse-proxy/Caddyfile b/docker_compose_applications/reverse-proxy/Caddyfile
index 708606c..fc673f7 100644
--- a/docker_compose_applications/reverse-proxy/Caddyfile
+++ b/docker_compose_applications/reverse-proxy/Caddyfile
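Review bot: In the new `oauth2-proxy.cfg`, `email_domains = [ "*" ]` is the only authorization rule for a proxy instance that now fronts every site importing `oauth2_protect`. Any account the Entra ID app registration lets sign in therefore reaches both `pdf.consider-it.de` and `pseudo.cortex.consider-funding.de`. If those two are not meant for the same audience, narrow it here, for example with `allowed_groups = ["<group-object-id>"]`, or require user assignment on the Entra side. A one-line comment such as `# client_id, client_secret, cookie_secret and oidc_issuer_url are supplied via OAUTH2_PROXY_* in .env` would also explain why the tracked file carries no credentials.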
@@ -1,13 +1,37 @@
-pdf.consider-it.de {
- reverse_proxy oauth2-proxy:4180
+(oauth2_protect) {
+ handle /oauth2/* {
+ reverse_proxy oauth2-proxy:4180
+ }
+
+ handle {
+ forward_auth oauth2-proxy:4180 {
+ uri /oauth2/auth
+ copy_headers Authorization
+
+ @bad status 4xx
+ handle_response @bad {
+ redir https://{args.0}/oauth2/start
+ }
+ }
+
+ reverse_proxy {args.1}
+ }
 }
-metabase.consider-it.de {
- reverse_proxy metabase:3000
+pseudo.cortex.consider-funding.de {
+ import oauth2_protect pseudo.cortex.consider-funding.de http://10.20.0.2:5000
+}
+
+pdf.consider-it.de {
+ import oauth2_protect pdf.consider-it.de http://stirling-pdf:8080
 }
 n8n.consider-funding.de {
- reverse_proxy n8n:5678 {
- flush_interval -1
- }
+ reverse_proxy n8n:5678 {
+ flush_interval -1
+ }
+}
+
+metabase.consider-it.de {
+ reverse_proxy metabase:3000
 }
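Review bot: `@bad status 4xx` in the `oauth2_protect` snippet also matches the 403 that `/oauth2/auth` returns for a signed-in but unauthorized user, which sends that user back to `/oauth2/start` in a loop; `@bad status 401` keeps the redirect to the unauthenticated case. `copy_headers Authorization` does not pick up what `set_xauthrequest = true` produces. The identity arrives in `X-Auth-Request-*` response headers, so the upstreams see no user unless the line reads `copy_headers X-Auth-Request-User X-Auth-Request-Email`. The snippet only guards requests that pass through Caddy, so `http://10.20.0.2:5000` should accept connections from the proxy host alone; whether it does cannot be seen from this diff.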