diff --git a/controllers/nginx/rootfs/etc/nginx/template/nginx.tmpl b/controllers/nginx/rootfs/etc/nginx/template/nginx.tmpl
index fbb023f1b..5d87e3633 100644
--- a/controllers/nginx/rootfs/etc/nginx/template/nginx.tmpl
+++ b/controllers/nginx/rootfs/etc/nginx/template/nginx.tmpl
@@ -663,12 +663,13 @@ stream {
 {{ end }}
 {{ if not (empty $location.ExternalAuth.Method) }}
 proxy_method {{ $location.ExternalAuth.Method }};
- proxy_set_header X-Original-URI $request_uri;
- proxy_set_header X-Scheme $pass_access_scheme;
+ proxy_set_header X-Original-URI $request_uri;
+ proxy_set_header X-Scheme $pass_access_scheme;
 {{ end }}
 proxy_pass_request_headers on;
- proxy_set_header Host {{ $location.ExternalAuth.Host }};
- proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
+ proxy_set_header Host {{ $location.ExternalAuth.Host }};
+ proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
+ proxy_set_header X-Auth-Request-Redirect $request_uri;
 proxy_ssl_server_name on;
 client_max_body_size "{{ $location.Proxy.BodySize }}";
@@ -712,9 +713,9 @@ stream {
 {{ if not (empty $authPath) }}
 # this location requires authentication
- auth_request {{ $authPath }};
- auth_request_set $auth_cookie $upstream_http_set_cookie;
- add_header Set-Cookie $auth_cookie;
+ auth_request {{ $authPath }};
+ auth_request_set $auth_cookie $upstream_http_set_cookie;
+ add_header Set-Cookie $auth_cookie;
 {{- range $idx, $line := buildAuthResponseHeaders $location }}
 {{ $line }}
 {{- end }}
@@ -780,9 +781,6 @@ stream {
 proxy_set_header X-Original-URI $request_uri;
 proxy_set_header X-Scheme $pass_access_scheme;
- {{/* This header is used for external authentication */}}
- proxy_set_header X-Auth-Request-Redirect $request_uri;
-
 # mitigate HTTPoxy Vulnerability
 # https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/
 proxy_set_header Proxy "";
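Review bot: The template comment that accompanied the header at its old location (`{{/* This header is used for external authentication */}}`) is dropped when the header moves into the external-auth block in the first hunk, so the new `proxy_set_header X-Auth-Request-Redirect $request_uri;` line no longer says who consumes it; restore a comment above it, e.g. `{{/* Post-login redirect target returned to the client by the external auth provider (e.g. oauth2-proxy) */}}`. Most of this hunk's -/+ pairs differ only in whitespace, which hides the single real addition — separating the re-indentation from the functional change would make the move reviewable. Note that the adjacent `X-Original-URL` is built from `$http_host`, i.e. the client-supplied Host header; if the auth backend uses either this or the new redirect header as a redirect target it must validate the host itself, since nginx does not — this is pre-existing, but the new line now sits beside it. The enclosing location block starts before and ends after this hunk.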
diff --git a/examples/external-auth/nginx/dashboard-ingress.yaml b/examples/external-auth/nginx/dashboard-ingress.yaml
index 642e38f5b..ea3db40b2 100644
--- a/examples/external-auth/nginx/dashboard-ingress.yaml
+++ b/examples/external-auth/nginx/dashboard-ingress.yaml
@@ -8,7 +8,7 @@ metadata:
 namespace: kube-system
 spec:
 rules:
- - host: __INGRESS_HOST__
+ - host: dashboard.uswest2-01.rocket-science.io
 http:
 paths:
 - backend:
@@ -25,7 +25,7 @@ metadata:
 namespace: kube-system
 spec:
 rules:
- - host: __INGRESS_HOST__
+ - host: dashboard.uswest2-01.rocket-science.io
 http:
 paths:
 - backend:
@@ -34,5 +34,5 @@ spec:
 path: /oauth2
 tls:
 - hosts:
- - __INGRESS_HOST__
- secretName: __INGRESS_SECRET__
+ - dashboard.uswest2-01.rocket-science.io
+ secretName: dashboard-rocket-science.io
diff --git a/examples/external-auth/nginx/oauth2-proxy.yaml b/examples/external-auth/nginx/oauth2-proxy.yaml
index 1735f4690..02d07db57 100644
--- a/examples/external-auth/nginx/oauth2-proxy.yaml
+++ b/examples/external-auth/nginx/oauth2-proxy.yaml
@@ -25,13 +25,13 @@ spec:
 # https://github.com/settings/applications/new
 env:
 - name: OAUTH2_PROXY_CLIENT_ID
- value:
+ value: b609d40bdedf145d832e
 - name: OAUTH2_PROXY_CLIENT_SECRET
- value:
+ value: cc2a10e004624aae225b4d5edd5574dea7944395
 # python -c 'import os,base64; print base64.b64encode(os.urandom(16))'
 - name: OAUTH2_PROXY_COOKIE_SECRET
- value: SECRET
- image: docker.io/colemickens/oauth2_proxy:latest
+ value: F6HNMR7IiGzwAYSAHV+9OQ==
+ image: skippy/docker-oauth2_proxy:2.0.1
 imagePullPolicy: Always
 name: oauth2-proxy
 ports:
@@ -46,6 +46,7 @@ metadata:
 labels:
 k8s-app: oauth2-proxy
 name: oauth2-proxy
+ namespace: kube-system
 spec:
 ports:
 - name: http
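Review bot: Replacing the `__INGRESS_HOST__` and `__INGRESS_SECRET__` placeholders in the tls hunk with `dashboard.uswest2-01.rocket-science.io` and `dashboard-rocket-science.io` hard-codes one deployment's hostname and TLS secret into a shared example, so anyone who applies it as-is serves a host they do not control and references a Secret that does not exist in their cluster. The same substitution is made in the two `host:` rules earlier in this file. Keep the placeholders (`- __INGRESS_HOST__` and `secretName: __INGRESS_SECRET__`) and leave the substitution to the example's setup steps, which presumably replace them at deploy time.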
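Review bot: The `value:` lines for OAUTH2_PROXY_CLIENT_ID, OAUTH2_PROXY_CLIENT_SECRET and OAUTH2_PROXY_COOKIE_SECRET in the first oauth2-proxy hunk now carry what appear to be a real GitHub OAuth app id and secret plus a generated cookie secret, in plaintext, in a committed example manifest; anything committed here must be treated as compromised, so revoke the OAuth app credentials and regenerate the cookie secret rather than relying on a follow-up commit to scrub them from history. The example should reference a Kubernetes Secret created out-of-band via `valueFrom.secretKeyRef` instead of inline `value:`, as sketched below. The image change to `skippy/docker-oauth2_proxy:2.0.1` is an improvement over `:latest` in that it pins a tag, but it points at a personal Docker Hub repository and a tag is still mutable; pin by digest or use a maintained image so the example is reproducible and does not depend on a third party's tag.
```yaml
        env:
        - name: OAUTH2_PROXY_CLIENT_ID
          valueFrom:
            secretKeyRef:
              name: oauth2-proxy-secrets
              key: client-id
        - name: OAUTH2_PROXY_CLIENT_SECRET
          valueFrom:
            secretKeyRef:
              name: oauth2-proxy-secrets
              key: client-secret
        # python -c 'import os,base64; print base64.b64encode(os.urandom(16))'
        - name: OAUTH2_PROXY_COOKIE_SECRET
          valueFrom:
            secretKeyRef:
              name: oauth2-proxy-secrets
              key: cookie-secret
        # … unchanged: image, imagePullPolicy, name, ports …
```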