monitoring: fix authentication via oauth2_proxy by moving to Keycloak-OIDC + many proxy buffer hacks

2022-08-05 17:52:21 +02:00 · 2022-08-05 17:52:21 +02:00 · be6e81ad46
commit be6e81ad46
parent 9d3381cafb
2 changed files with 25 additions and 7 deletions
--- a/machines/core-services-01/keycloak.nix
+++ b/machines/core-services-01/keycloak.nix
@ -32,6 +32,13 @@ in
    enableACME = true;
    locations."/" = {
      proxyPass = "http://127.0.0.1:${toString port}";
+
+      extraConfig = ''
+        # For large authentication-authorization headers
+        proxy_buffer_size          128k;
+        proxy_buffers              4 256k;
+        proxy_busy_buffers_size    256k;
+      '';
    };
  };
 }
--- a/machines/core-services-01/monitoring.nix
+++ b/machines/core-services-01/monitoring.nix
@ -115,22 +115,25 @@ in
  services.oauth2_proxy = {
    enable = true;
    keyFile = config.age.secrets.oauth2ProxyKeyFile.path;
-    provider = "keycloak";
+    provider = "keycloak-oidc";
    email.domains = [ "*" ];
    cookie = {
      name = "_oauth2_proxy_ensrz";
      domain = ".rz.ens.wtf";
    };
    setXauthrequest = true;
-    scope = "profile";
-    loginURL = "https://auth.${my.subZone}/auth/realms/${realm}/protocol/openid-connect/auth";
-    redeemURL = "https://auth.${my.subZone}/auth/realms/${realm}/protocol/openid-connect/token";
-    profileURL = "https://auth.${my.subZone}/auth/realms/${realm}/protocol/openid-connect/userinfo";
-    validateURL = "https://auth.${my.subZone}/auth/realms/${realm}/protocol/openid-connect/userinfo";
+    scope = "openid";
    redirectURL = "https://monitoring.${my.subZone}/oauth2/callback";
    reverseProxy = true;
    passHostHeader = true;

+    extraConfig = {
+      whitelist-domain = [ ".rz.ens.wtf" ];
+      oidc-issuer-url = "https://auth.${my.subZone}/auth/realms/${realm}";
+      # insecure-oidc-allow-unverified-email = true;
+      show-debug-on-error = true;
+    };
+
    nginx = {
      virtualHosts = [ "monitoring.${my.subZone}" ];
    };
@ -143,7 +146,15 @@ in
      enableACME = true;
      forceSSL = true;

-      locations."/".proxyPass = "http://localhost:19999";
+      locations."/" = {
+        proxyPass = "http://localhost:19999";
+        extraConfig = ''
+          # For large authentication-authorization headers
+          proxy_buffer_size          256k;
+          proxy_buffers              4 512k;
+          proxy_busy_buffers_size    512k;
+        '';
+      };
    };
  };