monitoring: fix authentication via oauth2_proxy by moving to Keycloak-OIDC + many proxy buffer hacks

This commit is contained in:
Raito Bezarius 2022-08-05 17:52:21 +02:00
parent 9d3381cafb
commit be6e81ad46
2 changed files with 25 additions and 7 deletions


@ -32,6 +32,13 @@ in
enableACME = true; enableACME = true;
locations."/" = { locations."/" = {
proxyPass = "http://127.0.0.1:${toString port}"; proxyPass = "http://127.0.0.1:${toString port}";
extraConfig = ''
# For large authentication-authorization headers
proxy_buffer_size 128k;
proxy_buffers 4 256k;
proxy_busy_buffers_size 256k;
'';
}; };
}; };
} }
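Review bot: The buffer sizes added to `extraConfig` here (`proxy_buffer_size 128k; proxy_buffers 4 256k; proxy_busy_buffers_size 256k;`) differ from the ones the same commit adds to the monitoring vhost in the second file (256k / 4 512k / 512k) under the identical comment, so a reader cannot tell whether the two sets are tuned or just trial-and-error. Picking one set and hoisting it into a shared nginx snippet referenced by both locations would keep them consistent. Of the three directives only `proxy_buffer_size` governs the upstream response header, so the larger `proxy_buffers` and `proxy_busy_buffers_size` may be unnecessary for the stated purpose and raise per-connection memory; nginx also requires `proxy_busy_buffers_size` to be at least `proxy_buffer_size` and at most all but one of the `proxy_buffers`, which both sets currently satisfy, and a one-line comment stating that constraint would stop a later edit from breaking it. The enclosing virtualHost definition starts before this hunk.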


@ -115,22 +115,25 @@ in
services.oauth2_proxy = { services.oauth2_proxy = {
enable = true; enable = true;
keyFile = config.age.secrets.oauth2ProxyKeyFile.path; keyFile = config.age.secrets.oauth2ProxyKeyFile.path;
provider = "keycloak"; provider = "keycloak-oidc";
email.domains = [ "*" ]; email.domains = [ "*" ];
cookie = { cookie = {
name = "_oauth2_proxy_ensrz"; name = "_oauth2_proxy_ensrz";
domain = ".rz.ens.wtf"; domain = ".rz.ens.wtf";
}; };
setXauthrequest = true; setXauthrequest = true;
scope = "profile"; scope = "openid";
loginURL = "https://auth.${my.subZone}/auth/realms/${realm}/protocol/openid-connect/auth";
redeemURL = "https://auth.${my.subZone}/auth/realms/${realm}/protocol/openid-connect/token";
profileURL = "https://auth.${my.subZone}/auth/realms/${realm}/protocol/openid-connect/userinfo";
validateURL = "https://auth.${my.subZone}/auth/realms/${realm}/protocol/openid-connect/userinfo";
redirectURL = "https://monitoring.${my.subZone}/oauth2/callback"; redirectURL = "https://monitoring.${my.subZone}/oauth2/callback";
reverseProxy = true; reverseProxy = true;
passHostHeader = true; passHostHeader = true;
extraConfig = {
whitelist-domain = [ ".rz.ens.wtf" ];
oidc-issuer-url = "https://auth.${my.subZone}/auth/realms/${realm}";
# insecure-oidc-allow-unverified-email = true;
show-debug-on-error = true;
};
nginx = { nginx = {
virtualHosts = [ "monitoring.${my.subZone}" ]; virtualHosts = [ "monitoring.${my.subZone}" ];
}; };
@ -143,7 +146,15 @@ in
enableACME = true; enableACME = true;
forceSSL = true; forceSSL = true;
locations."/".proxyPass = "http://localhost:19999"; locations."/" = {
proxyPass = "http://localhost:19999";
extraConfig = ''
# For large authentication-authorization headers
proxy_buffer_size 256k;
proxy_buffers 4 512k;
proxy_busy_buffers_size 512k;
'';
};
}; };
}; };
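Review bot: `show-debug-on-error = true;` in the new `extraConfig` of `services.oauth2_proxy` makes oauth2-proxy render internal error details on the error page to anyone whose login fails, which is a debugging aid rather than a production setting; once the keycloak-oidc migration is confirmed it should be dropped or set to `show-debug-on-error = false;`. The commented-out `# insecure-oidc-allow-unverified-email = true;` is better deleted than left as a hint, since enabling it would admit accounts whose email Keycloak has not verified, and `email.domains = [ "*" ]` already accepts any address. With `scope = "openid"` and the wildcard domain list the only access control is the ability to authenticate to the realm; if that is intended, a comment saying so next to `email.domains` would make the decision visible. The `services.oauth2_proxy` attribute set and the nginx virtualHost both extend outside the hunks.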