2,2.1,latest(Dockerfile)
This repository holds a build definition and supporting files for building a Docker image to run oauth2_proxy.
It is published as automated build machine-data/oauth2_proxy on Docker Hub.
oauth2_proxy is a reverse proxy and static file server that provides authentication using Providers (Google, GitHub, and others) to validate accounts by email, domain or group.
Not quite:
- Based on the official Alpine Linux image - super slim and lightweight.
- No magic. Straight config that follows upstream. Simple and clean configuration via environment variables or config file.
- Image follows Dockerfile best practices (dropping root privileges, PID1 for proper signalling, logging,...)
To be able to start oauth2_proxy you need to configure an OAuth Provider first. Instructions for Google and others are found on the oauth2_proxy website. Note your client-id and client-secret.
In the minimal configuration you also need to specify the upstream you are protecting.
$ docker run -d -p 4180:4180 \
-e OAUTH2_PROXY_CLIENT_ID=... \
-e OAUTH2_PROXY_CLIENT_SECRET=... \
-e OAUTH2_PROXY_UPSTREAM=... \
machine-data/oauth2_proxyIt is very easy to configure oauth2_proxy via environment variables. If no config file is present, the docker-entrypoint.sh script will create one based on the passed environment variables.
-
OAUTH2_PROXY_CLIENT_ID: the OAuth Client ID: ie: "123456.apps.googleusercontent.com" -
OAUTH2_PROXY_CLIENT_SECRET: the OAuth Client Secret -
OAUTH2_PROXY_COOKIE_SECRET: the seed string for secure cookies. To generate a strong cookie secret just runpython -c 'import os,base64; print base64.b64encode(os.urandom(18))'. -
OAUTH2_PROXY_EMAIL_DOMAIN: authenticate emails with the specified domain (may be given multiple times). The default is "*" and will authenticate any email. -
OAUTH2_PROXY_UPSTREAM: the http url(s) of the upstream endpoint or file:// paths for static files. Routing is based on the path
You can pass any variable that is specified on the command line options documentation.
OAUTH2_PROXY_APPROVAL_PROMPTOAUTH2_PROXY_AUTHENTICATED_EMAILS_FILEOAUTH2_PROXY_AZURE_TENANTOAUTH2_PROXY_BASIC_AUTH_PASSWORDOAUTH2_PROXY_CONFIGOAUTH2_PROXY_COOKIE_DOMAINOAUTH2_PROXY_COOKIE_EXPIREOAUTH2_PROXY_COOKIE_HTTPONLYOAUTH2_PROXY_COOKIE_NAMEOAUTH2_PROXY_COOKIE_REFRESHOAUTH2_PROXY_COOKIE_SECUREOAUTH2_PROXY_CUSTOM_TEMPLATES_DIROAUTH2_PROXY_DISPLAY_HTPASSWD_FORMOAUTH2_PROXY_GITHUB_ORGOAUTH2_PROXY_GITHUB_TEAMOAUTH2_PROXY_GOOGLE_ADMIN_EMAILOAUTH2_PROXY_GOOGLE_GROUPOAUTH2_PROXY_GOOGLE_SERVICE_ACCOUNT_JSONOAUTH2_PROXY_HTPASSWD_FILEOAUTH2_PROXY_HTTP_ADDRESSOAUTH2_PROXY_HTTPS_ADDRESSOAUTH2_PROXY_LOGIN_URLOAUTH2_PROXY_PASS_ACCESS_TOKENOAUTH2_PROXY_PASS_BASIC_AUTHOAUTH2_PROXY_PASS_HOST_HEADEROAUTH2_PROXY_PROFILE_URLOAUTH2_PROXY_PROVIDEROAUTH2_PROXY_PROXY_PREFIXOAUTH2_PROXY_REDEEM_URLOAUTH2_PROXY_REDIRECT_URLOAUTH2_PROXY_RESOURCEOAUTH2_PROXY_REQUEST_LOGGINGOAUTH2_PROXY_SCOPEOAUTH2_PROXY_SIGNATURE_KEYOAUTH2_PROXY_SKIP_AUTH_REGEXOAUTH2_PROXY_SKIP_PROVIDER_BUTTONOAUTH2_PROXY_TLS_CERTOAUTH2_PROXY_TLS_KEYOAUTH2_PROXY_VALIDATE_URL
The container is configured to start oauth2_proxy with /config/oauth2_proxy.cfg as config file.
If a config file is mounted (preferably read-only), the OAUTH2_PROXY_ environment variables will be ignored. Use the example config to start:
$ curl -O https://raw.githubusercontent.com/bitly/oauth2_proxy/master/contrib/oauth2_proxy.cfg.example
$ mv oauth2_proxy.cfg.example oauth2_proxy.cfg
$ sed -i -e "s/# http_address = .*/http_address = \"0.0.0.0:4180\"/" oauth2_proxy.cfg.example
$ docker run -d \
-v $(pwd)/oauth2_proxy.cfg.example:/config/oauth2_proxy.cfg:ro \
-p 4180:4180 machine-data/oauth2_proxy/templates: Path to place custom templatessign_in.htmlanderror.html. You also need to setcustom-templates-dirvia config file or theOAUTH2_PROXY_CUSTOM_TEMPLATES_DIRenvironment variable.
4180: The default port where oauth2_proxy is listening. Can be changed viahttp-address(and/orhttps_address) setting and correspondingOAUTH2_PROXY_environment variable.
oauth2_proxy is a creation of bitly and was renamed from Google Auth Proxy in May 2015. It is licensed under the MIT license.
docker-oauth2_proxy is licensed under the Apache 2.0 license, was created by Jodok Batlogg. Copyright 2016 Crate.io, Inc..
Thanks for considering contributing to docker-oauth2_proxy! The easiest way to contribute is either by filing an issue on Github or to fork the repository to create a pull request.
If you have any questions don't hesitate to join us on Slack.