From e23602920f49da01a0cd3d4ac419967735e3ad6b Mon Sep 17 00:00:00 2001
From: Zeev Diukman
Date: Fri, 28 Nov 2025 23:08:22 +0200
Subject: [PATCH] 2

---
 .gitignore | 1 +
 caddy/config/Caddyfile | 27 ++++++++++++--
 caddy/config/snippets.caddy | 53 +++++++++++++++++++++++-----
 oauth2-proxy/allowed_emails.txt | 3 +-
 oauth2-proxy/oauth2-proxy.cfg | 29 ++++++++++++---
 oauth2-proxy/oauth2-proxy.cfg-google | 27 ++++++++++++++
 z.sh | 13 ++++++-
 7 files changed, 136 insertions(+), 17 deletions(-)
 create mode 100644 .gitignore
 create mode 100644 oauth2-proxy/oauth2-proxy.cfg-google

diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..8d3580c
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+caddy/config/gateway.code-workspace
diff --git a/caddy/config/Caddyfile b/caddy/config/Caddyfile
index e81d450..a23dd8f 100644
--- a/caddy/config/Caddyfile
+++ b/caddy/config/Caddyfile
@@ -1,5 +1,5 @@
 import snippets.caddy
-diukman.com {
+* {
 respond "Error" 500
 }
 https://photos.diukman.com {
@@ -10,7 +10,6 @@ https://auth.diukman.com {
 }
 https://adguard.diukman.com {
 import protect rp http://192.168.2.8
- # respond "aaaaa"
 }
 https://opnsense.diukman.com {
 import protect rp http://192.168.2.1
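Review bot: The catch-all `* {` block that replaces `diukman.com {` carries no comment saying it is the deliberate default-deny for any Host header that no site below matches, and a bare `*` reads like a leftover; a line such as `# default-deny: a request for an unlisted Host gets an error instead of reaching an upstream` above it would record the intent. Caddy does not issue a certificate for a bare `*`, so what a TLS client presenting an unlisted SNI actually receives depends on the certificates Caddy already holds — worth confirming once with a request for an unlisted name. The site blocks in both hunks continue outside them.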
@@ -27,3 +26,27 @@ https://wireguard.diukman.com {
 https://modem.diukman.com {
 import protect rp http://192.168.1.1
 }
+
+https://diukman.com {
+ # import protected https://192.168.2.10:8006 "skip_verify"
+ # import protected http://192.168.2.8 "skip_verify"
+ # import protected "skip_tls" https://192.168.2.10:8006
+ # handle /oauth2/* {
+ # reverse_proxy oauth2proxy:4180 {
+ # header_up X-Real-IP {remote_host}
+ # header_up X-Forwarded-Uri {uri}
+ # }
+ # }
+ # handle {
+ # forward_auth oauth2proxy:4180 {
+ # uri /oauth2/auth
+ # copy_headers Remote-User Remote-Groups Remote-Name Remote-Email
+ # header_up X-Real-IP {remote_host}
+ # @error status 401 403
+ # handle_response @error {
+ # redir * /oauth2/sign_in?rd={scheme}://{host}{uri}
+ # }
+ # }
+ # reverse_proxy http://192.168.2.8
+ # }
+}
diff --git a/caddy/config/snippets.caddy b/caddy/config/snippets.caddy
index a104278..3965433 100644
--- a/caddy/config/snippets.caddy
+++ b/caddy/config/snippets.caddy
@@ -8,7 +8,7 @@
 (rp) {
 reverse_proxy {args[0]}
 }
-(auth_path) {
+(auth_path_handler) {
 handle /oauth2/* {
 reverse_proxy oauth2proxy:4180 {
 header_up X-Real-IP {remote_host}
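Review bot: The new `https://diukman.com {` block holds only commented-out directives, so the apex now gets an empty 200 (Caddy's response when a site has no handlers) where the removed `diukman.com { respond "Error" 500 }` block denied it; if the apex is still meant to be closed, put `respond "Error" 500` inside it, and if it is meant to be protected, use the snippet the comments sketch (`import protect rp http://192.168.2.8`) rather than an inline copy. The 23 commented lines duplicate what `auth_path_handler` and `auth_redirect` in snippets.caddy already define and are better deleted than kept as dead config. The commented `import protected … "skip_verify"` variants disable certificate validation toward the upstream if revived, so whichever one comes back should carry a comment naming why that upstream's certificate cannot be validated.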
@@ -16,21 +16,58 @@
 }
 }
 }
+
 (auth_redirect) {
- import auth_path
+ forward_auth oauth2proxy:4180 {
+ uri /oauth2/auth
+ copy_headers Remote-User Remote-Groups Remote-Name Remote-Email
+ header_up X-Real-IP {remote_host}
+ @error status 401 403
+ handle_response @error {
+ redir * /oauth2/sign_in?rd={scheme}://{host}{uri}
+ }
+ }
+}
+
+(protect) {
+ import auth_path_handler
+ handle {
+ import auth_redirect
+ import {args[0]} {args[1]}
+ }
+}
+
+(protected) {
+ @skip_tls {
+ expression `"{args[1]}" == "skip_verify"`
+ }
+ @no_skip_tls {
+ expression `"{args[1]}" != "skip_verify"`
+ }
+ handle /oauth2/* {
+ reverse_proxy oauth2proxy:4180 {
+ header_up X-Real-IP {remote_host}
+ header_up X-Forwarded-Uri {uri}
+ }
+ }
 handle {
 forward_auth oauth2proxy:4180 {
 uri /oauth2/auth
+ copy_headers Remote-User Remote-Groups Remote-Name Remote-Email
 header_up X-Real-IP {remote_host}
- @error status 401
+ @error status 401 403
 handle_response @error {
 redir * /oauth2/sign_in?rd={scheme}://{host}{uri}
 }
 }
+
+
+ reverse_proxy @skip_tls {args[0]} {
+ transport http {
+ tls_insecure_skip_verify
+ }
+ }
+ reverse_proxy @no_skip_tls {args[0]}
+
 }
- import {args[0]} {args[1]}
-}
-(protect) {
- import auth_path
- import auth_redirect {args[0]} {args[1]}
 }
\ No newline at end of file
diff --git a/oauth2-proxy/allowed_emails.txt b/oauth2-proxy/allowed_emails.txt
index 39c5c30..f83f214 100644
--- a/oauth2-proxy/allowed_emails.txt
+++ b/oauth2-proxy/allowed_emails.txt
@@ -1,2 +1 @@
-zeevdukeman@gmail.com
-zeevdukemandev@gmail.com
\ No newline at end of file
+zeevdukeman@gmail.com
\ No newline at end of file
diff --git a/oauth2-proxy/oauth2-proxy.cfg b/oauth2-proxy/oauth2-proxy.cfg
index 3de1140..73f8df6 100644
--- a/oauth2-proxy/oauth2-proxy.cfg
+++ b/oauth2-proxy/oauth2-proxy.cfg
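Review bot: `copy_headers Remote-User Remote-Groups Remote-Name Remote-Email` in both `auth_redirect` and `protected` names headers that oauth2-proxy does not set; with `set_xauthrequest = true` in oauth2-proxy.cfg the `/oauth2/auth` response carries `X-Auth-Request-User`, `X-Auth-Request-Email` and `X-Auth-Request-Groups`, so as written the upstreams receive no identity header at all, and `copy_headers X-Auth-Request-User X-Auth-Request-Email X-Auth-Request-Groups` is what matches the configured proxy. The `skip_verify` path of `protected` turns on `tls_insecure_skip_verify`, which removes certificate validation for that hop entirely; for a self-signed upstream, trusting its specific certificate with `tls_trusted_ca_certs <path>` (or `tls_trust_pool` on current Caddy) together with `tls_server_name` keeps the upstream authenticated and is the better default, with the blanket skip reserved for an upstream whose certificate genuinely cannot be pinned. `protected` also re-inlines what `auth_path_handler` and `auth_redirect` already define; `import auth_path_handler` followed by a `handle {}` that imports `auth_redirect` and then the two matcher-guarded `reverse_proxy` lines gives the same behaviour without the duplicate copy.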
@@ -1,17 +1,38 @@
+
+
+
 # --- 1. Provider Configuration ---
+
+## GitHub OAuth2 Configuration
+# provider = "github"
+# client_id = "Ov23liA8Pj1NqKm5HgqR"
+# client_secret = "3b5015ef53b81d94ff9414a55be1252508d70795"
+# scope = "user:email"
+# email_domains = ["*"] # Allow any email domain (since restriction is handled by github_org)
+# github_org = "diukman" # Restrict access to members of this GitHub Organization
+
+## Google OAuth2 Configuration
 provider = "google"
 client_id = "908518725447-1pbdp071t2b07p66fv0n845n3nrbeu0k.apps.googleusercontent.com"
 client_secret = "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"
-cookie_secret = "0MuGA07eq7PqfEBQXV_mkRxPsHb4VsuwlEka5A4dExg="
+scope = "openid profile email"
+
+# --- 2. OAuth2 Proxy Configuration ---
 upstreams = "static://200"
 http_address = "0.0.0.0:4180"
 redirect_url = "https://auth.diukman.com/oauth2/callback"
-scope = "openid profile email"
+
 set_xauthrequest = true
-# whitelist_domains = [ ".diukman.com", "diukman.com" ]
+# --- 3. Cookie Configuration ---
+cookie_secret = "0MuGA07eq7PqfEBQXV_mkRxPsHb4VsuwlEka5A4dExg="
 cookie_domains = [ ".diukman.com", "diukman.com" ]
 cookie_httponly = true
 cookie_secure = true
 cookie_samesite = "none"
+cookie_expire = "168h" # Cookie expiry time (7 days)
+
+# --- 5. Email Whitelisting ---
 authenticated_emails_file = "/etc/allowed_emails.txt"
-# email_domains = [ "*" ]
\ No newline at end of file
+# --- 6. Domain redirection Whitelisting ---
+whitelist_domains = ["*.diukman.com", "diukman.com"]
+pass_host_header = true # Pass the Host header from the client to the upstream server
\ No newline at end of file
diff --git a/oauth2-proxy/oauth2-proxy.cfg-google b/oauth2-proxy/oauth2-proxy.cfg-google
new file mode 100644
index 0000000..e89c562
--- /dev/null
+++ b/oauth2-proxy/oauth2-proxy.cfg-google
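Review bot: This hunk commits live credentials in plaintext — the Google `client_secret`, the `cookie_secret`, and a GitHub `client_secret` that is only commented out — and the new `oauth2-proxy.cfg-google` file in the next hunk repeats all of them; once pushed they are part of the history, so they need rotating, and the tracked config should drop the `client_secret` and `cookie_secret` lines and take them from the environment (`OAUTH2_PROXY_CLIENT_SECRET`, `OAUTH2_PROXY_COOKIE_SECRET`) or a mounted secret file instead. `cookie_samesite = "none"` is broader than this deployment needs: every protected host is a subdomain of diukman.com, which is same-site for cookie purposes, so `cookie_samesite = "lax"` should keep the forward_auth redirect flow working while restoring the session cookie's cross-site protection — confirm with one login round trip. The section numbering jumps from `# --- 3.` to `# --- 5.`, and the blank lines added at the very top of the file look accidental.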
@@ -0,0 +1,27 @@
+# --- 1. Provider Configuration ---
+provider = "google"
+client_id = "908518725447-1pbdp071t2b07p66fv0n845n3nrbeu0k.apps.googleusercontent.com"
+client_secret = "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"
+scope = "openid profile email"
+
+# provider = "github"
+# client_id = "Ov23liA8Pj1NqKm5HgqR"
+# client_secret = "3b5015ef53b81d94ff9414a55be1252508d70795"
+# scope = "user:email"
+
+# --- 2. OAuth2 Proxy Configuration ---
+upstreams = "static://200"
+http_address = "0.0.0.0:4180"
+redirect_url = "https://auth.diukman.com/oauth2/callback"
+
+set_xauthrequest = true
+# --- 3. Cookie Configuration ---
+cookie_secret = "0MuGA07eq7PqfEBQXV_mkRxPsHb4VsuwlEka5A4dExg="
+cookie_domains = [ ".diukman.com", "diukman.com" ]
+cookie_httponly = true
+cookie_secure = true
+cookie_samesite = "none"
+# --- 5. Email Whitelisting ---
+authenticated_emails_file = "/etc/allowed_emails.txt"
+# --- 6. Domain redirection Whitelisting ---
+whitelist_domains = [ "*.diukman.com", "diukman.com" ]
\ No newline at end of file
diff --git a/z.sh b/z.sh
index 76a8dd1..81a21e8 100755
--- a/z.sh
+++ b/z.sh
@@ -38,6 +38,17 @@ case "${Z_CMD[0]}" in
 ;;
 esac
 ;;
+ oauth2-proxy | p)
+ case "${Z_CMD[1]}" in
+ restart | r)
+ echo "Restarting oauth2-proxy container..."
+ docker compose restart oauth2proxy
+ ;;
+ *)
+ Z_FLAG=true
+ ;;
+ esac
+ ;;
 *)
 Z_FLAG=true
 ;;
@@ -45,7 +56,7 @@ esac
 case $Z_FLAG in
 true)
- echo "Usage: $0 caddy [reload|restart|watch]"
+ echo "Usage: $0 caddy|c | docker|d | oauth2-proxy|p "
 exit 1
 ;;
 esac
\ No newline at end of file
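Review bot: The replacement usage line `echo "Usage: $0 caddy|c | docker|d | oauth2-proxy|p "` drops the per-command actions the old text listed (`[reload|restart|watch]`), so a user who lands on the fallback learns the command names but not that `oauth2-proxy` accepts only `restart|r`; something like `echo "Usage: $0 {caddy|c} [reload|restart|watch] | {docker|d} [<docker actions>] | {oauth2-proxy|p} [restart|r]"` keeps that information (the docker actions are defined outside this hunk). The new `oauth2-proxy | p)` arm in the first z.sh hunk mirrors the existing arms, including the `*)` branch that sets `Z_FLAG=true`, which is consistent. The outer `case "${Z_CMD[0]}" in` that the first hunk extends starts before it.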