This repository has been archived by the owner on Jan 24, 2019. It is now read-only.

Naming Is Hard - project name change #85

Merged
merged 1 commit into from
May 21, 2015

1 change: 1 addition & 0 deletions .gitignore
@@ -1,4 +1,5 @@
google_auth_proxy
oauth2_proxy
# Go.gitignore
# Compiled Object files, Static and Dynamic libs (Shared Objects)
*.o
58 changes: 30 additions & 28 deletions README.md
@@ -1,39 +1,40 @@
google_auth_proxy
oaut2_proxy
=================

(This project was formerly known as Google Auth Proxy)

A reverse proxy that provides authentication using Google and other OAuth2
providers to validate individual accounts, or a whole google apps domain.
A reverse proxy that provides authentication using Providers (Google, Github, and others)
to validate individual accounts, or a whole email domain.

[![Build Status](https://secure.travis-ci.org/bitly/google_auth_proxy.png?branch=master)](http://travis-ci.org/bitly/google_auth_proxy)
[![Build Status](https://secure.travis-ci.org/bitly/oauth2_proxy.png?branch=master)](http://travis-ci.org/bitly/oauth2_proxy)


![sign_in_page](https://cloud.githubusercontent.com/assets/45028/4970624/7feb7dd8-6886-11e4-93e0-c9904af44ea8.png)

## Architecture

```
_______ ___________________ __________
|Nginx| ----> |google_auth_proxy| ----> |upstream|
------- ------------------- ----------
||
\/
[google oauth2 api]
_______ ______________ __________
|Nginx| ----> |oauth2_proxy| ----> |upstream|
------- -------------- ----------
||
\/
[provider OAuth2 API]
```


## Installation

1. Download [Prebuilt Binary](https://github.com/bitly/google_auth_proxy/releases) or build from `master` with `$ go get github.com/bitly/google_auth_proxy` which should put the binary in `$GOROOT/bin`
2. Register an OAuth Application with Google
1. Download [Prebuilt Binary](https://github.com/bitly/oauth2_proxy/releases) or build from `master` with `$ go get github.com/bitly/oauth2_proxy` which should put the binary in `$GOROOT/bin`
2. Register an OAuth Application with a Provider
3. Configure Google Auth Proxy using config file, command line options, or environment variables
4. Deploy behind a SSL endpoint (example provided for Nginx)

## OAuth Configuration

You will need to register an OAuth application with Google (or [another
provider](#providers)), and configure it with Redirect URI(s) for the domain
you intend to run `google_auth_proxy` on.
you intend to run `OAUTH2_PROXY` on.

For Google, the registration steps are:
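Review bot: The new README title reads `oaut2_proxy`, missing the "h"; it should be `oauth2_proxy`. Two other leftovers in this hunk: installation step 3 still says "Configure Google Auth Proxy", and the OAuth Configuration paragraph names the binary as `OAUTH2_PROXY` in upper case, while the install step and the architecture diagram use the lower-case `oauth2_proxy`.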

Expand All @@ -43,7 +44,7 @@ For Google, the registration steps are:
* The Application Type should be **Web application**
* Enter your domain in the Authorized Javascript Origins `https://internal.yourcompany.com`
* Enter the correct Authorized Redirect URL `https://internal.yourcompany.com/oauth2/callback`
* NOTE: `google_auth_proxy` will _only_ callback on the path `/oauth2/callback`
* NOTE: `oauth2_proxy` will _only_ callback on the path `/oauth2/callback`
4. Under "APIs & Auth" choose "Consent Screen"
* Fill in the necessary fields and Save (this is _required_)
5. Take note of the **Client ID** and **Client Secret**
Expand All @@ -59,19 +60,19 @@ For LinkedIn, the registration steps are:

## Configuration

`google_auth_proxy` can be configured via [config file](#config-file), [command line options](#command-line-options) or [environment variables](#environment-variables).
`oauth2_proxy` can be configured via [config file](#config-file), [command line options](#command-line-options) or [environment variables](#environment-variables).

### Config File

An example [google_auth_proxy.cfg](contrib/google_auth_proxy.cfg.example) config file is in the contrib directory. It can be used by specifying `-config=/etc/google_auth_proxy.cfg`
An example [OAUTH2_PROXY.cfg](contrib/oauth2_proxy.cfg.example) config file is in the contrib directory. It can be used by specifying `-config=/etc/oauth2_proxy.cfg`

### Command Line Options

```
Usage of google_auth_proxy:
Usage of oauth2_proxy:
-authenticated-emails-file="": authenticate against emails via file (one per line)
-client-id="": the Google OAuth Client ID: ie: "123456.apps.googleusercontent.com"
-client-secret="": the OAuth Client Secret
-client-id="": the OAuth Client ID: ie: "123456.apps.googleusercontent.com"
-client-secret="": the Client Secret
-config="": path to config file
-cookie-domain="": an optional cookie domain to force cookies to (ie: .yourcompany.com)*
-cookie-expire=168h0m0s: expire timeframe for cookie
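Review bot: The usage text for `-client-secret` is changed here to "the Client Secret", but the flag definition in main.go still reads "the OAuth Client Secret", so the README no longer matches what the binary prints; keep the README line as it was or change both. Also in this hunk, the config file link text is `OAUTH2_PROXY.cfg` in upper case while its target and the `-config=/etc/oauth2_proxy.cfg` example are lower case.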
Expand Down Expand Up @@ -105,12 +106,12 @@ See below for provider specific options

### Environment variables

The environment variables `GOOGLE_AUTH_PROXY_CLIENT_ID`, `GOOGLE_AUTH_PROXY_CLIENT_SECRET`, `GOOGLE_AUTH_PROXY_COOKIE_SECRET`, `GOOGLE_AUTH_PROXY_COOKIE_DOMAIN` and `GOOGLE_AUTH_PROXY_COOKIE_EXPIRE` can be used in place of the corresponding command-line arguments.
The environment variables `OAUTH2_PROXY_CLIENT_ID`, `OAUTH2_PROXY_CLIENT_SECRET`, `OAUTH2_PROXY_COOKIE_SECRET`, `OAUTH2_PROXY_COOKIE_DOMAIN` and `OAUTH2_PROXY_COOKIE_EXPIRE` can be used in place of the corresponding command-line arguments.

### Example Nginx Configuration

This example has a [Nginx](http://nginx.org/) SSL endpoint proxying to `google_auth_proxy` on port `4180`.
`google_auth_proxy` then authenticates requests for an upstream application running on port `8080`. The external
This example has a [Nginx](http://nginx.org/) SSL endpoint proxying to `oauth2_proxy` on port `4180`.
`oauth2_proxy` then authenticates requests for an upstream application running on port `8080`. The external
endpoint for this example would be `https://internal.yourcompany.com/`.

An example Nginx config follows. Note the use of `Strict-Transport-Security` header to pin requests to SSL
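Review bot: The list of environment variables omits `OAUTH2_PROXY_COOKIE_REFRESH`, which options.go maps to `CookieRefresh` in this same change; add it to the sentence. Since the `GOOGLE_AUTH_PROXY_*` names are replaced rather than kept alongside the new ones, this paragraph is also the natural place to tell existing users to rename their variables.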
Expand All @@ -136,10 +137,10 @@ server {
}
```

The command line to run `google_auth_proxy` would look like this:
The command line to run `oauth2_proxy` would look like this:

```bash
./google_auth_proxy \
./oauth2_proxy \
--google-apps-domain="yourcompany.com" \
--upstream=http://127.0.0.1:8080/ \
--cookie-secret=... \
Expand All @@ -151,7 +152,7 @@ The command line to run `google_auth_proxy` would look like this:

## Endpoint Documentation

Google Auth Proxy responds directly to the following endpoints. All other endpoints will be proxied upstream when authenticated.
OAuth2 Proxy responds directly to the following endpoints. All other endpoints will be proxied upstream when authenticated.

* /robots.txt - returns a 200 OK response that disallows all User-agents from all paths; see [robotstxt.org](http://www.robotstxt.org/) for more info
* /ping - returns an 200 OK response
Expand All @@ -161,17 +162,18 @@ Google Auth Proxy responds directly to the following endpoints. All other endpoi

## Logging Format

Google Auth Proxy logs requests to stdout in a format similar to Apache Combined Log.
OAuth2 Proxy Proxy logs requests to stdout in a format similar to Apache Combined Log.

```
<REMOTE_ADDRESS> - <user@domain.com> [19/Mar/2015:17:20:19 -0400] <HOST_HEADER> GET <UPSTREAM_HOST> "/path/" HTTP/1.1 "<USER_AGENT>" <RESPONSE_CODE> <RESPONSE_BYTES> <REQUEST_DURATION>
```

## <a name="providers"></a>Providers other than Google
## <a name="providers"></a>Providers

Other providers besides Google can be specified by the `providers` flag/config
Authentication providers can be specified by the `providers` flag/config
directive. Right now this includes:

* `google` - (default) [Google](https://console.developers.google.com/project)
* `myusa` - The [MyUSA](https://alpha.my.usa.gov) authentication service
([GitHub](https://github.com/18F/myusa))
* `linkedin` - The [LinkedIn](https://developer.linkedin.com/docs/signin-with-linkedin) Sign In service.
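Review bot: The Logging Format sentence now reads "OAuth2 Proxy Proxy logs requests", with "Proxy" doubled; it should be "OAuth2 Proxy logs requests".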
6 changes: 3 additions & 3 deletions dist.sh
Expand Up @@ -20,9 +20,9 @@ echo "... running tests"

for os in linux darwin; do
echo "... building v$version for $os/$arch"
BUILD=$(mktemp -d -t google_auth_proxy)
TARGET="google_auth_proxy-$version.$os-$arch.$goversion"
GOOS=$os GOARCH=$arch CGO_ENABLED=0 go build -o $BUILD/$TARGET/google_auth_proxy || exit 1
BUILD=$(mktemp -d -t oauth2_proxy)
TARGET="oauth2_proxy-$version.$os-$arch.$goversion"
GOOS=$os GOARCH=$arch CGO_ENABLED=0 go build -o $BUILD/$TARGET/oauth2_proxy || exit 1
pushd $BUILD
tar czvf $TARGET.tar.gz $TARGET
mv $TARGET.tar.gz $DIR/dist
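Review bot: The changed `mktemp -d -t oauth2_proxy` line passes a template with no `X` characters, which GNU mktemp rejects ("too few X's in template") although BSD/macOS mktemp accepts it as a prefix. While the line is being touched, `mktemp -d -t oauth2_proxy.XXXXXX` runs on both, and quoting `"$BUILD/$TARGET/oauth2_proxy"` in the `go build -o` line guards against a temp path that contains spaces.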
6 changes: 3 additions & 3 deletions main.go
Expand Up @@ -18,7 +18,7 @@ import (

func main() {
log.SetFlags(log.Ldate | log.Ltime | log.Lshortfile)
flagSet := flag.NewFlagSet("google_auth_proxy", flag.ExitOnError)
flagSet := flag.NewFlagSet("oauth2_proxy", flag.ExitOnError)

googleAppsDomains := StringArray{}
upstreams := StringArray{}
Expand All @@ -38,7 +38,7 @@ func main() {
flagSet.Var(&googleAppsDomains, "google-apps-domain", "authenticate against the given Google apps domain (may be given multiple times)")
flagSet.String("github-org", "", "restrict logins to members of this organisation")
flagSet.String("github-team", "", "restrict logins to members of this team")
flagSet.String("client-id", "", "the Google OAuth Client ID: ie: \"123456.apps.googleusercontent.com\"")
flagSet.String("client-id", "", "the OAuth Client ID: ie: \"123456.apps.googleusercontent.com\"")
flagSet.String("client-secret", "", "the OAuth Client Secret")
flagSet.String("authenticated-emails-file", "", "authenticate against emails via file (one per line)")
flagSet.String("htpasswd-file", "", "additionally authenticate against a htpasswd file. Entries must be created with \"htpasswd -s\" for SHA encryption")
Expand All @@ -65,7 +65,7 @@ func main() {
flagSet.Parse(os.Args[1:])

if *showVersion {
fmt.Printf("google_auth_proxy v%s (built with %s)\n", VERSION, runtime.Version())
fmt.Printf("oauth2_proxy v%s (built with %s)\n", VERSION, runtime.Version())
return
}

2 changes: 1 addition & 1 deletion oauthproxy.go
Expand Up @@ -16,7 +16,7 @@ import (
"strings"
"time"

"github.com/bitly/google_auth_proxy/providers"
"github.com/bitly/oauth2_proxy/providers"
)

const robotsPath = "/robots.txt"
2 changes: 1 addition & 1 deletion oauthproxy_test.go
@@ -1,7 +1,7 @@
package main

import (
"github.com/bitly/google_auth_proxy/providers"
"github.com/bitly/oauth2_proxy/providers"
"github.com/bmizerany/assert"
"io/ioutil"
"log"
14 changes: 7 additions & 7 deletions options.go
Expand Up @@ -7,15 +7,15 @@ import (
"strings"
"time"

"github.com/bitly/google_auth_proxy/providers"
"github.com/bitly/oauth2_proxy/providers"
)

// Configuration Options that can be set by Command Line Flag, or Config File
type Options struct {
HttpAddress string `flag:"http-address" cfg:"http_address"`
RedirectUrl string `flag:"redirect-url" cfg:"redirect_url"`
ClientID string `flag:"client-id" cfg:"client_id" env:"GOOGLE_AUTH_PROXY_CLIENT_ID"`
ClientSecret string `flag:"client-secret" cfg:"client_secret" env:"GOOGLE_AUTH_PROXY_CLIENT_SECRET"`
ClientID string `flag:"client-id" cfg:"client_id" env:"OAUTH2_PROXY_CLIENT_ID"`
ClientSecret string `flag:"client-secret" cfg:"client_secret" env:"OAUTH2_PROXY_CLIENT_SECRET"`

AuthenticatedEmailsFile string `flag:"authenticated-emails-file" cfg:"authenticated_emails_file"`
GoogleAppsDomains []string `flag:"google-apps-domain" cfg:"google_apps_domains"`
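Review bot: Renaming the `env:` tags on `ClientID` and `ClientSecret` drops the old variable names outright, so a deployment that still exports `GOOGLE_AUTH_PROXY_CLIENT_ID` and `GOOGLE_AUTH_PROXY_CLIENT_SECRET` (and the `GOOGLE_AUTH_PROXY_COOKIE_*` variables renamed in the next hunk) will no longer have them read through these tags after upgrading. Consider accepting the old names as a fallback with a deprecation warning in the log, or at least call out the rename prominently in the release notes, because a missing client or cookie secret is an easy failure to misdiagnose.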
Expand All @@ -25,10 +25,10 @@ type Options struct {
DisplayHtpasswdForm bool `flag:"display-htpasswd-form" cfg:"display_htpasswd_form"`
CustomTemplatesDir string `flag:"custom-templates-dir" cfg:"custom_templates_dir"`

CookieSecret string `flag:"cookie-secret" cfg:"cookie_secret" env:"GOOGLE_AUTH_PROXY_COOKIE_SECRET"`
CookieDomain string `flag:"cookie-domain" cfg:"cookie_domain" env:"GOOGLE_AUTH_PROXY_COOKIE_DOMAIN"`
CookieExpire time.Duration `flag:"cookie-expire" cfg:"cookie_expire" env:"GOOGLE_AUTH_PROXY_COOKIE_EXPIRE"`
CookieRefresh time.Duration `flag:"cookie-refresh" cfg:"cookie_refresh" env:"GOOGLE_AUTH_PROXY_COOKIE_REFRESH"`
CookieSecret string `flag:"cookie-secret" cfg:"cookie_secret" env:"OAUTH2_PROXY_COOKIE_SECRET"`
CookieDomain string `flag:"cookie-domain" cfg:"cookie_domain" env:"OAUTH2_PROXY_COOKIE_DOMAIN"`
CookieExpire time.Duration `flag:"cookie-expire" cfg:"cookie_expire" env:"OAUTH2_PROXY_COOKIE_EXPIRE"`
CookieRefresh time.Duration `flag:"cookie-refresh" cfg:"cookie_refresh" env:"OAUTH2_PROXY_COOKIE_REFRESH"`
CookieHttpsOnly bool `flag:"cookie-https-only" cfg:"cookie_https_only"` // deprecated use cookie-secure
CookieSecure bool `flag:"cookie-secure" cfg:"cookie_secure"`
CookieHttpOnly bool `flag:"cookie-httponly" cfg:"cookie_httponly"`
2 changes: 1 addition & 1 deletion providers/internal_util.go
@@ -1,7 +1,7 @@
package providers

import (
"github.com/bitly/google_auth_proxy/api"
"github.com/bitly/oauth2_proxy/api"
"log"
"net/http"
)
2 changes: 1 addition & 1 deletion providers/linkedin.go
Expand Up @@ -8,7 +8,7 @@ import (
"net/http"
"net/url"

"github.com/bitly/google_auth_proxy/api"
"github.com/bitly/oauth2_proxy/api"
)

type LinkedInProvider struct {
2 changes: 1 addition & 1 deletion providers/myusa.go
Expand Up @@ -5,7 +5,7 @@ import (
"net/http"
"net/url"

"github.com/bitly/google_auth_proxy/api"
"github.com/bitly/oauth2_proxy/api"
)

type MyUsaProvider struct {
2 changes: 1 addition & 1 deletion templates.go
Expand Up @@ -130,7 +130,7 @@ func getTemplates() *template.Template {
</div>
{{ end }}
<footer>
Secured with <a href="https://github.com/bitly/google_auth_proxy#google_auth_proxy">Google Auth Proxy</a> version {{.Version}}
Secured with <a href="https://github.com/bitly/oauth2_proxy#oauth2_proxy">OAuth2 Proxy</a> version {{.Version}}
</footer>
</body>
</html>
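Review bot: The footer link's fragment `#oauth2_proxy` depends on the README heading, which this same change spells `oaut2_proxy`; with that heading the fragment will not resolve on the repository page until the title typo is fixed. Fix the README title rather than the link, so the footer and the heading agree on `oauth2_proxy`.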