-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathdocker-compose.yml
81 lines (78 loc) · 5.02 KB
/
docker-compose.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
version: "3"
networks:
proxy:
external: true
stack:
services:
web:
image: tutum/hello-world
networks:
- stack
oauth2proxy:
image: jkernech/oauth2-proxy
command:
#- -approval-prompt string: OAuth approval_prompt (default "force")
#- -authenticated-emails-file string: authenticate against emails via file (one per line)
#- -azure-tenant string: go to a tenant-specific or common (tenant-independent) endpoint. (default "common")
#- -basic-auth-password string: the password to set when passing the HTTP Basic Auth header
#- -client-id string: the OAuth Client ID: ie: "123456.apps.googleusercontent.com"
#- -client-secret string: the OAuth Client Secret
#- -config string: path to config file
#- -cookie-domain string: an optional cookie domain to force cookies to (ie: .yourcompany.com)*
#- -cookie-expire duration: expire timeframe for cookie (default 168h0m0s)
#- -cookie-httponly: set HttpOnly cookie flag (default true)
#- -cookie-name string: the name of the cookie that the oauth_proxy creates (default "_oauth2_proxy")
#- -cookie-refresh duration: refresh the cookie after this duration; 0 to disable
#- -cookie-secret string: the seed string for secure cookies (optionally base64 encoded)
#- -cookie-secure: set secure (HTTPS) cookie flag (default true)
#- -custom-templates-dir string: path to custom html templates
#- -display-htpasswd-form: display username / password login form if an htpasswd file is provided (default true)
#- -email-domain value: authenticate emails with the specified domain (may be given multiple times). Use * to authenticate any email
#- -footer string: custom footer string. Use "-" to disable default footer.
#- -github-org string: restrict logins to members of this organisation
#- -github-team string: restrict logins to members of this team
#- -google-admin-email string: the google admin to impersonate for api calls
#- -google-group value: restrict logins to members of this google group (may be given multiple times).
#- -google-service-account-json string: the path to the service account json credentials
#- -htpasswd-file string: additionally authenticate against a htpasswd file. Entries must be created with "htpasswd -s" for SHA encryption
#- -http-address string: [http://]<addr>:<port> or unix://<path> to listen on for HTTP clients (default "127.0.0.1:4180")
#- -https-address string: <addr>:<port> to listen on for HTTPS clients (default ":443")
#- -login-url string: Authentication endpoint
#- -pass-access-token: pass OAuth access_token to upstream via X-Forwarded-Access-Token header
#- -pass-basic-auth: pass HTTP Basic Auth, X-Forwarded-User and X-Forwarded-Email information to upstream (default true)
#- -pass-host-header: pass the request Host Header to upstream (default true)
#- -pass-user-headers: pass X-Forwarded-User and X-Forwarded-Email information to upstream (default true)
#- -profile-url string: Profile access endpoint
#- -provider string: OAuth provider (default "google")
#- -proxy-prefix string: the url root path that this proxy should be nested under (e.g. /<oauth2>/sign_in) (default "/oauth2")
#- -redeem-url string: Token redemption endpoint
#- -redirect-url string: the OAuth Redirect URL. ie: "https://internalapp.yourcompany.com/oauth2/callback"
#- -request-logging: Log requests to stdout (default true)
#- -resource string: The resource that is protected (Azure AD only)
#- -scope string: OAuth scope specification
#- -set-xauthrequest: set X-Auth-Request-User and X-Auth-Request-Email response headers (useful in Nginx auth_request mode)
#- -signature-key string: GAP-Signature request signature key (algorithm:secretkey)
#- -skip-auth-preflight: will skip authentication for OPTIONS requests
#- -skip-auth-regex value: bypass authentication for requests path's that match (may be given multiple times)
#- -skip-provider-button: will skip sign-in-page to directly reach the next step: oauth/start
#- -ssl-insecure-skip-verify: skip validation of certificates presented when using HTTPS
#- -tls-cert string: path to certificate file
#- -tls-key string: path to private key file
#- -upstream value: the http url(s) of the upstream endpoint or file:// paths for static files. Routing is based on the path
#- -validate-url string: Access token validation endpoint
#- -version: print version string
- -upstream=http://web:80
- -http-address=0.0.0.0:4080
- -client-id=XXXXXXXXXX
- -client-secret=XXXXXXXXXX
- -cookie-secret=XXXXXXXXXX
- -email-domain=*
- -redirect-url=http://internal.${DOMAIN:-domain.local}/oauth2/callback
environment:
# HAProxy configuration
- VIRTUAL_HOST=http://internal.${DOMAIN:-domain.local},https://internal.${domain:-domain.local}
- SERVICE_PORTS=4080
- EXCLUDE_BASIC_AUTH=true
networks:
- proxy
- stack