We Keep Coding

Is there a way to configure SSO oauth2 Prometheus via Nginx Ingress and Oauth2-proxy

I want all users who access Prometheus GUI to be able to log in via SSO keycloak which supports the oauth2 protocol, but now the current configuration, before reaching prometheus gui, there is an nginx server and on the upstreams I have several websites like: grafana , prometheus etc. I searched on the google what is the best solution to do that and I found the Oauth2-proxy that can be done this but after the authentication, the oauth2-proxy is redirect me to the auth page and not to prometheus, everything works ok but not the redirect url.
nginx.conf
user root;
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;
# Load dynamic modules. See /usr/share/nginx/README.dynamic.
include /usr/share/nginx/modules/*.conf;
listen 443 ssl default_server;
server_name example.com;
location /oauth2/ {
proxy_pass http://127.0.0.1:4180;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Scheme $scheme;
proxy_set_header X-Auth-Request-Redirect "https://example.com/prometheus";
}
location = /oauth2/auth {
proxy_pass http://127.0.0.1:4180;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Scheme $scheme;
proxy_set_header Content-Length "";
proxy_pass_request_body off;
}
location ^~ /prometheus/ {
auth_request /oauth2/auth;
error_page 401 = /oauth2/sign_in;
auth_request_set $user $upstream_http_x_auth_request_user;
auth_request_set $email $upstream_http_x_auth_request_email;
proxy_set_header X-User $user;
proxy_set_header X-Email $email;
auth_request_set $token $upstream_http_x_auth_request_access_token;
proxy_set_header X-Access-Token $token;
auth_request_set $auth_cookie $upstream_http_set_cookie;
add_header Set-Cookie $auth_cookie;
auth_request_set $auth_cookie_name_upstream_1 $upstream_cookie_auth_cookie_name_1;
if ($auth_cookie ~* "(; .*)") {
set $auth_cookie_name_0 $auth_cookie;
set $auth_cookie_name_1 "auth_cookie_name_1=$auth_cookie_name_upstream_1$1";
}
if ($auth_cookie_name_upstream_1) {
add_header Set-Cookie $auth_cookie_name_0;
add_header Set-Cookie $auth_cookie_name_1;
}
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header Host $http_host;
proxy_pass "http://192.168.1.20:9090/prometheus/"; # This is where my web server is hosted
}
oauth2-proxy.cfg
provider="keycloak"
provider_display_name="SSO connect"
ssl_insecure_skip_verify=true
login_url="https://auth.keycloak/oauth2/authorize"
redeem_url="https://auth.keycloak/oauth2/token"
validate_url="https://auth.keycloak/oauth2/userinfo"
client_id="8m67vhg34hgj-232k-786j-90cf-45656gjh5f64g"
client_secret="sd;kfposdfk546idfj;"
cookie_secure="true"
redirect_url="https://example.com/prometheus/oauth2/callback"
upstreams="http://192.168.1.20:9090/prometheus/" # My website server
email_domains="*"
cookie_secret="AkaBxYPzIvMdQziWECV6Ow=="
http_address = "127.0.0.1:4180"
https_address = ":443"
reverse_proxy = true
oauth2 bin command :
[root#nginx]# ./oauth2-proxy --config=/etc/nginx/oauth2-proxy.cfg
[2022/02/03 17:23:54] [proxy.go:89] mapping path "/prometheus/" => upstream "http://192.168.1.20:9090/prometheus/"
[2022/02/03 17:23:54] [oauthproxy.go:148] OAuthProxy configured for Keycloak Client ID: 8m67vhg34hgj-232k-786j-90cf-45656gjh5f64g
[2022/02/03 17:23:54] [oauthproxy.go:154] Cookie settings: name:_oauth2_proxy secure(https):true httponly:true expiry:168h0m0s domains: path:/ samesite: refresh:disabled
The oauth2-proxy port 4180 is listening ok :
[root#nginx]# netstat -naptu | grep 4180
tcp 0 0 127.0.0.1:4180 0.0.0.0:* LISTEN 26031/./oauth2-prox
Here is the page of prometheus login point out on oauth2-proxy for authentication
After authentication, is redirect me to the https://auth.keycloak page and not to the upstream https://example.com/prometheus
On the outh2-proxy I have this output whenever I want to access "https://example.com/prometheus"
9 Safari/537.36" 401 13 0.000
[2022/02/03 17:29:59] [validator.go:77] Rejecting invalid redirect "https://example.com": domain / port not in whitelist
[2022/02/03 17:29:59] [director.go:85] Invalid redirect provided in X-Auth-Request-Redirect header: https://example.com
[2022/02/03 17:29:59] [validator.go:77] Rejecting invalid redirect "https://example.com": domain / port not in whitelist
[2022/02/03 17:29:59] [director.go:85] Invalid redirect provided in X-Auth-Request-Redirect header: https://example.com
What I'm missing here .. I don't have any ideas anymore.

I found the solution:
Step1. Download oauth2-proxy binary - my version is oauth2-proxy v7.2.1
Step2. Create oauth2-proxy as services in order to run "start| stop | status".
[root#nginx]# cat oauth2_proxy.service
[Unit]
Description=oauth2_proxy daemon
After=syslog.target network.target
[Service]
ExecStart=/var/opt/oauth2-proxy --config=/etc/nginx/oauth2-proxy.cfg
ExecReload=/bin/kill -HUP $MAINPID
KillMode=process
Restart=always
[Install]
WantedBy=multi-user.target
Running Status oauth2_proxy command
[root#nginx]# systemctl status oauth2_proxy
● oauth2_proxy.service - oauth2_proxy daemon
Loaded: loaded (/etc/systemd/system/multi-user.target.wants/oauth2_proxy.service; bad; vendor preset: disabled)
Active: active (running) since Tue 2022-02-08 11:03:05 CET; 1 day 22h ago
Main PID: 34114 (oauth2-proxy)
CGroup: /system.slice/oauth2_proxy.service
└─34114 /var/opt/oauth2-proxy --config=/etc/nginx/oauth2-proxy.cfg
Feb 08 11:03:05 nginx.local systemd[1]: Started oauth2_proxy daemon.
Feb 08 11:03:05 nginx.local oauth2-proxy[34114]: [2022/02/08 11:03:05] [logging.go:27] Redirecting logging to file: /var/log/oauth2/oauth2_proxy.log
Step3. Create ouath2-proxy.cfg and add the below lines:
provider="oidc"
provider_display_name="SSO Connect"
login_url="https://auth.keycloak/oauth2/authorize"
validate_url="https://auth.keycloak/oauth2/token"
profile_url="https://auth.keycloak/oauth2/userinfo"
client_id="8m67vhg34hgj-232k-786j-90cf-45656gjh5f64g"
client_secret="sd;kfposdfk546idfj"
redirect_url="https://example.com/oauth2/callback"
upstreams=["http://192.168.1.20:9090/prometheus/"] # My website server
###OIDC settings
#reverse_proxy=true
oidc_issuer_url="https://auth.keycloak"
insecure_oidc_allow_unverified_email=true
email_domains=["*"]
cookie_secret="AkaBxYPzIvMdQziWECV6Ow=="
http_address="127.0.0.1:4180"
whitelist_domains="tool.example.com"
cookie_domains=["tool.example.com"]
cookie_secure="false"
cookie_samesite="lax"
pass_authorization_header = true
pass_access_token = true
pass_user_headers = true
set_authorization_header = true
set_xauthrequest = true
cookie_refresh = "1m"
cookie_expire = "30m"
scope="openid email profile"
Step4. Add lines below on nginx.conf in order to make the authentication and redirecting to prometheus upstream
location /oauth2/ {
proxy_pass http://127.0.0.1:4180;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Scheme $scheme;
proxy_set_header X-Auth-Request-Redirect $request_uri;
}
location = /oauth2/auth {
proxy_pass http://127.0.0.1:4180;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Scheme $scheme;
proxy_set_header Content-Length "";
proxy_pass_request_body off;
}
location ^~ /prometheus/ {
auth_request /oauth2/auth;
error_page 401 = /oauth2/sign_in;
auth_request_set $user $upstream_http_x_auth_request_user;
auth_request_set $email $upstream_http_x_auth_request_email;
proxy_set_header X-User $user;
proxy_set_header X-Email $email;
auth_request_set $auth_cookie $upstream_http_set_cookie;
add_header Set-Cookie $auth_cookie;
proxy_pass http://prometheus_backend/prometheus/;
}
I hope you don't have any problems and make it works.

Restrict SOAP calls using Nginx Reverse Proxy

We have a Nginx server configured for reverse proxying to protect an aging SOAP server that can't be patched.
I've been asked to restrict what calls clients can make from specific IP ranges.
I've no idea how to allow some SOAP calls but filter out others.
The Nginux config is
server {
listen 443;
listen [::]:443;
server_name shiny.nginx.server;
ssl on;
ssl_certificate "/public/directory/proxy.pem";
ssl_certificate_key "/secret/directory/proxy.key";
location / {
proxy_pass http://very.old.server:80/;
proxy_buffering off;
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
auth_basic "Username and Password Required";
auth_basic_user_file /etc/nginx/.htpasswd;
}
}
Any ideas how I achieve this?
Thanks

I'v found a solution to this.
server {
listen 443;
listen [::]:443;
server_name shiny.nginx.server;
ssl on;
ssl_certificate "/public/directory/proxy.pem";
ssl_certificate_key "/secret/directory/proxy.key";
location / {
proxy_pass http://very.old.server:80/;
proxy_buffering off;
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
auth_basic "Username and Password Required";
auth_basic_user_file /etc/nginx/.htpasswd;
if ($remote_addr ~ 192.168.1.1) {
set $is_user Y;
}
if ($http_soapaction ~ SOAP/Request/Goes/Here) {
set $user_allowed Y;
}
set $user_test "${is_user}${user_allowed}";
if ($user_test = YY) {
set $good yes;
}
if ($good != yes) {
return 403;
}
}
Not being able to do nested or complex tests made it a bit tricky...

How to change request_uri in nginx proxy_pass?

I am running a django application through gunicorn via unix socket and I have my nginx configuration which looks like this :
Current NGINX config File :
upstream django_app_server {
server unix:/django/run/gunicorn.sock fail_timeout=0;
}
server{
listen 80;
server_name demo.mysite.com;
location / {
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $http_host;
proxy_redirect off;
if (!-f $request_filename) {
proxy_pass http://django_app_server;
break;
}
}
}
so my django is running on a unix socket here , lets say if it was running on localhost then it has a url which looks like :
http://127.0.0.1:8000/demo/app1
http://127.0.0.1:8000/demo/notifications
Main goal
so what i want to do is , when someone visit http://demo.mysite.com/app1 they can access via proxy pass the url : http://127.0.0.1:8000/demo/app1
It would have been really easy if i would be running django on localhost tcp port and i could have easy done this and it would have worked for me :
server{
listen 80;
server_name demo.mysite.com;
location / {
proxy_pass http://127.0.0.1:8000/demo/;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection 'upgrade';
proxy_set_header Host $host;
proxy_cache_bypass $http_upgrade;
}
}
How do i achieve this with my current nginx configurtion ?

One approach is to use rewrite ... break, for example:
location / {
try_files $uri #proxy;
}
location #proxy {
rewrite ^ /demo$uri break;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $http_host;
proxy_redirect off;
proxy_pass http://django_app_server;
}
See this document for details.

Nginx HTTP to HTTPS redirect loop

I have the folloiwng Nginx configuration:
server {
listen 80;
server_name .example.net .example.com;
return 301 https://example.com$request_uri;
}
server {
listen 80;
server_name beta.example.com;
error_page 403 /403;
error_page 404 /404;
error_page 500 /500;
client_max_body_size 5M;
# Handle all locations
location / {
proxy_pass http://127.0.0.1:8080;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
}
server {
listen 443;
ssl on;
ssl_certificate /etc/ssl/cert_chain.crt;
ssl_certificate_key /etc/ssl/csr.pem;
server_name example.com;
error_page 403 /403;
error_page 404 /404;
error_page 500 /500;
client_max_body_size 5M;
location / {
proxy_pass http://127.0.0.1:8000;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
}
I'm wanting to redirect HTTP requests to HTTPS however I get a redirect loop. I've read other answers on different questions including this one and this one however none of their solutions solved mine. Any ideas? Thanks.

It seems like your backend (running on 127.0.0.1:8000) issues Location: http://example.com/ header.
Please look into the access logs, nginx's and backend's too.
Or use httpliveheaders or tcpdump to investigate the traffic.

Nginx: dynamic proxy from url to subdomain

I'm trying to write a nginx conf to dynamically redirect a url to a webapp, based on the uri. I use proxypass directive.
For example, I want redirect http://www.example.com/clientname/ to http://clientname.internaldomain.local/webapp
So far, I only succeded replacing new host, but the uri is broken because I can't split it. (Now I can't even replace the host, dunno why ...)
Here is my actual non working conf:
server {
resolver 192.168.137.71;
listen 80;
server_name tomservpa1;
location ~ (^\/(.*)\/) {
set $ccehost $2;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_pass http://$ccehost.internaldomain.local:9780/webapp/$new_request_uri;
proxy_redirect off;
proxy_set_header Host $host;
}
}
Did someone already do something like that ?
Thanks.

You can use named captures in the location directive is avoid scope and ambiguity issues. For example:
location ~ ^/(?<ccehost>[^/]+)/(?<new_request_uri>.*)$ {
rewrite ^ /webapp/$new_request_uri break;
...
proxy_pass http://$ccehost.internaldomain.local:9780;
...
}

this is the way to do it: (set in production)
location ~* ^/(?<ccehost>.*)/(.*) {
proxy_intercept_errors on;
proxy_cookie_path ~*^/.* /;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server $host;
proxy_pass http://$ccehost.app.ptf:8080/app/$2;
}