Add Google Authentication to any Website using Nginx and Oauth Proxy
Oauth Proxy is a reverse proxy and static file server that provides authentication using Providers (Google, GitHub, and others) to validate accounts by email, domain or group.
Requirements
- You need a website running on Nginx.
- You need an authentication source that supports Oauth (GSuite, Github, ...)
- You need SSH access to your server.
- You need basic knowledge of Linux and Web Servers.
Instructions
SSH into the server hosting the web application.
Download the latest version of OAUTH Proxy
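# v5.0.0 is the release this guide was written against; check the project's
# releases page for a newer version before installing.
wget https://github.com/pusher/oauth2_proxy/releases/download/v5.0.0/oauth2_proxy-v5.0.0.linux-amd64.go1.13.6.tar.gz
# Print the archive's SHA-256 and compare it with the checksum published for
# this release (if one is provided); stop here if the values differ.
sha256sum oauth2_proxy-v5.0.0.linux-amd64.go1.13.6.tar.gz
# Unpack the archive. The next step moves the `oauth2_proxy` binary, so cd into
# the unpacked folder first if the archive extracts into one.
tar -xzf oauth2_proxy-v5.0.0.linux-amd64.go1.13.6.tar.gz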
Create a directory /opt/oauth2_proxy
# Created through sudo, so the install directory belongs to root rather than
# to the login user.
sudo mkdir /opt/oauth2_proxy
Extract the downloaded archive, then move the oauth2_proxy binary to the directory created above
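sudo mv oauth2_proxy /opt/oauth2_proxy
# mv can leave the binary owned by the user who downloaded it. Hand it to root
# and drop group/other write access so neither that user nor the service
# account can replace what systemd executes.
sudo chown root:root /opt/oauth2_proxy/oauth2_proxy
sudo chmod 0755 /opt/oauth2_proxy/oauth2_proxy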
Create a new configuration file (oauth2_proxy.cfg)
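cd /opt/oauth2_proxy
sudo touch oauth2_proxy.cfg
# The file will hold client_secret and cookie_secret, so restrict it before
# writing them: root owns it, the www-data group (the group the service runs
# under) may read it, nobody else can. The www-data group must already exist.
sudo chown root:www-data oauth2_proxy.cfg
sudo chmod 640 oauth2_proxy.cfg
sudo nano oauth2_proxy.cfg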
Copy the following configuration to the file you just created (swap the masked values with your own)
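# Address oauth2_proxy listens on. Keep it on loopback so that only the local
# Nginx can reach it (the Nginx config proxies to 127.0.0.1:4180).
http_address = "127.0.0.1:4180"

upstreams = [
    "http://127.0.0.1:8080/"
]

# Email Domains to allow authentication for (this authorizes any email on this domain).
# To authorize any email addresses use "*".
# NOTE: "*" admits every account the provider can authenticate (for Google,
# any Google account), so use it only for sites meant to be open to all.
email_domains = [ "example.com" ]

# The OAuth Client ID, Secret
# Keep real values out of version control, shared pastes and screenshots.
client_id = "*************************************"
client_secret = "***********************************"

# Return X-Auth-Request-User / X-Auth-Request-Email on the auth response.
# The Nginx config reads these to populate X-User and X-Email for the backend.
set_xauthrequest = true

# Cookie Settings
# cookie_secret protects the session cookie: generate it from a
# cryptographically secure random source and never reuse it across sites.
cookie_secret = "***********************************"
# cookie_domain = ""
# cookie_expire = "168h"
# cookie_refresh = ""
# Send the session cookie over HTTPS only and hide it from page scripts.
cookie_secure = true
cookie_httponly = true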
Adjust the configuration parameters for your particular server and web application.
Create a new systemd service for oauth_proxy
# Created through sudo, so the unit file is root-owned; it decides which
# binary systemd runs and under which account.
sudo touch /etc/systemd/system/oauth_proxy.service
sudo nano /etc/systemd/system/oauth_proxy.service
Copy the following systemd service configuration to the service configuration file you just created
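# Systemd service file for oauth2_proxy daemon
[Unit]
Description=oauth2_proxy daemon service
After=syslog.target network.target

[Service]
# www-data group and user need to be created before using these lines.
# User= must be on its own line: if it is left inside the comment above, the
# daemon runs as root with only its group changed.
User=www-data
Group=www-data
ExecStart=/opt/oauth2_proxy/oauth2_proxy -config=/opt/oauth2_proxy/oauth2_proxy.cfg
ExecReload=/bin/kill -HUP $MAINPID
KillMode=process
Restart=always
# Basic sandboxing: the proxy only needs to read its binary and config and to
# talk to the network, so deny privilege escalation, give it a private /tmp
# and mount /usr, /boot and /etc read-only for it.
NoNewPrivileges=true
PrivateTmp=true
ProtectSystem=full

[Install]
WantedBy=multi-user.target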
Enable and start the service
# Make systemd pick up the new unit file.
sudo systemctl daemon-reload
# Register the service for boot and start it right away in a single call.
sudo systemctl enable --now oauth_proxy.service
Make a backup of the current Nginx configuration file at /etc/nginx/sites-available/*
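# The directory is sites-available (plural); with the misspelled path the cd
# fails and the commands that follow run in whatever directory you were in.
cd /etc/nginx/sites-available/
# Keep a copy next to the original so the site can be restored if the new
# configuration does not load.
sudo cp <configfilename> <configfilename>.backup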
Override the Nginx configuration with the following configuration
pwd # confirm you are working inside sites-available
# Removes the live site definition; make sure the .backup copy exists before
# running this.
sudo rm <configfilename>
# Recreate the file and paste the server block below into it.
sudo nano <configfilename>
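server {
    listen 80;
    listen [::]:80;
    server_name <(sub)domain>;

    # oauth2_proxy's own endpoints (sign-in page, OAuth callback, sign-out).
    location /oauth2/ {
        proxy_pass http://127.0.0.1:4180;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Scheme $scheme;
        proxy_set_header X-Auth-Request-Redirect $request_uri;
    }

    # Endpoint used by the auth_request subrequests below. Nginx does not send
    # the request body on those subrequests, so drop it and clear
    # Content-Length; otherwise requests that carry a body can stall or fail
    # the authentication check.
    location = /oauth2/auth {
        proxy_pass http://127.0.0.1:4180;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Scheme $scheme;
        proxy_set_header Content-Length "";
        proxy_pass_request_body off;
    }

    location / {
        # Every request must pass the oauth2_proxy check; a 401 from it sends
        # the visitor to the sign-in page.
        auth_request /oauth2/auth;
        error_page 401 = /oauth2/sign_in;

        # pass information via X-User and X-Email headers to backend
        # requires running with --set-xauthrequest flag
        # (or set_xauthrequest = true in oauth2_proxy.cfg)
        auth_request_set $user $upstream_http_x_auth_request_user;
        auth_request_set $email $upstream_http_x_auth_request_email;
        # proxy_set_header replaces any X-User / X-Email sent by the client, so
        # the backend only sees the identity taken from the auth response.
        proxy_set_header X-User $user;
        proxy_set_header X-Email $email;

        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass_header Server;
        proxy_connect_timeout 3s;
        proxy_read_timeout 10s;

        # if you enabled --cookie-refresh, this is needed for it to work with auth_request
        auth_request_set $auth_cookie $upstream_http_set_cookie;
        add_header Set-Cookie $auth_cookie;

        # The backend trusts whatever arrives on this port, including the
        # X-User / X-Email headers: bind it to 127.0.0.1 only (or firewall the
        # port) so it cannot be reached without going through this check.
        proxy_pass http://127.0.0.1:8080;
    }

    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/<(sub)domain>/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/<(sub)domain>/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;

    # Redirect plain-HTTP requests to HTTPS so the sign-in flow and the
    # session cookie never travel unencrypted.
    if ($scheme != "https") {
        return 301 https://$host$request_uri;
    }
}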
Important Notes
- Adjust the Nginx configuration parameters to suit your server and web application.
- Ensure the domain you are using is part of the callback domains list in your GSuite OAUTH application
Reload Nginx.
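# Validate the edited configuration first; reload only if the syntax check
# passes, so a typo cannot take the site down.
sudo nginx -t && sudo systemctl reload nginx.service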
Browse to your website address
Use your browser of choice to navigate to the website URL, you should be greeted by the following screen: