-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy pathdocker-compose.proxy.yml
More file actions
80 lines (72 loc) · 3.03 KB
/
Copy pathdocker-compose.proxy.yml
File metadata and controls
80 lines (72 loc) · 3.03 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
# closegate — reverse-proxy auth overlay.
#
# Adds oauth2-proxy in front of the web + agent services so the
# `HeaderTrustBackend` can read an authenticated-user header rather
# than relying on closegate's native OIDC. Useful when:
#
# - Your IdP only speaks SAML 2.0
# - You want device-posture / IP / country policies on top of SSO
# - You already operate oauth2-proxy / Pomerium / Caddy with an
# OIDC plugin for other internal apps
#
# Usage:
# docker compose -f docker-compose.yml -f docker-compose.proxy.yml up
#
# See documentation/integrations/sso-saml-via-oauth2-proxy.md for the
# full SAML-via-Keycloak wiring. This overlay is the docker piece —
# the IdP + Keycloak config lives in their own configs / dashboards.
name: closegate
services:
# Override the agent + web port mappings so they're only reachable
# via oauth2-proxy. Keep the engine bound to localhost (debug only).
agent:
ports: !reset [] # drop the 8000:8000 mapping from the base file
expose:
- "8000"
web:
ports: !reset [] # drop the 5173:5173 mapping
expose:
- "5173"
oauth2-proxy:
image: quay.io/oauth2-proxy/oauth2-proxy:latest
container_name: closegate-oauth2-proxy
restart: unless-stopped
depends_on:
web:
condition: service_healthy
agent:
condition: service_healthy
ports:
- "4180:4180"
environment:
# Generic OIDC. For SAML, terminate SAML at Keycloak / dex /
# Pomerium first and point oauth2-proxy at the translator's OIDC.
OAUTH2_PROXY_PROVIDER: oidc
OAUTH2_PROXY_OIDC_ISSUER_URL: ${OAUTH2_PROXY_OIDC_ISSUER_URL}
OAUTH2_PROXY_CLIENT_ID: ${OAUTH2_PROXY_CLIENT_ID}
OAUTH2_PROXY_CLIENT_SECRET: ${OAUTH2_PROXY_CLIENT_SECRET}
OAUTH2_PROXY_REDIRECT_URL: ${OAUTH2_PROXY_REDIRECT_URL}
# 32-byte base64 cookie secret. Generate:
# openssl rand -base64 32 | tr -d '\n'
OAUTH2_PROXY_COOKIE_SECRET: ${OAUTH2_PROXY_COOKIE_SECRET}
# Bind to all interfaces inside the container; expose 4180 outward.
OAUTH2_PROXY_HTTP_ADDRESS: 0.0.0.0:4180
# Route /api/* to the agent; everything else to the web container.
# oauth2-proxy uses the URL fragment under :4180 to pick the upstream.
# See "upstream routing" docs for the multi-upstream pattern.
OAUTH2_PROXY_UPSTREAMS: "http://web:5173/, http://agent:8000/api/"
# Inject the authenticated user's email as a header for closegate.
OAUTH2_PROXY_SET_XAUTHREQUEST: "true"
OAUTH2_PROXY_PASS_USER_HEADERS: "true"
OAUTH2_PROXY_PASS_ACCESS_TOKEN: "false"
# Restrict logins to your Workspace / tenant domain.
OAUTH2_PROXY_EMAIL_DOMAINS: "${OAUTH2_PROXY_EMAIL_DOMAINS:-*}"
# Allow only authenticated requests through; refuse unauth requests.
OAUTH2_PROXY_SKIP_PROVIDER_BUTTON: "true"
OAUTH2_PROXY_REVERSE_PROXY: "true"
healthcheck:
test: ["CMD", "wget", "--quiet", "--tries=1", "--spider", "http://127.0.0.1:4180/ping"]
interval: 10s
timeout: 3s
start_period: 15s
retries: 5