eorea · eorea · Sep 12, 2025 · Sep 12, 2025
diff --git a/docker-compose.oauth2.yml b/docker-compose.oauth2.yml
@@ -0,0 +1,67 @@
+services:
+  ingress_public:
+    volumes:
+      - ${PROJECT_PATH}/nginx_proxy_volumes/conf/oauth2_proxy.conf:/etc/nginx/oauth2_proxy.conf:ro
+      - ${PROJECT_PATH}/nginx_proxy_volumes/vhost.d/public-oauth:/etc/nginx/vhost.d:ro
+
+  docker_gen_public:
+    volumes:
+      - ${PROJECT_PATH}/nginx_proxy_volumes/vhost.d/public-oauth:/etc/nginx/vhost.d:ro
+
+  your_1st_app:
+    depends_on:
+      - oauth2_proxy
+
+  your_2nd_app:
+    depends_on:
+      - oauth2_proxy
+
+  your_3rd_app:
+    depends_on:
+      - oauth2_proxy
+
+  idp_mock:
+    container_name: idp_mock
+    image: dexidp/dex:${IDP_MOCK_IMAGE_TAG:-latest}
+    command: ["dex", "serve", "/etc/dex/config.yaml"]
+    restart: 'always'
+    networks:
+      - private
+    ports:
+      - "5556:5556"
+    volumes:
+      - ${PROJECT_PATH}/nginx_proxy_volumes/dexidp/config.yaml:/etc/dex/config.yaml
+
+  oauth2_proxy:
+    hostname: oauth2-proxy
+    container_name: oauth2_proxy
+    image: voucher/vouch-proxy:${OAUTH2_PROXY_IMAGE_TAG:-alpine}
+    restart: 'unless-stopped'
+    depends_on:
+      - acme_companion
+      - idp_mock
+    networks:
+      - private
+    ports:
+      - target: ${OAUTH2_PROXY_PORT}
+        protocol: tcp
+    volumes:
+      - type: bind
+        source: ${PROJECT_PATH}/nginx_proxy_volumes/vouch
+        target: /config
+    labels:
+      - ${NGINX_PROXY_PUBLIC_INSTANCE_LABEL}=true
+    environment:
+      - VIRTUAL_HOST=${OAUTH2_PROXY_HOSTNAME}.${DOMAIN}
+      - VIRTUAL_PORT=${OAUTH2_PROXY_PORT}
+      - LETSENCRYPT_HOST=${OAUTH2_PROXY_HOSTNAME}.${DOMAIN}
+      - LETSENCRYPT_EMAIL=${ACME_EMAIL}
+      # - VOUCH_DOMAINS='your-1st-app.example.com,oauth2-proxy'
+      # - VOUCH_WHITELIST='user1,user2'
+      # - OAUTH_PROVIDER=oidc
+      # - OAUTH_CLIENT_ID=${OAUTH_CLIENT_ID}
+      # - OAUTH_CLIENT_SECRET=${OAUTH_CLIENT_SECRET}
+      # - OAUTH_SCOPES=${OAUTH_SCOPES}
+      # - OAUTH_AUTH_URL=https://idp.com/api/oauth2/authorize
+      # - OAUTH_TOKEN_URL=https://idp.com/api/oauth2/token
+      # - OAUTH_CALLBACK_URL=https://${OAUTH2_PROXY_HOSTNAME}.${DOMAIN}/auth
diff --git a/dotenv.sample b/dotenv.sample
@@ -1,4 +1,5 @@
 PROJECT_PATH=/your/project/path
+DOMAIN=example.com
 # Nginx Proxy
 [email protected]
 NGINX_PROXY_PUBLIC_INSTANCE_LABEL=com.github.nginx-proxy.instance.public
@@ -10,8 +11,16 @@ PUBLIC_PORT_HTTPS=9443
 PRIVATE_NGINX_CONTAINER_LABEL=com.github.nginx-proxy.nginx-proxy.public
 PRIVATE_PORT_HTTP=80
 PRIVATE_PORT_HTTPS=443
+# Oauth2 Proxy
+OAUTH2_PROXY_HOSTNAME=login
+OAUTH2_PROXY_PORT=9090
+OAUTH_CLIENT_ID=<CLIENT_ID>
+OAUTH_CLIENT_SECRET=<CLIENT_SECRET>
+OAUTH_SCOPES="identity,email"
 # Images tags
 NGINX_IMAGE_TAG=1.29
 DOCKER_GEN_IMAGE_TAG=0.15
 ACME_COMPANION_IMAGE_TAG=2.6
 SIGNAL_PROPAGATOR_IMAGE_TAG=1.0
+OAUTH2_PROXY_IMAGE_TAG=alpine-0.27.1
+IDP_MOCK_IMAGE_TAG=v2.44.0
diff --git a/nginx_proxy_volumes/conf/oauth2_proxy.conf b/nginx_proxy_volumes/conf/oauth2_proxy.conf
@@ -0,0 +1,47 @@
+# Any request to this server will first be sent to this URL
+auth_request /validate;
+
+auth_request_set $auth_user $upstream_http_x_vouch_user;
+
+location = /validate {
+	# forward the /validate request to Vouch Proxy
+    proxy_pass http://oauth2_proxy:9090/validate;
+
+	# be sure to pass the original host header
+    proxy_set_header Host $http_host;
+
+	# Vouch Proxy only acts on the request headers
+	proxy_pass_request_body off;
+	proxy_set_header Content-Length "";
+
+    proxy_set_header X-Real-IP $remote_addr;
+    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+    proxy_set_header X-Forwarded-Proto $scheme;
+
+	# optionally add X-Vouch-User as returned by Vouch Proxy along with the request
+	auth_request_set $auth_resp_x_vouch_user $upstream_http_x_vouch_user;
+	auth_request_set $auth_resp_x_vouch_idp_claims_email $upstream_http_x_vouch_idp_claims_email;
+	auth_request_set $auth_resp_x_vouch_idp_claims_discriminator $upstream_http_x_vouch_idp_claims_discriminator;
+	auth_request_set $auth_resp_x_vouch_idp_claims_id $upstream_http_x_vouch_idp_claims_id;
+	auth_request_set $auth_resp_x_vouch_idp_claims_guilds $upstream_http_x_vouch_idp_claims_guilds;
+	auth_request_set $auth_resp_x_vouch_idp_idtoken $upstream_http_x_vouch_idp_idtoken;
+
+	# these return values are used by the @error401 call
+    auth_request_set $auth_resp_jwt $upstream_http_x_vouch_jwt;
+    auth_request_set $auth_resp_err $upstream_http_x_vouch_err;
+    auth_request_set $auth_resp_failcount $upstream_http_x_vouch_failcount;
+}
+
+# if validate returns `401 not authorized` then forward the request to the error401block
+error_page 401 = @error401;
+
+# If the user is not logged in, redirect them to Vouch's login URL
+location @error401 {
+    return 302 https://login.example.net/login?url=$scheme://$http_host$request_uri&vouch-failcount=$auth_resp_failcount&X-Vouch-Token=$auth_resp_jwt&error=$auth_resp_err;
+}
+
+proxy_set_header Remote-User $auth_user;
+
+proxy_http_version 1.1;
+proxy_set_header Upgrade $http_upgrade;
+proxy_set_header Connection "upgrade";
diff --git a/nginx_proxy_volumes/dexidp/config.yaml b/nginx_proxy_volumes/dexidp/config.yaml
@@ -0,0 +1 @@
+# config.yaml
diff --git a/nginx_proxy_volumes/vhost.d/public-oauth/default b/nginx_proxy_volumes/vhost.d/public-oauth/default
@@ -0,0 +1 @@
+# This file will be included in all vhost section
diff --git a/nginx_proxy_volumes/vhost.d/public-oauth/your-1st-app.example.com b/nginx_proxy_volumes/vhost.d/public-oauth/your-1st-app.example.com
@@ -0,0 +1,2 @@
+# Include OAuth2 Proxy config file
+include /etc/nginx/oauth2_proxy.conf;
diff --git a/nginx_proxy_volumes/vhost.d/public-oauth/your-1st-app.example.com_location_override b/nginx_proxy_volumes/vhost.d/public-oauth/your-1st-app.example.com_location_override
@@ -0,0 +1,5 @@
+# This file will be included into your-app.example.com vhost section, no '/' location block will be autogenerated
+
+location / {
+    return 403;
+}
diff --git a/nginx_proxy_volumes/vhost.d/public-oauth/your-2nd-app.example.com_location b/nginx_proxy_volumes/vhost.d/public-oauth/your-2nd-app.example.com_location
@@ -0,0 +1,11 @@
+# This file will be included in the body of the '/' location of your-2nd-app.example.com vhost
+
+# rdns_allow host.docker.internal;
+# rdns_allow gateway.docker.internal;
+
+# Only allow traffic from internal clients
+allow 127.0.0.0/8;
+allow 10.0.0.0/8;
+allow 192.168.0.0/16;
+allow 172.16.0.0/12;
+deny all;
diff --git a/nginx_proxy_volumes/vouch/config.yml b/nginx_proxy_volumes/vouch/config.yml
@@ -0,0 +1,37 @@
+vouch:
+  allowAllUsers: false
+  domains:
+    - your-1st-app.example.com
+    - oauth2-proxy
+  loglevel: debug
+  #  testing: true
+
+  jwt:
+    secret: <JWT_SECRET>
+
+  headers:
+    claims:
+      - id
+      - email
+    idtoken: X-Vouch-IdP-IdToken
+
+  cookie:
+    domain: example.com
+
+  whitelist:
+    - user1
+    - user2
+
+oauth:
+  provider: oidc
+  client_id: <CLIENT_ID>
+  client_secret: <CLIENT_SECRET>
+  auth_url: https://ipd.com/api/oauth2/authorize
+  token_url: https://idp.com/api/oauth2/token
+
+  scopes:
+    - identify
+    - email
+
+  # Set the callback URL to the domain that Vouch is running on
+  callback_url: https://login.example.com/auth
diff --git a/nginx_proxy_volumes/vouch/secret b/nginx_proxy_volumes/vouch/secret
@@ -0,0 +1 @@
+<SECRET>
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1 @@
		# This file will be included in all vhost section
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1,2 @@
		# Include OAuth2 Proxy config file
		include /etc/nginx/oauth2_proxy.conf;