"Cascaded" NGINX server and OAuth2 proxy: How to?

Situation:

My servers in my home network are only accessible via IPv6 (my provider only offers this option).

I’ve set up a dynDNS service (IPv64) to access my server via

servername.domain.ipv64.de

To limit the access I would like to set up the oauth2-proxy with Google.

First tests worked well and I need to authenticate via Google.

To access my server via IPv4 I’ve set up a vServer at a hoster with another domain and IPv4 access:

servername.domain.de

On both servers, nginx is running as a reverse proxy.

On the vServer it forwards servername.domain.de to servername.domain.ipv64.de.

On my home server, nginx forwards servername.domain.ipv64.de to the internal server, like 192.168.0.34.

Without oauth it works well.

Now I tried different options to set up the oauth2 authentication, but I always end in a Google authentication loop.

In Google I’ve set up two clients with different callback URLs

server.domain.de/oauth2/callback

server.domain.ipv64de/oauth2/callback

I configured nginx on domain.de to use the domain.de/oauth/callback client and nginx on domain.ipv64.de to use the domain.ipv64.de/oauth/callback

Question:

Is it in general possible to configure such a situation? If yes: How?

Hey @Merlin123! Your use case should be totally doable. I would recommend checking this blog post from a couple years ago: "Validating OAuth 2.0 Access Tokens with NGINX and NGINX Plus".

Thanks for the link, will check it and see if it helps.

Hmmm... played around but it’s still not working.

On the ipv64.de domain it’s working, but with the forward from the second nginx with the de domain, no chance. I tried to set it up so that the first nginx handles both domains (two entries in the config) and tried having the second nginx handle the authentication, but I’m getting a loop or it’s not working.
The setup with both nginx looks like this:

The ipv64.de nginx only calls the oauth-proxy when accessed via server.ipv64.de; server.de is handled without oauth.
The .de nginx should handle the authentication and then hands over to the ipv64.de nginx.
But the authentication on the .de nginx is not working. The callback URL is set to the .de nginx.

Unfortunately some of my internal apps don’t have a login screen, so I need to protect them somewhere else. Any idea is welcome.

I would assume there might be something wrong with how NGINX is talking to the OAuth server. Sadly, I have never had to set up OAuth on my end so I don’t really have the skill set to help out too much beyond knowing that it is possible to accomplish.

Insofar as other auth methods go when you don’t have a login screen, NGINX Open Source only supports a limited range of authentication methods. You could maybe try using basic auth? If you want to use more advanced authentication methods you would have to upgrade to NGINX Plus. (P.S.: If you have other auth questions, please open a new topic!)
