OAuth2-proxy config for "forwarded" domain: How to?

(Asked this question a few days ago as a general “could this work” question. Now I try it with a more precise description)

My first Nginx proxy is “forwarding” several subdomains for the domain wizards-tower.de to wizards-tower.ipv64.de, where a second nginx handles the ipv64.de subdomains and routes them to my internal server.

(wizards-tower.de accepts only IPv4 connections and forwards them to wizards-tower.ipv64.de, which only accepts IPv6 connections because my internet provider doesn’t offer IPv4)

I’m trying to secure some domains via oauth2-proxy with Google and have some issues

One of my subdomains:

evcc.wizards-tower.de -> evcc.wizards-tower.ipv64.de

Configuration of the wizards-tower.de nginx:

server {
    listen 443 ssl;
    server_name evcc.wizards-tower.de;

    ssl_certificate /etc/letsencrypt/live/evcc.wizards-tower.de/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/evcc.wizards-tower.de/privkey.pem;

    location / {
        proxy_pass https://evcc.wizards-tower.ipv64.de;

        proxy_http_version 1.1;
        proxy_set_header Host evcc.wizards-tower.de;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        proxy_redirect off;
    }
}

When I open evcc.wizards-tower.de the access log looks like this on the first nginx

94.31.117.239 - - [16/Aug/2025:09:05:10 +0000] "GET / HTTP/1.1" 302 377 "-" "Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/139.0.0.0 Mobile Safari/537.36" "-"

The log of the second (wizards-tower.ipv64.de) nginx looks like this:

2a01:239:3a2:c400::1 - - [16/Aug/2025:11:08:22 +0200] "GET / HTTP/1.1" 302 377 "-" "Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/139.0.0.0 Mobile Safari/537.36" "94.31.117.239" "evcc.wizards-tower.de" sn="evcc.wizards-tower.ipv64.de" rt=0.016 ua="127.0.0.1:4186" us="302" ut="0.001" ul="377" cs=-

I tried several configurations to set up oauth2-proxy with Google as Identity Provider.

It handles evcc.wizards-tower.ipv64.de without issues, but evcc.wizards-tower.de causes problems. Depending on the configuration I get loops (Google asks in a loop which account I want to use) or an error 400: redirect_uri_mismatch.

Tried one server block which listens on both domains, tried two server blocks (one for each domain) with two google authentication clients etc.

Question:

Which setup for the evcc.wizards-tower.de url on my second nginx works?

Or: Should I set up an oauth2-proxy on my first nginx to handle the authentication? (tried this and configured the ipv64.de nginx to forward the traffic coming from the .de domain without authentication, but this didn’t work with my configs)
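The two symptoms described in the question can be checked offline. The sketch below is an added example, not part of the original post and not oauth2-proxy code: it reads the hostnames from the second nginx's log line and tests whether the callback URI matches a registered one and whether the login cookies would reach the callback host. Assumptions: the quoted field before `sn=` is the Host header, the callback is built from that Host when no fixed redirect URL is set, and the set of registered URIs is hypothetical.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: the second nginx's log line from the post, user agent shortened.
# The two quoted fields before sn= are assumed to be X-Forwarded-For and the Host header.
LOG_LINE = ('2a01:239:3a2:c400::1 - - [16/Aug/2025:11:08:22 +0200] "GET / HTTP/1.1" '
            '302 377 "-" "Mozilla/5.0" "94.31.117.239" "evcc.wizards-tower.de" '
            'sn="evcc.wizards-tower.ipv64.de" rt=0.016 ua="127.0.0.1:4186" us="302"')
CALLBACK_PATH = "/oauth2/callback"  # oauth2-proxy's default callback path


def hosts_from_log(line):
    """Return (Host header received, server_name that handled the request)."""
    m = re.search(r'"([^"]*)" sn="([^"]*)"', line)
    if not m:
        raise ValueError("unexpected log format")
    return m.group(1), m.group(2)


def derived_redirect_uri(host):
    """Assumption: with no fixed redirect URL, the callback is built from the Host seen."""
    return f"https://{host}{CALLBACK_PATH}"


def cookie_sent_to(host, set_on_host, cookie_domain=None):
    """Browser scoping: a host-only cookie needs the same host; Domain= covers subdomains."""
    if cookie_domain is None:
        return host == set_on_host
    d = cookie_domain.lstrip(".")
    covers = lambda h: h == d or h.endswith("." + d)
    return covers(set_on_host) and covers(host)  # Domain= set from outside it is rejected


def diagnose(browser_host, redirect_uri, registered_uris, cookie_domain=None):
    """Check the two conditions a login started on browser_host has to meet."""
    if redirect_uri not in registered_uris:  # Google compares the string exactly
        return "redirect_uri_mismatch"
    callback_host = urlsplit(redirect_uri).hostname
    if not cookie_sent_to(callback_host, browser_host, cookie_domain):
        return "cookie_host_mismatch"  # cookies from the login start never reach the callback
    return "ok"


if __name__ == "__main__":
    host, sn = hosts_from_log(LOG_LINE)
    registered = {derived_redirect_uri(sn)}  # hypothetical: only the ipv64.de URI registered
    print(diagnose(host, derived_redirect_uri(host), registered))
    print(diagnose(host, derived_redirect_uri(sn), registered))
```

Because wizards-tower.de and wizards-tower.ipv64.de share no parent domain, no cookie domain value covers both hosts, so the check only returns "ok" when the browser-facing host and the callback host are the same and that exact URI is registered.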

Hey @Merlin123!

I am not entirely sure if you were trying to use the OAuth2-proxy in your previous topic, but at any rate, we do not develop that project and there is little help we can offer with getting it up and running. I would suggest opening a new issue or discussion in their repo or digging through their preexisting issues and discussions – a quick search shows some potential solutions. Alternatively, you can always try to implement OAuth2 per our guidelines following our docs.

I know that you don’t support oauth2-proxy, but maybe someone in this forum had this issue before and could give a hint.

I opened a question in the oauth2 GitHub, too, but didn’t get an answer until now


I know that you don’t support oauth2-proxy, but maybe someone in this forum had this issue before and could give a hint.

Sounds good! Hopefully someone else can provide some insight and/or suggestions!
