thor/wg-ui
1
0
Fork 0
mirror of https://github.com/Threnklyn/wg-ui.git synced 2026-06-03 20:28:28 +02:00
Code Issues Packages Projects Releases Wiki Activity
Files
2355d332609fe64b4bb256e9c59c6b1bbd012a17
wg-ui/doc/auth-google-sso.md
T
Markus Viitamäki 79d245f9c7 Google SSO documentation (#79) 
Documentation on a solution for Google SSO.
This solution is in production for Embark Studios, and therefor validated working.
2020-07-14 14:48:45 +02:00

132 lines
3.7 KiB
Markdown
Raw Blame History

# Google SSO Implementation
This is a short documentation on how you can setup wg-ui and Google OAuth.
There are a few different projects on GitHub related to SSO and OAuth2, the most popular just now is [oauth2-proxy/oauth2-proxy](https://github.com/oauth2-proxy/oauth2-proxy) but we at Embark Studios opted to use [buzzfeed/sso](https://github.com/buzzfeed/sso). This was done before the growth of oauth2-proxy.
## SSO Proxy & Auth
When setting up [buzzfeed/sso](https://github.com/buzzfeed/sso) we followed the quickstart documentation provided by the project found [here](https://github.com/buzzfeed/sso/blob/master/docs/quickstart.md).
In our setup we use the binaries provided by releases, and not a docker based solution.
## Systemd
Below is two simple services to keep both `sso-auth` and `sso-proxy` running.
As you can notice we use environment files instead of parameters for the binaries.
```
[Unit]
Description=sso-auth
After=network.target
[Service]
Type=simple
Restart=always
EnvironmentFile=/path/to/sso-auth.env
ExecStart=/path/to/sso-auth
[Install]
WantedBy=multi-user.target
```
```
SESSION_COOKIE_SECURE=true
SESSION_COOKIE_HTTPONLY=true
SESSION_COOKIE_DOMAIN=.domain.com
SESSION_KEY=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
SESSION_COOKIE_SECRET=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
CLIENT_PROXY_ID=<shared with proxy's environment file>
CLIENT_PROXY_SECRET=<shared with proxy's environment file>
SERVER_SCHEME=https
SERVER_HOST=sso.domain.com
SERVER_PORT=8000
AUTHORIZE_EMAIL_DOMAINS=domain.com
AUTHORIZE_PROXY_DOMAINS=domain.com
PROVIDER_DOMAIN_CLIENT_ID=123456789000-XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX.apps.googleusercontent.com
PROVIDER_DOMAIN_CLIENT_SECRET=XXXXXXXXXXXXXXXXXXXXXXXX
PROVIDER_DOMAIN_TYPE=google
PROVIDER_DOMAIN_SLUG=google
VIRTUAL_HOST=sso.domain.com
CLUSTER=sso
STATSD_HOST=127.0.0.1
STATSD_PORT=8125
```
```
[Unit]
Description=sso-proxy
After=network.target
[Service]
Type=simple
Restart=always
EnvironmentFile=/path/to/sso-proxy.env
ExecStart=/path/to/sso-proxy
[Install]
WantedBy=multi-user.target
```
```
DEFAULT_ALLOWED_EMAIL_DOMAINS=domain.com
UPSTREAM_CONFIGS=/path/to/upstream_configs.yaml
PROVIDER_URL=https://sso.domain.com
PROVIDER_URL_INTERNAL=http://localhost:8000
CLIENT_ID=<shared with auth's environment file>
CLIENT_SECRET=<shared with auth's environment file>
COOKIE_SECRET=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
COOKIE_SECURE=true
VIRTUAL_HOST=*.domain.com
CLUSTER=sso
STATSD_HOST=127.0.0.1
STATSD_PORT=8125
```
You will also need a yaml file which defines backend service (wg-ui) which is defined in sso-proxy.env as `UPSTREAM_CONFIGS`
```
- service: wg-ui
default:
from: vpn.domain.com
to: http://localhost:8080/
```
## nginx
We use nginx for all HTTP(S) to endusers, below you can find an example for configuration.
```
server {
listen 443 http2;
listen [::]:443 http2;
server_name vpn.domain.com;
ssl on;
ssl_certificate /path/to/domain.com.bundle.crt;
ssl_certificate_key /path/to/domain.com.key;
location / {
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-Proto https;
proxy_pass http://localhost:4180;
}
}
server {
listen 443 http2;
listen [::]:443 http2;
server_name sso.domain.com;
ssl on;
ssl_certificate /path/to/domain.com.bundle.crt;
ssl_certificate_key /path/to/domain.com.key;
location / {
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-Proto https;
proxy_pass http://localhost:8000;
}
}
```
Reference in New Issue View Git Blame Copy Permalink