wg-ui/doc/auth-google-sso.md
Markus Viitamäki 79d245f9c7 Google SSO documentation (#79)
Documentation on a solution for Google SSO.
This solution is in production for Embark Studios, and therefore validated working.
2020-07-14 14:48:45 +02:00


Google SSO Implementation

This is short documentation on how to set up wg-ui behind Google OAuth.

There are a few different projects on GitHub related to SSO and OAuth2. The most popular at the moment is oauth2-proxy/oauth2-proxy, but we at Embark Studios opted for buzzfeed/sso; that choice was made before oauth2-proxy's growth.

SSO Proxy & Auth

When setting up buzzfeed/sso we followed the quickstart documentation provided by the project, found here.
In our setup we use the binaries from the project's releases rather than a Docker-based solution.

Systemd

Below are two simple services that keep sso-auth and sso-proxy running. As you can see, we use environment files instead of command-line parameters for the binaries.

```ini
[Unit]
Description=sso-auth
After=network.target

[Service]
Type=simple
Restart=always
EnvironmentFile=/path/to/sso-auth.env
ExecStart=/path/to/sso-auth

[Install]
WantedBy=multi-user.target
```

The matching environment file, `/path/to/sso-auth.env`:

```env
SESSION_COOKIE_SECURE=true
SESSION_COOKIE_HTTPONLY=true
# leading dot: the session cookie is valid for every subdomain, including vpn.domain.com
SESSION_COOKIE_DOMAIN=.domain.com
# random secrets (for example from `openssl rand -base64 32`); use a different value for each key
SESSION_KEY=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
SESSION_COOKIE_SECRET=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
# must equal CLIENT_ID / CLIENT_SECRET in sso-proxy.env
CLIENT_PROXY_ID=<shared with proxy's environment file>
CLIENT_PROXY_SECRET=<shared with proxy's environment file>
SERVER_SCHEME=https
SERVER_HOST=sso.domain.com
SERVER_PORT=8000
# only accounts from this Google Workspace domain may sign in
AUTHORIZE_EMAIL_DOMAINS=domain.com
AUTHORIZE_PROXY_DOMAINS=domain.com
# OAuth client from the Google Cloud console
PROVIDER_DOMAIN_CLIENT_ID=123456789000-XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX.apps.googleusercontent.com
PROVIDER_DOMAIN_CLIENT_SECRET=XXXXXXXXXXXXXXXXXXXXXXXX
PROVIDER_DOMAIN_TYPE=google
PROVIDER_DOMAIN_SLUG=google
VIRTUAL_HOST=sso.domain.com
CLUSTER=sso
STATSD_HOST=127.0.0.1
STATSD_PORT=8125
```
```ini
[Unit]
Description=sso-proxy
After=network.target

[Service]
Type=simple
Restart=always
EnvironmentFile=/path/to/sso-proxy.env
ExecStart=/path/to/sso-proxy

[Install]
WantedBy=multi-user.target
```

The matching environment file, `/path/to/sso-proxy.env`:

```env
DEFAULT_ALLOWED_EMAIL_DOMAINS=domain.com
UPSTREAM_CONFIGS=/path/to/upstream_configs.yaml
# public URL of sso-auth (used for browser redirects) and the internal one (used server to server)
PROVIDER_URL=https://sso.domain.com
PROVIDER_URL_INTERNAL=http://localhost:8000
# must equal CLIENT_PROXY_ID / CLIENT_PROXY_SECRET in sso-auth.env
CLIENT_ID=<shared with auth's environment file>
CLIENT_SECRET=<shared with auth's environment file>
# random secret (for example from `openssl rand -base64 32`), distinct from the sso-auth secrets
COOKIE_SECRET=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
COOKIE_SECURE=true
VIRTUAL_HOST=*.domain.com
CLUSTER=sso
STATSD_HOST=127.0.0.1
STATSD_PORT=8125
```

You will also need a YAML file defining the backend service (wg-ui); its path is set in sso-proxy.env as UPSTREAM_CONFIGS.

```yaml
- service: wg-ui
  default:
    from: vpn.domain.com
    to: http://localhost:8080/
```
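The two environment files share credentials and must agree with each other, and the placeholders above are easy to leave in by mistake. The script below is an added example, not part of wg-ui or buzzfeed/sso: it checks that CLIENT_PROXY_ID/CLIENT_PROXY_SECRET on the auth side equal CLIENT_ID/CLIENT_SECRET on the proxy side, that no secret is still a placeholder, that both cookie-secure flags are on, and that PROVIDER_URL matches the origin sso-auth is configured to serve. The file names and all values written by `write_sample_envs` are constructed for the demonstration.

```sh
#!/bin/sh
# Added example (not part of wg-ui or buzzfeed/sso): sanity-check a
# sso-auth.env / sso-proxy.env pair before handing it to systemd.
# The sample values written by write_sample_envs are constructed.
set -eu

# Value of KEY in FILE; the last assignment wins, as with systemd EnvironmentFile.
env_get() {
  grep -E "^$2=" "$1" | tail -n 1 | cut -d= -f2-
}

# True when a value is empty or still one of the doc's placeholders (XXXX..., <...>).
is_placeholder() {
  case "$1" in
    ''|XXXX*|'<'*) return 0 ;;
    *) return 1 ;;
  esac
}

# Usage: check_sso_env sso-auth.env sso-proxy.env
# Prints one line per finding; exit status 0 only when everything is consistent.
check_sso_env() {
  auth="$1"; proxy="$2"; fail=0
  # sso-proxy signs in to sso-auth with the client credentials registered there,
  # so CLIENT_PROXY_* on the auth side must equal CLIENT_* on the proxy side.
  if [ "$(env_get "$auth" CLIENT_PROXY_ID)" != "$(env_get "$proxy" CLIENT_ID)" ]; then
    echo "CLIENT_PROXY_ID (auth) and CLIENT_ID (proxy) differ"; fail=1
  fi
  if [ "$(env_get "$auth" CLIENT_PROXY_SECRET)" != "$(env_get "$proxy" CLIENT_SECRET)" ]; then
    echo "CLIENT_PROXY_SECRET (auth) and CLIENT_SECRET (proxy) differ"; fail=1
  fi
  # No secret may be left unset or as a placeholder copied from the documentation.
  for key in SESSION_KEY SESSION_COOKIE_SECRET CLIENT_PROXY_SECRET PROVIDER_DOMAIN_CLIENT_SECRET; do
    if is_placeholder "$(env_get "$auth" "$key")"; then
      echo "$auth: $key is unset or a placeholder"; fail=1
    fi
  done
  for key in COOKIE_SECRET CLIENT_SECRET; do
    if is_placeholder "$(env_get "$proxy" "$key")"; then
      echo "$proxy: $key is unset or a placeholder"; fail=1
    fi
  done
  # Session cookies must only travel over TLS on both services.
  if [ "$(env_get "$auth" SESSION_COOKIE_SECURE)" != true ]; then
    echo "$auth: SESSION_COOKIE_SECURE must be true"; fail=1
  fi
  if [ "$(env_get "$proxy" COOKIE_SECURE)" != true ]; then
    echo "$proxy: COOKIE_SECURE must be true"; fail=1
  fi
  # The proxy's PROVIDER_URL must be the public origin sso-auth is configured to serve.
  want="$(env_get "$auth" SERVER_SCHEME)://$(env_get "$auth" SERVER_HOST)"
  if [ "$(env_get "$proxy" PROVIDER_URL)" != "$want" ]; then
    echo "$proxy: PROVIDER_URL should be $want"; fail=1
  fi
  return "$fail"
}

# Writes a constructed, consistent pair (sso-auth.env, sso-proxy.env) into directory $1.
write_sample_envs() {
  cat > "$1/sso-auth.env" <<'EOF'
SESSION_COOKIE_SECURE=true
SESSION_COOKIE_HTTPONLY=true
SESSION_COOKIE_DOMAIN=.domain.com
SESSION_KEY=c2FtcGxlLXNlc3Npb24ta2V5LW5vdC1mb3ItcHJvZA==
SESSION_COOKIE_SECRET=c2FtcGxlLWNvb2tpZS1zZWNyZXQtbm90LWZvci1wcm9k
CLIENT_PROXY_ID=wg-ui-proxy
CLIENT_PROXY_SECRET=c2FtcGxlLWNsaWVudC1zZWNyZXQtbm90LWZvci1wcm9k
SERVER_SCHEME=https
SERVER_HOST=sso.domain.com
SERVER_PORT=8000
PROVIDER_DOMAIN_CLIENT_SECRET=sample-google-client-secret
EOF
  cat > "$1/sso-proxy.env" <<'EOF'
PROVIDER_URL=https://sso.domain.com
CLIENT_ID=wg-ui-proxy
CLIENT_SECRET=c2FtcGxlLWNsaWVudC1zZWNyZXQtbm90LWZvci1wcm9k
COOKIE_SECRET=c2FtcGxlLXByb3h5LWNvb2tpZS1zZWNyZXQtbm90LWZvcg==
COOKIE_SECURE=true
EOF
}

# Stand-alone run: build the constructed pair in a temp dir and check it.
tmp=$(mktemp -d)
write_sample_envs "$tmp"
check_sso_env "$tmp/sso-auth.env" "$tmp/sso-proxy.env" && echo "ok: $tmp"
```

Run it against the real files with `check_sso_env /path/to/sso-auth.env /path/to/sso-proxy.env` from a shell that has sourced the functions; because `env_get` takes the last assignment, a stray duplicate key appended at the end of a file is caught the same way systemd would read it.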

nginx

We use nginx to terminate all HTTP(S) traffic from end users; below is an example configuration.

```nginx
# vpn.domain.com: public entry point for wg-ui, proxied through sso-proxy (port 4180)
server {
        # the ssl parameter on listen replaces the deprecated "ssl on;" directive
        listen 443 ssl http2;
        listen [::]:443 ssl http2;

        server_name vpn.domain.com;

        ssl_certificate /path/to/domain.com.bundle.crt;
        ssl_certificate_key /path/to/domain.com.key;

        location / {
                proxy_set_header Host $host;
                proxy_set_header X-Real-IP $remote_addr;
                # tell sso-proxy the client arrived over TLS so its redirects stay https
                proxy_set_header X-Forwarded-Proto https;
                proxy_pass http://localhost:4180;
        }
}

# sso.domain.com: the sso-auth service that handles the Google login
server {
        listen 443 ssl http2;
        listen [::]:443 ssl http2;

        server_name sso.domain.com;

        ssl_certificate /path/to/domain.com.bundle.crt;
        ssl_certificate_key /path/to/domain.com.key;

        location / {
                proxy_set_header Host $host;
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header X-Forwarded-Proto https;
                proxy_pass http://localhost:8000;
        }
}
```
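Both server blocks depend on the same three details: TLS is actually enabled on the listener, the legacy `ssl on;` form is not used, and `X-Forwarded-Proto https` reaches the upstream so sso-proxy and sso-auth build https redirect URLs. The script below is an added example, not part of wg-ui or nginx: an awk pass that reports, per server block, whichever of those is missing. It assumes the server blocks sit at the top level of the file (as in a sites-enabled snippet) rather than wrapped in an `http { }` block, and the configs written by `write_sample_nginx` are constructed for the demonstration.

```sh
#!/bin/sh
# Added example (not part of wg-ui or nginx): review each top-level server block of
# an nginx config for the TLS and forwarding settings the reverse-proxy setup relies on.
# Assumes server blocks are not nested inside http { }; sample configs are constructed.
set -eu

# Usage: review_nginx sites.conf
# One finding per line; exit 1 if any server block needs attention.
review_nginx() {
  awk '
    /^[[:space:]]*server[[:space:]]*[{]/ { name = "?"; tls = 0; legacy = 0; proto = 0 }
    /^[[:space:]]*server_name[[:space:]]/ { name = $2; sub(/;$/, "", name) }
    /^[[:space:]]*listen[[:space:]]/ && /[[:space:]]ssl[[:space:];]/ { tls = 1 }
    /^[[:space:]]*ssl[[:space:]]+on[[:space:]]*;/ { legacy = 1 }
    /proxy_set_header[[:space:]]+X-Forwarded-Proto[[:space:]]+https/ { proto = 1 }
    index($0, "{") { depth++ }
    index($0, "}") {
      depth--
      if (depth == 0) {   # closing brace of a server block: report on it
        if (!tls && !legacy) { print name ": listen has no ssl parameter, port 443 would speak plain HTTP"; bad = 1 }
        if (legacy) { print name ": deprecated \"ssl on;\", use the ssl parameter of listen instead"; bad = 1 }
        if (!proto) { print name ": X-Forwarded-Proto https is not set for the upstream"; bad = 1 }
      }
    }
    END { exit bad ? 1 : 0 }
  ' "$1"
}

# Writes legacy.conf (the shape of the original example) and fixed.conf into directory $1.
write_sample_nginx() {
  cat > "$1/legacy.conf" <<'EOF'
server {
        listen 443 http2;
        server_name vpn.domain.com;
        ssl on;
        location / {
                proxy_set_header X-Forwarded-Proto https;
                proxy_pass http://localhost:4180;
        }
}
EOF
  cat > "$1/fixed.conf" <<'EOF'
server {
        listen 443 ssl http2;
        listen [::]:443 ssl http2;
        server_name vpn.domain.com;
        location / {
                proxy_set_header Host $host;
                proxy_set_header X-Forwarded-Proto https;
                proxy_pass http://localhost:4180;
        }
}
server {
        listen 443 ssl http2;
        server_name sso.domain.com;
        location / {
                proxy_set_header X-Forwarded-Proto https;
                proxy_pass http://localhost:8000;
        }
}
EOF
}

# Stand-alone run: the legacy shape produces one finding, the fixed one none.
tmp=$(mktemp -d)
write_sample_nginx "$tmp"
review_nginx "$tmp/legacy.conf" || echo "legacy.conf needs changes (see above)"
review_nginx "$tmp/fixed.conf" && echo "fixed.conf: ok"
```

This is a review aid, not a replacement for `nginx -t`, which validates syntax but says nothing about whether a listener is missing `ssl` or a header is absent.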