-
Notifications
You must be signed in to change notification settings - Fork 326
/
config.yml_example
325 lines (275 loc) · 13.7 KB
/
config.yml_example
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
# Vouch Proxy configuration
# you should probably start with one of the other example configs in this directory
# Vouch Proxy does a fairly good job of setting its config to sane defaults
# be aware of the yaml indentation, the only top level elements are `vouch` and `oauth`.
# Vouch Proxy can also be configured using Environmental Variables. The associated env var for
# each configuration is shown such as VOUCH_LOGLEVEL.
vouch:
# logLevel: debug # VOUCH_LOGLEVEL
logLevel: info
# testing: false - VOUCH_TESTING
# force all 302 redirects to be rendered as a webpage with a link
# if you're having problems, turn on testing
testing: true
listen: 0.0.0.0 # VOUCH_LISTEN
port: 9090 # VOUCH_PORT
# Listen can specify a Unix domain socket instead.
# listen: unix:/path/to/socket # VOUCH_LISTEN
# Optionally set the mode of the Unix domain socket. The default if not specified is 0777.
# socket_mode: 0770 # VOUCH_SOCKETMODE
# Optionally set the group owner of the Unix domain socket.
# socket_group: users # VOUCH_SOCKETGROUP
# The default read, write and idle timeouts are 15 seconds.
# If you have a load balancer or proxy in front that has its
# own idle timeout, you may need to ensure that the Vouch idle
# timeout is longer than the proxy's, to avoid intermittent
# 502 errors.
# See https://github.com/vouch/vouch-proxy/issues/317 for more
# information.
writeTimeout: 15 # VOUCH_WRITETIMEOUT
readTimeout: 15 # VOUCH_READTIMEOUT
idleTimeout: 15 # VOUCH_IDLETIMEOUT
# document_root - VOUCH_DOCUMENT_ROOT
# see README for `Vouch Proxy "in a path"` - https://github.com/vouch/vouch-proxy#vouch-proxy-in-a-path
# document_root: vp_in_a_path
# domains - VOUCH_DOMAINS
# each of these domains must serve the url https://vouch.$domains[0] https://vouch.$domains[1] ...
# so that the cookie which stores the JWT can be set in the relevant domain
# you usually *don't* want to list every individual website that will be protected
# if you have siteA.internal.yourdomain.com and siteB.internal.yourdomain.com
# then your domains should be set as yourdomain.com or perhaps internal.yourdomain.com
# usually you'll just have one.
# Comment `domains:` out if you set allowAllUser:true
domains:
- yourdomain.com
- yourotherdomain.com
# Set allowAllUsers: true to use Vouch Proxy to just accept anyone who can authenticate at the configured provider - VOUCH_ALLOWALLUSERS
# allowAllUsers: false
# vouch.cookie.domain must be set below when enabling allowAllUsers
# Setting publicAccess: true will accept all requests, even without a valid jwt/cookie. - VOUCH_PUBLICACCESS
# If the user is logged in, the cookie will be validated and the user header will be set.
# You will need to direct people to the Vouch Proxy login page from your application.
# publicAccess: false
# whiteList (optional) allows only the listed usernames - VOUCH_WHITELIST
# usernames are usually email addresses (google, most oidc providers) or login/username for github and github enterprise
whiteList:
# teamWhitelist - VOUCH_TEAMWHITELIST
# only used for github orgs/teams
# teamWhitelist:
# - vouch
# - myOrg
# - myOrg/myTeam
tls:
# cert: /path/to/signed_cert_plus_intermediates # VOUCH_TLS_CERT
# key: /path/to/private_key # VOUCH_TLS_KEY
# profile - defines the TLS configuration profile (modern, intermediate, old, default)
profile: intermediate # VOUCH_TLS_PROFILE
jwt:
# signing_method: the algorithm used to sign the JWT. # VOUCH_JWT_SIGNING_METHOD
# Can be one of HS256, HS384, HS512, RS256, RS384, RS512, ES256, ES384, ES512
# Default is HS256 (HMAC) - and requires jwt.secret to be set
# Both RS* (RSA) and ES* (ECDSA) methods require jwt.private_key_file and
# jwt.public_key_file to be set.
# signing_method: HS256
# secret - VOUCH_JWT_SECRET
# a random string used to cryptographically sign the jwt when signing_method is set to HS256, HS384 or HS512
# Vouch Proxy complains if the string is less than 44 characters (256 bits as 32 base64 bytes)
# if the secret is not set here then Vouch Proxy will..
# - look for the secret in `./config/secret`
# - if `./config/secret` doesn't exist then randomly generate a secret and store it there
# in order to run multiple instances of vouch on multiple servers (perhaps purely for validating the jwt),
# you'll want them all to have the same secret
secret: your_random_string
# Path to the public/private key files when using an RSA or ECDSA signing method.
# public_key_file: # VOUCH_JWT_PUBLIC_KEY_FILE
# private_key_file: # VOUCH_JWT_PRIVATE_KEY_FILE
# issuer: Vouch # VOUCH_JWT_ISSUER
# number of minutes until jwt expires - VOUCH_JWT_MAXAGE
maxAge: 240
# compress the jwt - VOUCH_JWT_COMPRESS
compress: true
cookie:
# name of cookie to store the jwt - VOUCH_COOKIE_NAME
name: VouchCookie
# optionally force the domain of the cookie to set
# domain: yourdomain.com # VOUCH_COOKIE_DOMAIN
# Set `secure: false` when protecting a non-https site such as http://app.yourdmain.com - VOUCH_COOKIE_SECURE
secure: true
# httpOnly: true # VOUCH_COOKIE_HTTPONLY
# Number of minutes until session cookie expires - VOUCH_COOKIE_MAXAGE
# Set cookie maxAge to 0 to delete the cookie every time the browser is closed.
# Must not be longer than jwt.maxAge
maxAge: 240
# Set SameSite attribute to restrict browser behaviour wrt sending the cookie along with cross-site requests. - VOUCH_COOKIE_SAMESITE
# Possible attribute values lax, strict, none.
# If attribute not specified then cross-site behaviour will depend on the browser used. If sameSite=none then secure must be set to true
# More context: https://github.com/vouch/vouch-proxy/issues/210
sameSite: lax
session:
# name of session variable stored locally - VOUCH_SESSION_NAME
name: VouchSession
# number of minutes for maximum session age, configuring how long the user has to login at their IdP (defaults to 5) - VOUCH_SESSION_MAXAGE
maxAge: 5
# key - a cryptographic string used to store the session variable - VOUCH_SESSION_KEY
# if the key is not set here then it is generated at startup and stored in memory
# Vouch Proxy complains if the string is less than 44 characters (256 bits as 32 base64 bytes)
# you only want to set this if you're running multiple user facing vouch.yourdomain.com instances
# where each instance may rely on a session cookie for state or the original requested URL
# key: your_random_key
headers:
jwt: X-Vouch-Token # VOUCH_HEADERS_JWT
querystring: access_token # VOUCH_HEADERS_QUERYSTRING
redirect: X-Vouch-Requested-URI # VOUCH_HEADERS_REDIRECT
# GENERAL WARNING ABOUT claims AND tokens
# all of these config elements can cause performance impacts due to the amount of information being
# moved around. They will get added to the Vouch cookie and (possibly) make it large. The Vouch cookie will
# get split up into several cookies. But if you need it, you need it.
# With large cookies and headers it will require additional nginx config to open up the buffers a bit..
# see `large_client_header_buffers` http://nginx.org/en/docs/http/ngx_http_core_module.html#large_client_header_buffers
# and `proxy_buffer_size` http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_buffer_size
# claims - a list of claims that will be stored in the JWT and passed down to applications via headers - VOUCH_HEADERS_CLAIMS
# By default claims are sent down as headers with a prefix of X-Vouch-IdP-Claims-ClaimKey
# Only when a claim is found in the user's info will the header exist. This is optional. These are case sensitive.
claims:
- groups
- given_name
# these will result in two headers being passed back to nginx as the headers
# X-Vouch-IdP-Claims-Groups: groupa, groupb, groupc
# X-Vouch-IdP-Claims-Given-Name: Robert
# nginx will populate the variables
# $auth_resp_x_vouch_idp_claims_groups
# $auth_resp_x_vouch_idp_claims_given-name
# see https://github.com/vouch/vouch-proxy/issues/183 regarding claims and header naming
# claimheader - Customizable claim header prefix (instead of default `X-Vouch-IdP-Claims-`) - VOUCH_HEADERS_CLAIMHEADER
# claimheader: My-Custom-Claim-Prefix
# accesstoken - Pass the user's access token from the provider. This is useful if you need to pass the IdP token to a downstream - VOUCH_HEADERS_ACCESSTOKEN
# application. This is optional.
# accesstoken: X-Vouch-IdP-AccessToken
# idtoken - Pass the user's Id token from the provider. This is useful if you need to pass this token to a downstream - VOUCH_HEADERS_IDTOKEN
# application. This is optional.
# idtoken: X-Vouch-IdP-IdToken
# test_url - add this URL to the page which vouch displays during testing (a convenience for testing) - VOUCH_TESTURL
test_url: http://yourdomain.com
# post_logout_redirect_uris - VOUCH_POST_LOGOUT_REDIRECT_URIS
# in order to prevent redirection attacks all redirected URLs to /logout must be specified
# the URL must still be passed to Vouch Proxy as https://vouch.yourdomain.com/logout?url=${ONE OF THE URLS BELOW}
# in line with the OIDC spec https://openid.net/specs/openid-connect-session-1_0.html#RedirectionAfterLogout
post_logout_redirect_uris:
# your apps login page
- http://myapp.yourdomain.com/login
# your IdPs logout enpoint
# from https://accounts.google.com/.well-known/openid-configuration
- https://oauth2.googleapis.com/revoke
# you may be daisy chaining to your IdP
- https://myorg.okta.com/oauth2/123serverid/v1/logout?post_logout_redirect_uri=http://myapp.yourdomain.com/login
#
# OAuth
#
# environmental variables for OAuth config:
# provider: OAUTH_PROVIDER
# client_id: OAUTH_CLIENT_ID
# client_secret: OAUTH_CLIENT_SECRET
# auth_url: OAUTH_AUTH_URL
# token_url: OAUTH_TOKEN_URL
# end_session_endpoint: OAUTH_END_SESSION_ENDPOINT
# callback_url: OAUTH_CALLBACK_URL
# user_info_url: OAUTH_USER_INFO_URL
# user_team_url: OAUTH_USER_TEAM_URL
# user_org_url: OAUTH_USER_ORG_URL
# preferreddomain: OAUTH_PREFERREDDOMAIN
# callback_urls: OAUTH_CALLBACK_URLS
# scopes: OAUTH_SCOPES
# claims: OAUTH_CLAIMS
# code_challenge_method: OAUTH_CODE_CHALLENGE_METHOD
# relying_party_id OAUTH_RELYING_PARTY_ID
#
# configure ONLY ONE of the following oauth providers
#
oauth:
# Google
provider: google
# create new credentials at:
# https://console.developers.google.com/apis/credentials
client_id:
client_secret:
callback_urls:
- http://vouch.yourdomain.com:9090/auth
- http://vouch.yourotherdomain.com:9090/auth
preferredDomain: yourdomain.com
# optionally set scopes, defaults to 'email'
# https://developers.google.com/identity/protocols/googlescopes#google_sign-in
# scopes:
# - email
# GitHub
# https://developer.github.com/apps/building-integrations/setting-up-and-registering-oauth-apps/about-authorization-options-for-oauth-apps/
provider: github
client_id:
client_secret:
# callback_url is configured at github.com when setting up the app
# Set to e.g. https://vouch.yourdomain.com/auth
# defaults (uncomment and change these if you are using github enterprise on-prem)
# auth_url: https://github.com/login/oauth/authorize
# token_url: https://github.com/login/oauth/access_token
# user_info_url: https://api.github.com/user?access_token=
# scopes:
# - user
# Generic OpenID Connect
provider: oidc
client_id:
client_secret:
auth_url: https://{yourOktaDomain}/oauth2/default/v1/authorize
token_url: https://{yourOktaDomain}/oauth2/default/v1/token
user_info_url: https://{yourOktaDomain}/oauth2/default/v1/userinfo
# end_session_endpoint is usually the IdP's logout URL
# see https://github.com/vouch/vouch-proxy/pull/258
end_session_endpoint: https://{yourOktaDomain}/oauth2/default/v1/logout
scopes:
- openid
- email
- profile
callback_url: http://vouch.yourdomain.com:9090/auth
# optionally set the "claims" request parameter (see https://openid.net/specs/openid-connect-core-1_0.html#ClaimsParameter)
# required by Twitch, resolves issue https://github.com/vouch/vouch-proxy/issues/414
# claims:
# userinfo:
# given_name:
# essential: true
# nickname: null
# email:
# essential: true
# email_verified:
# essential: true
# picture: null
# "http://example.info/claims/groups": null
# id_token:
# auth_time:
# essential: true
# acr:
# values:
# - "urn:mace:incommon:iap:silver"
# PKCE method if enabled, S256 is currently supported (check https://www.oauth.com/oauth2-servers/pkce/)
# resolves issue https://github.com/vouch/vouch-proxy/issues/303
code_challenge_method: S256
# IndieAuth
# https://indielogin.com/api
provider: indieauth
client_id: http://yourdomain.com
auth_url: https://indielogin.com/auth
callback_url: http://vouch.yourdomain.com:9090/auth
# adfs
provider: adfs
client_id:
client_secret:
auth_url: https://adfs.yourdomain.com/adfs/oauth2/authorize/
token_url: https://adfs.yourdomain.com/adfs/oauth2/token/
# vouch-proxy use RedirectURL as relying party identifier by default, if you want a custom one:
# see https://github.com/vouch/vouch-proxy/issues/189
# relying_party_id: 487d8ff7-80a8-4f62-b926-c2852ab06e94
scopes:
- openid
- email
- profile
callback_url: https://vouch.yourdomain.com/auth