Icingaweb2 with nginx and oauth2-proxy

Hi dear community!

We are trying to make our icingaweb2 installation work with oauth2-proxy so that all icinga2 users authenticate externally with Google. Here is our nginx configuration:

# nginx vhost for Icinga Web 2 gated by oauth2-proxy (auth_request pattern).
# NOTE(review): this is the configuration that did not work; see the comments
# on the REMOTE_USER lines and on the /icingaweb2/index.php location below.
server {
  # Plain HTTP only. oauth2-proxy.conf below sets cookie_secure = false, so
  # the session cookie travels in clear text between browser and nginx.
  listen 80;
  server_name   icinga.mycompany.party;
  root          /usr/share/icingaweb2/public;
  access_log    /var/log/nginx/icingaweb2_access.log combined;
  error_log     /var/log/nginx/icingaweb2_error.log error;

  # Browser-facing oauth2-proxy endpoints (sign_in, start, callback, ...).
  location /oauth2/ {
    proxy_pass       http://127.0.0.1:4180;
    proxy_set_header Host                    $host;
    proxy_set_header X-Real-IP               $remote_addr;
    proxy_set_header X-Scheme                $scheme;
    proxy_set_header X-Auth-Request-Redirect $request_uri;
    # or, if you are handling multiple domains:
    # proxy_set_header X-Auth-Request-Redirect $scheme://$host$request_uri;
  }
  # Target of the auth_request subrequest. It is not marked "internal", so a
  # browser can also call it directly; consider "internal;" to limit it to
  # subrequests only.
  location = /oauth2/auth {
    proxy_pass       http://127.0.0.1:4180;
    proxy_set_header Host             $host;
    proxy_set_header X-Real-IP        $remote_addr;
    proxy_set_header X-Scheme         $scheme;
    # nginx auth_request includes headers but not body
    proxy_set_header Content-Length   "";
    proxy_pass_request_body           off;
  }

  # Prefix location: only URIs that no regex location below matches end up
  # here, so this is NOT a catch-all for the whole site.
  location / {
    auth_request /oauth2/auth;
    error_page 401 = /oauth2/sign_in;

    # pass information via X-User and X-Email headers to backend,
    # requires running with --set-xauthrequest flag
    auth_request_set $user   $upstream_http_x_auth_request_user;
    auth_request_set $email  $upstream_http_x_auth_request_email;
    # proxy_set_header only applies to proxy_pass; it has no effect on the
    # fastcgi_pass used at the end of this block, so $user/$email never reach
    # PHP through these two lines.
    proxy_set_header X-User  $user;
    proxy_set_header X-Email $email;

    # if you enabled --pass-access-token, this will pass the token to the backend
    auth_request_set $token  $upstream_http_x_auth_request_access_token;
    proxy_set_header X-Access-Token $token;

    # if you enabled --cookie-refresh, this is needed for it to work with auth_request
    auth_request_set $auth_cookie $upstream_http_set_cookie;
    add_header Set-Cookie $auth_cookie;

    # When using the --set-authorization-header flag, some provider's cookies can exceed the 4kb
    # limit and so the OAuth2 Proxy splits these into multiple parts.
    # Nginx normally only copies the first `Set-Cookie` header from the auth_request to the response,
    # so if your cookies are larger than 4kb, you will need to extract additional cookies manually.
    auth_request_set $auth_cookie_name_upstream_1 $upstream_cookie_auth_cookie_name_1;

    # Extract the Cookie attributes from the first Set-Cookie header and append them
    # to the second part ($upstream_cookie_* variables only contain the raw cookie content)
    if ($auth_cookie ~* "(; .*)") {
        set $auth_cookie_name_0 $auth_cookie;
        set $auth_cookie_name_1 "auth_cookie_name_1=$auth_cookie_name_upstream_1$1";
    }

    # Send both Set-Cookie headers now if there was a second part
    if ($auth_cookie_name_upstream_1) {
        add_header Set-Cookie $auth_cookie_name_0;
        add_header Set-Cookie $auth_cookie_name_1;
    }

    # proxy_pass http://backend/;
    # or "root /path/to/site;" or "fastcgi_pass ..." etc
    fastcgi_pass unix:/run/php/php7.4-fpm.sock;
    fastcgi_index index.php;
    include fastcgi_params;
    fastcgi_param SCRIPT_FILENAME /usr/share/icingaweb2/public/index.php;
    fastcgi_param ICINGAWEB_CONFIGDIR /etc/icingaweb2;
    #fastcgi_param REMOTE_USER $remote_user;
    # Defect: $http_x_auth_request_email is the *incoming request* header
    # "X-Auth-Request-Email", not the value oauth2-proxy returned on the auth
    # subrequest (that value is $email, set by auth_request_set above). A
    # browser never sends this header, so REMOTE_USER is empty and Icinga Web 2
    # presumably falls back to its login page -- and whoever does send the
    # header picks REMOTE_USER themselves. `fastcgi_param REMOTE_USER $email;`
    # is the intended wiring.
    fastcgi_param REMOTE_USER $http_x_auth_request_email;
  }

  # Regex location: nginx prefers it over "location /" for any matching URI,
  # and it carries no auth_request at all, so /icingaweb2/index.php... is
  # handed to PHP without the oauth2-proxy check, with REMOTE_USER again read
  # from a client-supplied header. The auth_request/auth_request_set lines
  # must be repeated here (with a trusted variable) for the gate to hold.
  location ~ ^/icingaweb2/index\.php(.*)$ {
    fastcgi_pass unix:/run/php/php7.4-fpm.sock;
    fastcgi_index index.php;
    include fastcgi_params;
    fastcgi_param SCRIPT_FILENAME /usr/share/icingaweb2/public/index.php;
    fastcgi_param ICINGAWEB_CONFIGDIR /etc/icingaweb2;
    #fastcgi_param REMOTE_USER $remote_user;
    fastcgi_param REMOTE_USER $http_x_auth_request_email;
   }

  # Static assets under the /icingaweb2 prefix. NOTE(review): alias inside a
  # regex location is documented to refer to a capture (e.g. ".../public$1");
  # verify that assets actually resolve with the capture-less form used here.
  location ~ ^/icingaweb2(.+)? {
    alias /usr/share/icingaweb2/public;
    index index.php;
    try_files $1 $uri $uri/ /icingaweb2/index.php$is_args$args;
   }
}

Here is our oauth2-proxy.conf

# oauth2-proxy configuration used with the first (non-working) nginx vhost.
# NOTE(review): redirect_url is plain http and cookie_secure = false below,
# so the session cookie is sent unencrypted between browser and nginx.
redirect_url = "http://icinga.mycompany.party/oauth2/callback"
# Points back at nginx on port 80. With nginx doing auth_request, oauth2-proxy
# never serves the application itself, so this upstream is presumably only
# reached by requests sent straight to port 4180 (loopback) -- confirm.
upstreams = [
    "http://127.0.0.1:80/"
]
logging_filename = "/var/log/oauth2_combined.log"
logging_max_size = 100
logging_max_age = 7
logging_local_time = true
logging_compress = false
standard_logging = true
standard_logging_format = "[{{.Timestamp}}] [{{.File}}] {{.Message}}"
request_logging = true
request_logging_format = "{{.Client}} - {{.Username}} [{{.Timestamp}}] {{.Host}} {{.RequestMethod}} {{.Upstream}} {{.RequestURI}} {{.Protocol}} {{.UserAgent}} {{.StatusCode}} {{.ResponseSize}} {{.RequestDuration}}"
auth_logging = true
auth_logging_format = "{{.Client}} - {{.Username}} [{{.Timestamp}}] [{{.Status}}] {{.Message}}"
pass_basic_auth = true
pass_user_headers = true
pass_host_header = true
# Only Google accounts in this domain are accepted after login.
email_domains = [
    "mycompany.com"
]
# Credentials redacted here; keep the real values out of posts and repos.
client_id = "*******************.apps.googleusercontent.com"
client_secret = "***********"
cookie_secret = "****************"
# Cookie is issued without the Secure flag; acceptable only while the site
# is served over plain HTTP, and should be flipped to true once TLS is added.
cookie_secure = false
cookie_domains = "icinga.mycompany.party"
cookie_expire = "24h"
cookie_refresh = "1h"

We see in the oauth2-proxy log that Google authentication works fine for a new session:

[2023/04/11 15:28:28] [internal_util.go:69] 200 GET https://www.googleapis.com/oauth2/v1/tokeninfo?access_token=ya29.a0Ael9sCM1Vohb-NkbeU7qQ8lIIRm109a6BeowB_6SiH-7MvuWLnh5lvP3Lycfqj9o346oeSS_0j2XkB7RkvrmJexM_S83D7V2qZ... {
  "issued_to": "925248465022-0f7e5i4dk1lofag6v4j07odp5qf9lo0d.apps.googleusercontent.com",
  "audience": "925248465022-0f7e5i4dk1lofag6v4j07odp5qf9lo0d.apps.googleusercontent.com",
  "user_id": "103807394906423266811",
  "scope": "openid https://www.googleapis.com/auth/userinfo.email https://www.googleapis.com/auth/userinfo.profile",
  "expires_in": 3599,
  "email": "user@mycompany.com",
  "verified_email": true,
  "access_type": "offline"
}

We have configured the icingaweb2 authentication.ini accordingly:

; Icinga Web 2 authentication.ini: local database backend plus the external
; (REMOTE_USER) backend that the nginx fastcgi_param REMOTE_USER feeds.
[auth_db]
backend    = "db"
resource   = "icingaweb"

; Strips "@mycompany.com" from the value delivered in REMOTE_USER, so the
; Icinga Web 2 user name is the bare local part of the Google address.
[autologin]
backend    = "external"
strip_username_regexp = "/@mycompany\.com/"

The problem is that after a successful Google authentication for a user, nginx always returns the Icinga login page:

http://icinga.mycompany.party/authentication/login

Even if we ask for another internal Icinga page such as the dashboard, it always redirects us to the same URL above.
It seems that our nginx config is wrong (wrong locations?), but we cannot find where the issue is, and we have not found any similar case on the web.

Thank you all in advance!

  • Icinga Web 2 version: 2.11.3
  • Used modules and their versions (System - About) : monitoring 2.11.3
  • Web browser used: chrome, edge, firefox
  • Icinga 2 version used (icinga2 --version) : r2.13.7-1
  • PHP version used (php --version) : 7.4.33
  • Server operating system and version: Debian Bullseye 11.6

Here is how it finally worked, with internal help, in case someone has the same problem in the future:

Nginx config:

# Working nginx vhost: oauth2-proxy is consulted through an internal-only
# subrequest location, and REMOTE_USER is taken from that subrequest's
# response instead of from a request header.
server {
  # Still plain HTTP; oauth2-proxy.conf keeps cookie_secure = false to match.
  listen 80;
  server_name  icinga.mycompany.party;
  root          /usr/share/icingaweb2/public;
  access_log    /var/log/nginx/icingaweb2_access.log combined;
  error_log	/var/log/nginx/icingaweb2_error.log error;

  index index.html index.htm index.php;

  # Browser-facing oauth2-proxy endpoints (start, callback, sign_in, ...).
  location /oauth2/ {
    proxy_pass http://localhost:4180;
    proxy_set_header X-Real-IP  $remote_addr;
    proxy_set_header Host  $host;
  }

  # Subrequest-only auth endpoint: "internal" rejects direct client requests,
  # and the trailing slash on proxy_pass strips the /internal-auth/ prefix, so
  # /internal-auth/oauth2/auth reaches oauth2-proxy as /oauth2/auth.
  location /internal-auth/ {
    internal;
    proxy_set_header X-Real-IP  $remote_addr;
    proxy_set_header Host  $host;
    proxy_pass http://localhost:4180/;
  }

  # No auth_request and no PHP handler here: whatever try_files finds on disk
  # under root is served as a static file. NOTE(review): that would include
  # /index.php itself (also the fallback target), returned as source rather
  # than executed -- confirm whether this path is reachable in practice.
  location / {
    try_files $uri $uri/ /index.php$is_args$args;
  }

  # Every Icinga Web 2 PHP request is gated here.
  location ~ ^/icingaweb2/index\.php(.*)$ {
    auth_request /internal-auth/oauth2/auth;
    # User identity comes from the auth subrequest's GAP-Auth response header.
    # The target variable lives in the $http_* (request-header) namespace; it
    # works for the author, but a dedicated name such as $auth_user would not
    # depend on nginx shadowing a header-derived variable.
    auth_request_set $http_x_auth_request_email $upstream_http_gap_auth;
    # Needs the ngx_http_lua module (OpenResty / nginx-module-lua). Builds the
    # URL-escaped return target for the redirect below.
    set_by_lua $escaped_request_uri 'return ngx.escape_uri(ngx.var.scheme .. "://" .. ngx.var.host .. ngx.var.request_uri)';
    # On 401 send the browser to oauth2-proxy's start endpoint with the original
    # URL as rd=; oauth2-proxy checks it against whitelist_domains. Scheme and
    # host are hard-coded here and must be updated when TLS is introduced.
    error_page 401 = http://icinga.mycompany.party/oauth2/start?rd=$escaped_request_uri;
    fastcgi_pass unix:/run/php/php8.1-fpm.sock;
    fastcgi_index index.php;
    include fastcgi_params;
    fastcgi_param SCRIPT_FILENAME /usr/share/icingaweb2/public/index.php;
    fastcgi_param ICINGAWEB_CONFIGDIR /etc/icingaweb2;
    # Populated by auth_request_set above; empty when oauth2-proxy returned no
    # GAP-Auth header, in which case Icinga Web 2 shows its own login page.
    fastcgi_param REMOTE_USER $http_x_auth_request_email;
  }

  # Static assets under the /icingaweb2 prefix. NOTE(review): alias inside a
  # regex location is documented to refer to a capture (e.g. ".../public$1");
  # verify that assets actually resolve with the capture-less form used here.
  location ~ ^/icingaweb2(.+)? {
    alias /usr/share/icingaweb2/public;
    index index.php;
    try_files $1 $uri $uri/ /icingaweb2/index.php$is_args$args;
  }
}

oauth2-proxy conf:

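# oauth2-proxy configuration for the working setup: nginx does auth_request,
# so oauth2-proxy acts purely as the authentication service.
# Fix: the client_id line used a typographic opening quote (U+201C), which a
# TOML parser rejects; it is a plain ASCII double quote now.
# No upstream: oauth2-proxy never serves application content here.
upstreams = [
]
logging_filename = "/var/log/oauth2_combined.log"
logging_max_size = 100
logging_max_age = 7
logging_local_time = true
logging_compress = false
standard_logging = true
standard_logging_format = "[{{.Timestamp}}] [{{.File}}] {{.Message}}"
request_logging = true
request_logging_format = "{{.Client}} - {{.Username}} [{{.Timestamp}}] {{.Host}} {{.RequestMethod}} {{.Upstream}} {{.RequestURI}} {{.Protocol}} {{.UserAgent}} {{.StatusCode}} {{.ResponseSize}} {{.RequestDuration}}"
auth_logging = true
auth_logging_format = "{{.Client}} - {{.Username}} [{{.Timestamp}}] [{{.Status}}] {{.Message}}"
pass_basic_auth = true
pass_user_headers = true
pass_host_header = true
# Hosts the rd= parameter of /oauth2/start may redirect back to after login;
# the leading dot allows any subdomain. Keep this list tight to avoid open
# redirects through the proxy.
whitelist_domains = [
".mycompany.com",
".mycompany.party",
]
# Only Google accounts in this domain are accepted after login.
email_domains = [
    "mycompany.com"
]
# Credentials redacted here; keep the real values out of posts and repos.
client_id = "****************lofag6v4j07odp5qf9lo0d.apps.googleusercontent.com"
client_secret = "****************"
cookie_secret = "****************="
# Cookie is issued without the Secure flag; acceptable only while the site
# is served over plain HTTP, and should be flipped to true once TLS is added.
cookie_secure = false
cookie_domains = [
".mycompany.party",
]
cookie_expire = "24h"
cookie_refresh = "1h"
# Fresh CSRF cookie per login attempt, short-lived.
cookie_csrf_per_request = true
cookie_csrf_expire = "5m"
# Request only the e-mail claim; nothing else from the Google account is needed.
scope = "email"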