sokai/mynixos-config
1
1
Fork 0
forked from mirrors_public/oddlama_nix-config
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

fix: correctly set X-User and X-Email headers on oauth2-proxy

Browse source
This commit is contained in:
oddlama 2024-06-09 22:08:13 +02:00
parent 03fdaa739f
commit a627d0c61e
No known key found for this signature in database
GPG key ID: 14EFE510775FE39A
2 changed files with 32 additions and 18 deletions
Download patch file Download diff file Expand all files Collapse all files

17
hosts/sire/guests/ai.nix
View file

@ -37,13 +37,16 @@ in {
DO_NOT_TRACK = "True";
ANONYMIZED_TELEMETRY = "False";
WEBUI_AUTH = "False";
ENABLE_SIGNUP = "False";
ENABLE_COMMUNITY_SHARING = "False";
ENABLE_ADMIN_EXPORT = "False";
OLLAMA_BASE_URL = "http://localhost:11434";
TRANSFORMERS_CACHE = "/var/lib/open-webui/.cache/huggingface";
WEBUI_AUTH = "False";
ENABLE_SIGNUP = "False";
WEBUI_AUTH_TRUSTED_EMAIL_HEADER = "X-Email";
DEFAULT_USER_ROLE = "user";
};
};
@ -51,7 +54,7 @@ in {
nodes.sentinel = {
services.nginx = {
upstreams.open-webui = {
servers."${config.wireguard.proxy-home.ipv4}:${toString config.services.open-webui.port}" = {};
servers."${config.wireguard.proxy-sentinel.ipv4}:${toString config.services.open-webui.port}" = {};
extraConfig = ''
zone open-webui 64k;
keepalive 2;
@ -63,14 +66,10 @@ in {
oauth2 = {
enable = true;
allowedGroups = ["access_openwebui"];
X-Email = "\${upstream_http_x_auth_request_email}@${config.repo.secrets.global.domains.personal}";
X-Email = "\${upstream_http_x_auth_request_preferred_username}@${config.repo.secrets.global.domains.personal}";
};
# FIXME: refer to lan 192.168... and fd10:: via globals
extraConfig = ''
client_max_body_size 512M;
allow 192.168.1.0/24;
allow fd10::/64;
deny all;
client_max_body_size 128M;
'';
locations."/" = {
proxyPass = "http://open-webui";

33
modules/oauth2-proxy.nix
View file

@ -53,25 +53,39 @@ in {
description = "The variable to set as X-User";
};
};
options.locations = mkOption {
type = types.attrsOf (types.submodule (locationSubmod: {
options.setOauth2Headers = mkOption {
type = types.bool;
default = true;
description = "Whether to add oauth2 specific headers to this location. Only takes effect is oauth2 is actually enabled on the parent vhost.";
};
config = mkIf (config.oauth2.enable && locationSubmod.config.setOauth2Headers) {
extraConfig = ''
proxy_set_header X-User $user;
proxy_set_header X-Email $email;
add_header Set-Cookie $auth_cookie;
'';
};
}));
};
config = mkIf config.oauth2.enable {
extraConfig = ''
auth_request /oauth2/auth;
error_page 401 = @redirectToAuth2ProxyLogin;
# set variables that can be used in locations.<name>.extraConfig
# pass information via X-User and X-Email headers to backend,
# requires running with --set-xauthrequest flag
auth_request_set $user ${config.oauth2.X-User};
auth_request_set $email ${config.oauth2.X-Email};
proxy_set_header X-User $user;
proxy_set_header X-Email $email;
auth_request_set $user ${config.oauth2.X-User};
auth_request_set $email ${config.oauth2.X-Email};
# if you enabled --cookie-refresh, this is needed for it to work with auth_request
auth_request_set $auth_cookie $upstream_http_set_cookie;
add_header Set-Cookie $auth_cookie;
'';
locations."@redirectToAuth2ProxyLogin" = {
# FIXME: allow refering to another node for the portaldomain
setOauth2Headers = false;
return = "307 https://${cfg.portalDomain}/oauth2/start?rd=$scheme://$host$request_uri";
extraConfig = ''
auth_request off;
@ -79,6 +93,7 @@ in {
};
locations."= /oauth2/auth" = {
setOauth2Headers = false;
proxyPass =
"http://oauth2-proxy/oauth2/auth"
+ optionalString (config.oauth2.allowedGroups != [])
@ -87,10 +102,10 @@ in {
auth_request off;
internal;
proxy_set_header X-Scheme $scheme;
proxy_set_header X-Scheme $scheme;
# nginx auth_request includes headers but not body
proxy_set_header Content-Length "";
proxy_pass_request_body off;
proxy_set_header Content-Length "";
proxy_pass_request_body off;
'';
};
};