---
id: tls
title: TLS Configuration
---

There are two recommended configurations.

1. Configure SSL Termination with OAuth2 Proxy by providing a `--tls-cert-file=/path/to/cert.pem` and `--tls-key-file=/path/to/cert.key`.

   The command line to run `oauth2-proxy` in this configuration would look like this:

   ```bash
   ./oauth2-proxy \
      --email-domain="yourcompany.com" \
      --upstream=http://127.0.0.1:8080/ \
      --tls-cert-file=/path/to/cert.pem \
      --tls-key-file=/path/to/cert.key \
      --cookie-secret=... \
      --cookie-secure=true \
      --provider=... \
      --client-id=... \
      --client-secret=...
   ```

2. Configure SSL Termination with [Nginx](http://nginx.org/) (example config below), Amazon ELB, Google Cloud Platform Load Balancing, or ....

   Because `oauth2-proxy` listens on `127.0.0.1:4180` by default, to listen on all interfaces (needed when using an external load balancer like Amazon ELB or Google Platform Load Balancing) use `--http-address="0.0.0.0:4180"` or `--http-address="http://:4180"`.

   Nginx will listen on port `443` and handle SSL connections while proxying to `oauth2-proxy` on port `4180`. `oauth2-proxy` will then authenticate requests for an upstream application. The external endpoint for this example would be `https://internal.yourcompany.com/`.

   An example Nginx config follows. Note the use of the `Strict-Transport-Security` header to pin requests to SSL via [HSTS](http://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security):

   ```nginx
   server {
       listen 443 default ssl;
       server_name internal.yourcompany.com;
       ssl_certificate /path/to/cert.pem;
       ssl_certificate_key /path/to/cert.key;
       add_header Strict-Transport-Security max-age=2592000;

       location / {
           proxy_pass http://127.0.0.1:4180;
           proxy_set_header Host $host;
           proxy_set_header X-Real-IP $remote_addr;
           proxy_set_header X-Scheme $scheme;
           proxy_connect_timeout 1;
           proxy_send_timeout 30;
           proxy_read_timeout 30;
       }
   }
   ```

   The command line to run `oauth2-proxy` in this configuration would look like this:

   ```bash
   ./oauth2-proxy \
      --email-domain="yourcompany.com" \
      --upstream=http://127.0.0.1:8080/ \
      --cookie-secret=... \
      --cookie-secure=true \
      --provider=... \
      --reverse-proxy=true \
      --client-id=... \
      --client-secret=...
   ```
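As an added check that is not part of the oauth2-proxy docs, the following Python linter reads a server block like the one above and flags departures from the layout this page describes: TLS terminated on 443, the HSTS header present, oauth2-proxy reached only over loopback, and the forwarded headers set. The `min_hsts_age` threshold and the embedded sample config are assumptions made for this example.

```python
import re
# "name args... ;" directives; braces are skipped, so a server block flattens
# into (name, [args]) pairs. Added example, not oauth2-proxy's own code.
DIRECTIVE = re.compile(r"([A-Za-z_]+)\s+([^;{}]*?)\s*;")

# Constructed sample: the server block from this page (timeouts omitted).
PAGE_CONFIG = """
server {
    listen 443 default ssl;
    server_name internal.yourcompany.com;
    ssl_certificate /path/to/cert.pem;
    ssl_certificate_key /path/to/cert.key;
    add_header Strict-Transport-Security max-age=2592000;
    location / {
        proxy_pass http://127.0.0.1:4180;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Scheme $scheme;
    }
}
"""

def directives(config: str) -> list:
    """Flatten an nginx config (comments dropped) into (name, args) pairs."""
    text = re.sub(r"#[^\n]*", "", config)
    return [(m.group(1), m.group(2).split()) for m in DIRECTIVE.finditer(text)]

def lint_tls_termination(config: str, min_hsts_age: int = 2592000) -> list:
    """Findings (empty = OK) for the properties the page relies on: TLS on 443,
    HSTS sent, oauth2-proxy reached over loopback, forwarded headers set."""
    found, findings = directives(config), []
    if not any(n == "listen" and "443" in " ".join(a) and "ssl" in a for n, a in found):
        findings.append("no 'listen 443 ... ssl': TLS is not terminated by this block")
    for needed in ("ssl_certificate", "ssl_certificate_key"):
        if not any(n == needed for n, _ in found):
            findings.append(f"missing {needed}")
    hsts = [" ".join(a) for n, a in found if n == "add_header" and a[:1] == ["Strict-Transport-Security"]]
    ages = [int(m.group(1)) for h in hsts for m in [re.search(r"max-age=(\d+)", h)] if m]
    if not ages:
        findings.append("no Strict-Transport-Security header: clients are not pinned to HTTPS")
    elif max(ages) < min_hsts_age:
        findings.append(f"HSTS max-age {max(ages)} is below {min_hsts_age}")
    for n, a in found:
        if n == "proxy_pass" and a and not re.match(r"https?://(127\.0\.0\.1|localhost)(:\d+)?/?$", a[0]):
            findings.append(f"proxy_pass {a[0]} is not the loopback oauth2-proxy listener")
    set_headers = {a[0] for n, a in found if n == "proxy_set_header" and a}
    for h in ("Host", "X-Real-IP", "X-Scheme"):
        if h not in set_headers:
            findings.append(f"proxy_set_header {h} missing")
    return findings
```

Running `lint_tls_termination(PAGE_CONFIG)` returns no findings; raising `min_hsts_age` or editing the block (for example pointing `proxy_pass` at a non-loopback address) produces one finding per weakened property.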