---
id: tls
title: TLS Configuration
---

There are two recommended configurations for terminating TLS in front of the upstream: in `oauth2-proxy` itself, or in a reverse proxy or load balancer that sits in front of it. In both layouts the session cookie must only travel over HTTPS, which is what `--cookie-secure=true` (the default) enforces.

1.  Configure TLS termination with OAuth2 Proxy by providing a `--tls-cert-file=/path/to/cert.pem` and `--tls-key-file=/path/to/cert.key`. `oauth2-proxy` then serves HTTPS on the address given by `--https-address` (default `:443`); the certificate has to be valid for the hostname users are redirected back to after login, or their browsers will refuse the connection. Leave `--reverse-proxy` unset in this layout: there is no trusted proxy in front, so any `X-Forwarded-*` or `X-Real-IP` header would come straight from the client.

    The command line to run `oauth2-proxy` in this configuration would look like this:

    ```bash
    ./oauth2-proxy \
        --email-domain="yourcompany.com"  \
        --upstream=http://127.0.0.1:8080/ \
        --tls-cert-file=/path/to/cert.pem \
        --tls-key-file=/path/to/cert.key \
        --cookie-secret=... \
        --cookie-secure=true \
        --provider=... \
        --client-id=... \
        --client-secret=...
    ```

2.  Configure TLS termination with [Nginx](http://nginx.org/) (example config below), Amazon ELB, Google Cloud Platform Load Balancing, or any other reverse proxy or load balancer that holds the certificate.

    Because `oauth2-proxy` listens on `127.0.0.1:4180` by default, to listen on all interfaces (needed when the
    terminator runs on another host, as with Amazon ELB or Google Cloud Platform Load Balancing) use
    `--http-address="0.0.0.0:4180"` or `--http-address="http://:4180"`. Port `4180` then carries plaintext, so
    restrict it (firewall rules, security groups) to the load balancer: anything that can reach it directly bypasses
    TLS and HSTS, and, because `--reverse-proxy=true` makes `oauth2-proxy` accept `X-Forwarded-*` and `X-Real-IP`
    from whoever connects, can also spoof its apparent client address and scheme. When Nginx runs on the same host,
    keep the loopback default.

    Nginx will listen on port `443` and handle TLS connections while proxying to `oauth2-proxy` on port `4180`.
    `oauth2-proxy` will then authenticate requests for an upstream application. The external endpoint for this example
    would be `https://internal.yourcompany.com/`.

    An example Nginx config follows. Note the `Strict-Transport-Security` header: once a browser has received it over
    HTTPS it refuses to load `internal.yourcompany.com` over plain HTTP for `max-age` seconds (30 days here), see
    [HSTS](http://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security). The `always` flag makes Nginx add the header
    to error responses too, such as the `403` that `oauth2-proxy` returns for a denied login, not only to `2xx` and
    `3xx` responses:

    ```
    server {
        listen 443 ssl default_server;
        server_name internal.yourcompany.com;
        ssl_certificate /path/to/cert.pem;
        ssl_certificate_key /path/to/cert.key;
        ssl_protocols TLSv1.2 TLSv1.3;
        add_header Strict-Transport-Security "max-age=2592000" always;

        location / {
            proxy_pass http://127.0.0.1:4180;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Scheme $scheme;
            # with --reverse-proxy=true, oauth2-proxy reads X-Forwarded-Proto to learn
            # that the client connection was HTTPS when building redirect URLs
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_connect_timeout 1;
            proxy_send_timeout 30;
            proxy_read_timeout 30;
        }
    }
    ```

    The command line to run `oauth2-proxy` in this configuration would look like this. `--reverse-proxy=true` tells
    `oauth2-proxy` to take the client address and scheme from the headers Nginx sets, so only enable it when Nginx
    (or the load balancer) is the only thing that can reach port `4180`:

    ```bash
    ./oauth2-proxy \
        --email-domain="yourcompany.com"  \
        --upstream=http://127.0.0.1:8080/ \
        --cookie-secret=... \
        --cookie-secure=true \
        --provider=... \
        --reverse-proxy=true \
        --client-id=... \
        --client-secret=...
    ```

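As an added pre-flight check (example code written for this page, not part of oauth2-proxy), the following Python script lints an `oauth2-proxy` command line and, for the second layout, the Nginx server block in front of it against the points above: `--cookie-secure` switched off, `--reverse-proxy=true` missing behind a terminator or present without one, a `listen` without `ssl`, a missing or short `Strict-Transport-Security` header, no `X-Forwarded-Proto`, and `oauth2-proxy` bound to all interfaces while Nginx proxies over loopback. The weak and hardened command lines and Nginx blocks embedded in it are constructed samples; the 30-day HSTS threshold is the value from the Nginx example on this page.

```python
"""Pre-flight lint for the two TLS termination layouts described on this page.
Added example, not oauth2-proxy's own code: parses an oauth2-proxy command line and, for the
external-termination layout, the nginx server block in front of it, and reports the mistakes the
page warns about. All sample command lines and nginx blocks below are constructed."""
import re
import shlex
from typing import NamedTuple, Optional

HSTS_MIN_MAX_AGE = 2592000  # 30 days, the value used in the page's nginx example

class Finding(NamedTuple):
    severity: str  # "error" or "warn"
    message: str

def parse_flags(cmdline: str) -> dict:
    """Parse `./oauth2-proxy --a=b --flag` into {"a": "b", "flag": "true"} (the page's --flag=value style)."""
    flags = {}
    for tok in shlex.split(cmdline.replace("\\\n", " "))[1:]:  # join continuation lines, skip the binary
        if tok.startswith("--"):
            name, _, value = tok[2:].partition("=")
            flags[name] = value or "true"
    return flags

def parse_nginx(conf: str) -> list:
    """Flatten an nginx server block into [(directive, args)]; nesting is irrelevant for these checks."""
    directives = []
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line == "}" or line.endswith("{"):
            continue
        name, *args = shlex.split(line.rstrip(";"))  # shlex keeps quoted header values whole
        directives.append((name, args))
    return directives

def lint_nginx(directives: list, flags: dict) -> list:
    """Terminator checks: TLS on the listener, HSTS, forwarded scheme, and who can reach port 4180."""
    findings = []
    if not any(n == "listen" and "ssl" in a for n, a in directives):
        findings.append(Finding("error", "listen directive has no 'ssl': the terminator serves plaintext"))
    hsts = [a for n, a in directives if n == "add_header" and a and a[0].lower() == "strict-transport-security"]
    if not hsts:
        findings.append(Finding("warn", "no Strict-Transport-Security header; browsers are not pinned to HTTPS"))
    else:
        m = re.search(r"max-age=(\d+)", " ".join(hsts[0][1:]))
        if not m or int(m.group(1)) < HSTS_MIN_MAX_AGE:
            findings.append(Finding("warn", f"HSTS max-age is below {HSTS_MIN_MAX_AGE} seconds"))
    headers = {a[0].lower(): a[1] for n, a in directives if n == "proxy_set_header" and len(a) >= 2}
    if headers.get("x-forwarded-proto") != "$scheme":
        findings.append(Finding("warn", "X-Forwarded-Proto is not set from $scheme; oauth2-proxy cannot see the client used HTTPS"))
    # nginx reaches oauth2-proxy over loopback, so a 0.0.0.0 bind only exposes plaintext 4180 to callers bypassing nginx.
    targets = [a[0] for n, a in directives if n == "proxy_pass" and a]
    local_only = bool(targets) and all("127.0.0.1" in t or "localhost" in t for t in targets)
    bind = flags.get("http-address", "127.0.0.1:4180")
    if local_only and "127.0.0.1" not in bind and "localhost" not in bind:
        findings.append(Finding("warn", f"--http-address={bind} binds all interfaces although nginx proxies over loopback"))
    return findings

def lint(cmdline: str, nginx_conf: Optional[str] = None) -> list:
    """Lint one deployment: layout 1 if oauth2-proxy holds the certificate, layout 2 otherwise."""
    flags = parse_flags(cmdline)
    findings = []
    if flags.get("cookie-secure", "true").lower() == "false":
        findings.append(Finding("error", "--cookie-secure=false lets the session cookie travel over plaintext HTTP"))
    if "tls-cert-file" in flags or "tls-key-file" in flags:
        if not ("tls-cert-file" in flags and "tls-key-file" in flags):
            findings.append(Finding("error", "--tls-cert-file and --tls-key-file must be given together"))
        if flags.get("reverse-proxy", "false").lower() == "true":
            findings.append(Finding("warn", "--reverse-proxy=true with nothing in front: X-Forwarded-*/X-Real-IP become client-controlled"))
    else:
        if flags.get("reverse-proxy", "false").lower() != "true":
            findings.append(Finding("error", "TLS is terminated in front of oauth2-proxy but --reverse-proxy=true is missing"))
        if nginx_conf is not None:
            findings.extend(lint_nginx(parse_nginx(nginx_conf), flags))
    return findings

# Constructed samples: the weak pair trips every check above, the hardened pair none.
WEAK_CMD = """./oauth2-proxy --email-domain=yourcompany.com --upstream=http://127.0.0.1:8080/ \\
    --http-address=0.0.0.0:4180 --cookie-secret=REPLACE_ME --cookie-secure=false --provider=REPLACE_ME"""
WEAK_NGINX = """server {
    listen 443 default_server;
    location / {
        proxy_pass http://127.0.0.1:4180;
        proxy_set_header Host $host;
    }
}"""
HARDENED_CMD = """./oauth2-proxy --email-domain=yourcompany.com --upstream=http://127.0.0.1:8080/ \\
    --cookie-secret=REPLACE_ME --cookie-secure=true --reverse-proxy=true --provider=REPLACE_ME"""
HARDENED_NGINX = """server {
    listen 443 ssl default_server;
    ssl_certificate /path/to/cert.pem;
    ssl_certificate_key /path/to/cert.key;
    add_header Strict-Transport-Security "max-age=2592000" always;
    location / {
        proxy_pass http://127.0.0.1:4180;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}"""
```

Run `lint(WEAK_CMD, WEAK_NGINX)` to see the six findings (three errors, three warnings) and `lint(HARDENED_CMD, HARDENED_NGINX)` to confirm the hardened pair is clean; for the first layout, pass only the command line. The parser is deliberately small and handles the `--flag=value` style and line-based Nginx directives used on this page, not arbitrary configurations.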