Upload 2 files
Browse files- oauth2-proxy.cfg +2 -12
- start.sh +34 -81
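--- a/oauth2-proxy.cfg
+++ b/oauth2-proxy.cfg
@@ -21,18 +21,8 @@ cookie_expire = "168h"
 # provider = "github" # Moved to command line arguments in start.sh
 
 # Providers (Multi-provider support)
-providers = [
-
-provider = "github",
-client_id = "GITHUB_CLIENT_ID_PLACEHOLDER",
-client_secret = "GITHUB_CLIENT_SECRET_PLACEHOLDER"
-},
-{
-provider = "google",
-client_id = "GOOGLE_CLIENT_ID_PLACEHOLDER",
-client_secret = "GOOGLE_CLIENT_SECRET_PLACEHOLDER"
-}
-]
+# providers = [ ... ] # Alpha config removed due to instability
+
 
 # Upstreams
 upstreams = [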
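--- a/start.sh
+++ b/start.sh
@@ -74,94 +74,47 @@ else
 fi
 
 # 3. 启动 oauth2-proxy (本地监听 4180)
+# 回退到稳定模式:根据环境变量智能选择单个 Provider
 echo "Starting oauth2-proxy on 127.0.0.1:4180..."
 
-# 动态生成多 Provider 配置文件
-# oauth2-proxy v7.4+ 支持 alpha 配置,但为了稳定性,我们使用命令行参数方式,
-# 但 oauth2-proxy 目前并不支持在一个实例中同时开启多个 provider。
-#
-# 然而,你的需求是"两个登录按钮"。这通常需要使用 Alpha 配置 (Structured Configuration) 或者多个 Proxy 实例。
-# 考虑到 oauth2-proxy 的复杂性,最简单的方法是使用 --provider=oidc 并配置一个支持多源的 IdP (如 Dex)。
-# 但我们不想引入 Dex。
-#
-# 重新审视 oauth2-proxy 文档,从 v7.4.0 开始支持多 providers 配置。
-# 我们需要使用 alpha-config 格式。
-# 必须使用 --alpha-config 参数指定配置文件,而不是 --config
-
-cat <<EOF > /tmp/oauth2-proxy-alpha-config.yaml
-server:
-bindAddress: "127.0.0.1:4180"
-
-injectRequestHeaders:
-- name: X-Forwarded-User
-values:
-- claim: email
-- name: X-Forwarded-Email
-values:
-- claim: email
-- name: X-Forwarded-Preferred-Username
-values:
-- claim: preferred_username
-
-providers:
-EOF
-
-# 如果配置了 GitHub
 if [ -n "$GITHUB_CLIENT_ID" ] && [ -n "$GITHUB_CLIENT_SECRET" ]; then
-echo "
-
-
-
-
-
-
-
-
-
-#
-
+echo "Detected GITHUB_CLIENT_ID/SECRET. Using GitHub Provider."
+export OAUTH2_PROXY_PROVIDER="github"
+export OAUTH2_PROXY_CLIENT_ID="$GITHUB_CLIENT_ID"
+export OAUTH2_PROXY_CLIENT_SECRET="$GITHUB_CLIENT_SECRET"
+elif [ -n "$GOOGLE_CLIENT_ID" ] && [ -n "$GOOGLE_CLIENT_SECRET" ]; then
+echo "Detected GOOGLE_CLIENT_ID/SECRET. Using Google Provider."
+export OAUTH2_PROXY_PROVIDER="google"
+export OAUTH2_PROXY_CLIENT_ID="$GOOGLE_CLIENT_ID"
+export OAUTH2_PROXY_CLIENT_SECRET="$GOOGLE_CLIENT_SECRET"
+else
+# Fallback to defaults or generic variables
+if [ -z "$OAUTH2_PROXY_PROVIDER" ]; then
+export OAUTH2_PROXY_PROVIDER="github"
+fi
+echo "Using generic/default Provider: $OAUTH2_PROXY_PROVIDER"
 fi
 
-#
-
-
-
-
-
-
-
-
-
+# 构建 oauth2-proxy 命令 (标准命令行模式)
+CMD="oauth2-proxy \
+--config=oauth2-proxy.cfg \
+--provider=$OAUTH2_PROXY_PROVIDER \
+--client-id=$OAUTH2_PROXY_CLIENT_ID \
+--client-secret=$OAUTH2_PROXY_CLIENT_SECRET \
+--cookie-secret=$OAUTH2_PROXY_COOKIE_SECRET \
+--email-domain=* \
+--upstream=http://127.0.0.1:18789 \
+--http-address=127.0.0.1:4180 \
+--authenticated-emails-file=$AUTH_FILE"
+
+# 如果有 GitHub Users,追加参数
+if [ -n "$GITHUB_USERS" ]; then
+echo "Adding GitHub User whitelist: $GITHUB_USERS"
+CMD="$CMD --github-user=$GITHUB_USERS"
 fi
 
-#
-
-upstreamConfig:
-upstreams:
-- id: openclaw
-path: /
-uri: http://127.0.0.1:18789
-- id: terminal
-path: /terminal/
-uri: http://127.0.0.1:7681
-
-session:
-cookie:
-secret: "$OAUTH2_PROXY_COOKIE_SECRET"
-secure: true
-httpOnly: true
-expire: 168h
-refresh: 1h
-domains:
-- "*"
-EOF
-
-
-# 启动 oauth2-proxy (使用 alpha-config)
-echo "Starting oauth2-proxy with Alpha Configuration..."
-oauth2-proxy \
---alpha-config=/tmp/oauth2-proxy-alpha-config.yaml \
-2>&1 &
+# 执行命令
+$CMD 2>&1 &
 OAUTH2_PROXY_PID=$!
 
 # 4. 健康检查与等待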
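Review bot: The new `CMD` string passes `--client-secret=$OAUTH2_PROXY_CLIENT_SECRET` and `--cookie-secret=$OAUTH2_PROXY_COOKIE_SECRET` on the command line, so both secrets are readable by any local process via `ps` or `/proc/<pid>/cmdline` for as long as the proxy runs. The provider branch above already exports `OAUTH2_PROXY_CLIENT_SECRET`, and oauth2-proxy reads its `OAUTH2_PROXY_*` environment variables, so the two flags can simply be dropped (exporting `OAUTH2_PROXY_COOKIE_SECRET` as well, if it is not already exported earlier in the script, which this hunk does not show). Building the command as one string and launching it with an unquoted `$CMD 2>&1 &` also word-splits and glob-expands every argument, including `--email-domain=*`; an array keeps each argument intact. The provider-selection `if`/`fi` and the `--github-user` append are otherwise unchanged in the sketch below.

```shell
# … unchanged: provider selection (export OAUTH2_PROXY_PROVIDER / CLIENT_ID / CLIENT_SECRET) …

# Keep secrets out of argv: oauth2-proxy reads OAUTH2_PROXY_CLIENT_SECRET and
# OAUTH2_PROXY_COOKIE_SECRET from the environment, so only non-secret flags go here.
export OAUTH2_PROXY_COOKIE_SECRET
cmd=(oauth2-proxy
  --config=oauth2-proxy.cfg
  --provider="$OAUTH2_PROXY_PROVIDER"
  --client-id="$OAUTH2_PROXY_CLIENT_ID"
  --email-domain='*'
  --upstream=http://127.0.0.1:18789
  --http-address=127.0.0.1:4180
  --authenticated-emails-file="$AUTH_FILE")

if [ -n "$GITHUB_USERS" ]; then
  echo "Adding GitHub User whitelist: $GITHUB_USERS"
  cmd+=(--github-user="$GITHUB_USERS")
fi

"${cmd[@]}" 2>&1 &
# … unchanged: OAUTH2_PROXY_PID=$! and health check …
```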