Matt Palmer
e9ca223cf8
Support auth-proxy on a subpath
2019-06-25 10:21:39 +10:00
Matt Palmer
329525bfa8
Allow auth-proxy to be fronted via a Unix socket
2019-06-10 08:09:35 +10:00
Saj Goonatilleke
d40dcddbdd
Allow SRV deadline to be configured at runtime
2019-05-15 23:34:49 +10:00
Saj Goonatilleke
ec51e302f5
Add support for optional request logging
...
This is a debugging aid only. The log format is not stable (and thus
not documented).
2019-05-15 21:26:35 +10:00
Saj Goonatilleke
c7a9ad814b
Ensure we never inadvertently whitelist an empty path
...
I cannot recall whether the Path field is guaranteed to be non-empty on
incoming Request values. When in doubt...
2019-05-15 21:26:08 +10:00
Saj Goonatilleke
c9b7e27f76
Move all this config gubbins out of the way
...
There are two distinct configuration layers in this program: the 'raw'
types provided by the flag library, and the 'validated' types we present
to the rest of the program. This commit makes that distinction clear,
and internalises some pointer muck from the flag lib.
2019-05-15 21:26:02 +10:00
Saj Goonatilleke
bdc39cee65
Fix tests
2019-05-15 17:44:44 +10:00
Saj Goonatilleke
33403daf59
Remove Ptr from identifier names
...
This is not customary in Go.
2019-05-15 17:13:43 +10:00
Saj Goonatilleke
d776ff7bcd
Optionally use DNS SRV records for origin discovery
2019-05-07 04:48:50 +10:00
Andrew Schleifer
0a8b276f34
code block
2018-09-21 15:46:30 +08:00
Andrew Schleifer
8bea12489d
option for whitelisted /path
2018-09-21 15:01:59 +08:00
Andrew Schleifer
deaf725bae
COPY to WORKDIR
...
deduplication
2018-09-21 15:01:59 +08:00
Andrew Schleifer
3931d81e78
define a WORKDIR
...
makes cache invalidation less likely
2018-09-21 15:01:59 +08:00
Andrew Schleifer
e2d47b0eec
copy file after building OS
...
that way changes to the source don't invalidate the cached layers
2018-09-21 15:01:58 +08:00
Andrew Schleifer
2ed757a038
new build regime
...
* use new makefile style, remove two previous build systems
* multi-stage build for the tiniest image
2018-09-21 15:01:58 +08:00
Guo Xiang Tan
70d2dbea5c
Update README.md
2018-09-14 14:50:06 +08:00
Rafael dos Santos Silva
15ab750172
FIX: Discourse groups now are in CSV format instead of an array
2018-07-23 22:48:33 -03:00
Matt Palmer
017810a752
Allow HTTP timeouts to be configurable
2017-11-22 09:05:10 +11:00
Matt Palmer
50495bc774
Don't push if the build failed
2017-11-22 09:01:32 +11:00
Matt Palmer
21ea40b9ba
More logging for basic auth support
...
Need to know where things go missing.
2017-11-10 12:24:42 +11:00
Matt Palmer
385c8aea44
Guard LRU cache against concurrent access
...
Our chosen LRU cache implementation is not, as it turns out, thread-safe.
So we need to cast mutexes around to make everything OK.
2017-10-31 17:18:59 +11:00
Rafael dos Santos Silva
66b01c7acb
Merge pull request #6 from discourse/groups_in_sso_provider
...
Feature: Group handling
2017-10-26 21:18:38 -02:00
Matt Palmer
8dcded8013
New build system
...
Far more idiomatic.
2017-10-27 09:52:38 +11:00
Rafael dos Santos Silva
22af9254a5
Feature: Group handling
2017-10-25 23:32:39 -02:00
Matt Palmer
2d8643d593
Don't panic if we don't find the nonce in the cache
2017-10-03 20:33:47 +11:00
Matt Palmer
febc3e4fe3
Support HTTP basic auth, allow username header name to be overridden
...
The big change here is to support an extremely limited form of HTTP basic
auth, for those situations when you've got some subset of requests coming in
which still need to be authenticated, but which aren't able to authenticate
via Discourse SSO. The intended use case is for webhooks and other
programmatic access methods. It is not intended to be a fully-featured HTTP
auth method (it only supports a single hard-coded user/password pair), but
instead an extremely simplistic "escape hatch".
If you need more complicated HTTP authentication, you probably want to
install nginx and do some crazy proxy chain games. Best of luck to you with
that.
To avoid getting in the way of the SSO flow, the HTTP authentication is done
"blind"; that is, a `WWW-Authenticate` is never sent in a response. This
may get up the nose of some user agents, however I can't see an easy way
around this.
Allowing the username header to be changed to something other than
Discourse-User-Name is a smaller change, needed to support third-party
software which looks for the authenticated username in a different header,
and which can't be overridden without a hammer and chisel.
2017-09-28 11:09:18 +10:00
Sam
cace4f18a6
Merge pull request #5 from soulshake/admin-only
...
Add -allow-all flag to grant auth-proxy access to non-admin users
2017-06-08 09:53:12 -04:00
AJ Bowen
b604480504
Invert admin restriction UX
2017-06-07 19:49:18 +02:00
AJ Bowen
abe0105423
Only restrict auth-proxy access to admin users if -admin-only flag is provided
2017-06-07 18:48:56 +02:00
Guo Xiang Tan
cfa7d348a2
Merge pull request #3 from tgxworld/google_code_has_shutdown
...
Replace package that is no longer available.
2016-07-19 11:21:04 +08:00
Guo Xiang Tan
524f0697de
Replace package that is no longer available.
2016-07-14 15:07:55 +08:00
Sam
774ddf4690
Merge pull request #2 from riking/patch-1
...
Update README with new usage, fix the build
2015-08-25 10:17:40 +10:00
Kane York
aeca145eda
Update README with new usage, fix the build
2015-08-24 17:10:27 -07:00
Sam
bae4b44a9c
Merge pull request #1 from riking/patch-1
...
Add support for separate listen & proxy URIs
2015-08-25 10:07:11 +10:00
Kane York
1a8ea2e630
Add diagram to README
2015-08-24 17:05:33 -07:00
Kane York
1535c15f98
Add support for separate listen & proxy URIs
2015-08-22 13:37:21 -07:00
Sam
253f4b5f89
update readme
2015-04-15 15:12:27 +10:00
Sam
d6a035edc2
correct demo
2015-04-15 15:10:58 +10:00
Sam
37ac0a471a
correct missing cookie behavior
2015-04-15 15:04:16 +10:00
Sam
8d5fcbee7f
wrapper scripts for launching
2015-04-15 14:55:20 +10:00
Sam
6171da53db
correct bug
2015-04-15 14:17:42 +10:00
Sam
7b3345bacc
improve build
2015-04-15 14:16:39 +10:00
Sam
31b15c200e
work in progress dockerfile
2015-04-15 14:02:33 +10:00
Sam
729f57a166
Initial commit
2015-04-15 13:18:18 +10:00