Deploy Oauth2 Proxy to App Service container
Create App Service container
-
Create Azure App Service with a container.
-
Use DockerHub registry and enter
mcr.microsoft.com/dotnet/samples:aspnetapp
as image. -
Wait until the app has been created
-
Open a browser and navigate to https://{your-app-service-name}.azurewebsites.net/.
-
You need to wait for a while until the website is ready. Then you will find an example ASP.NET Core MVC app.
-
In App Service panel, you can go to
Deployment Center
and clickLogs
to check all logs while launching a container.
Set some App Service configurations
- Set these configurations to your app service:
- WEBSITE_WEBDEPLOY_USE_SCM
- true
- WEBSITES_PORT
- 8000
- OAUTH2_CLIENT_ID
- You Google Oauth2 client ID
- OAUTH2_CLIENT_SECRET
- You Google Oauth2 client ID
- OAUTH2_REDIRECT_URL
- You public website redirect URL
- It is usually in this pattern: https://{your-app-service-name}.azurewebsites.net/oauth2/callback
- WEBSITE_WEBDEPLOY_USE_SCM
Create Azure Container Register (ACR) and get a username and password
- Create a new Azure Container Registry with basic type.
- Wait until your container registry has been created.
- In container registry panel, go to Access keys and enable admin user.
- You will find username and password that we will for GitHub secret values.
Create GitHub secret
- Download a publish profile from your App Service on overview page and use it a value of AZURE_WEBAPP_CONTAINER_PUBLISH_PROFILE secret.
- Create these GitHub secrets with their values:
- AZURE_WEBAPP_CONTAINER_PUBLISH_PROFILE
- AZURE_WEBAPP_NAME
- It is your app service name only without https:// and azurewebsites.net.
- LOGIN_SERVER
- Full name of your Azure Container Register without schema e.g. {your-acr}-azurecr.io
- REGISTRY_USERNAME
- Your Azure Container Register username
- REGISTRY_PASSWORD
- Your Azure Container Register password
Create Google credential
Example of Dockerfile
FROM node:12-alpineEXPOSE 8000WORKDIR /app
RUN npm install -g serve
# Oauth2 Proxy executable binary fileCOPY oauth2-proxy ./RUN chmod +x oauth2-proxy
COPY ./entrypoint.sh ./RUN chmod +x entrypoint.sh
COPY ./oauth_config.cfg ./COPY ./index.html ./COPY ./authenticated-emails-list.txt ./
ENTRYPOINT ["./entrypoint.sh"]
- index.html can be other HTML source files for a website that you want to protect by Google authentication
Example of Oauth2 Proxy configuration
http_address = "0.0.0.0:8000"upstreams = [ "http://127.0.0.1:3000/"]
cookie_name = "_oauth2_proxy"# Generate with Python command# python -c 'import os,base64; print(base64.urlsafe_b64encode(os.urandom(16)).decode())'cookie_secret = "OkbN-4LP4kf8kQoupLmkHA=="
# https://github.com/oauth2-proxy/oauth2-proxy/issues/73#issuecomment-466667048authenticated_emails_file = "./authenticated-emails-list.txt"
# https://github.com/bitly/oauth2_proxy/issues/492cookie_secure = false
Example of entrypoint.sh
#!/bin/sh
# Run two services./oauth2-proxy --client-id $OAUTH2_CLIENT_ID --client-secret $OAUTH2_CLIENT_SECRET --redirect-url $OAUTH2_REDIRECT_URL --config "./oauth_config.cfg" &serve --listen 3000 --no-clipboard .
Example of authenticated-emails-list.txt
- authenticated-emails-list.txt
Example of GitHubActions
name: Deploy protected content with Oauth2 Proxyon: push: branches: - main
env: NODE_VERSION: 12.x # Set the Node.js version to use. DOCKER_IMAGE: ${{ secrets.LOGIN_SERVER }}/oauth2-proxy:${{ github.sha }}
jobs: deploy: name: Deploy protected content # Find more virtual environment. https://github.com/actions/virtual-environments runs-on: ubuntu-18.04 steps: - name: Checkout the latest source code from the current branch uses: actions/checkout@v2
- uses: azure/docker-login@v1 with: login-server: ${{ secrets.LOGIN_SERVER }} username: ${{ secrets.REGISTRY_USERNAME }} password: ${{ secrets.REGISTRY_PASSWORD }}
- name: Push a new image to container registry run: | docker build . --tag ${{ env.DOCKER_IMAGE }} docker push ${{ env.DOCKER_IMAGE }}
# Before downloading a publish profile, make sure that you have set WEBSITE_WEBDEPLOY_USE_SCM # in App Service Configuration to true # configure port number # https://docs.microsoft.com/en-us/azure/app-service/configure-custom-container?pivots=container-linux#configure-port-number # WEBSITES_PORT - uses: azure/webapps-deploy@v2 with: app-name: ${{ secrets.AZURE_WEBAPP_NAME }} publish-profile: ${{ secrets.AZURE_WEBAPP_CONTAINER_PUBLISH_PROFILE }} images: ${{ env.DOCKER_IMAGE }}
Trigger GitHub Actions
- Go to GitHub Action tab and enable it
- Create new commit and push the project to the main branch
- Go to GitHub and check Actions tab and wait until all workflow jobs/steps are successful.
Update App Service to use an image from Azure Container Registry
- Go to App Service panel in Azure portal.
- Click
Deployment Center
and clickSettings
tab. - Change Registry source to
Azure Container Registry
. - Select your image and tag that built from GitHub Actions.
- Open a browser and navigate to your website https://{your-website-name}.azurewebsites.net/
- You should find Oauth2 Proxy protection on your home page.
- Log in with your allowed email in authenticated-emails-list.txt.
- After you have logged in with Google, you will be redirected to a home page and see a protected content.
Credit
- Sirinat Oam Paphatsirinatthi - KubeOps Skills