[PR #433] [MERGED] Add the ability to secure proxy hosts with OpenID Connect #3247

Closed · opened 2026-02-26 07:38:36 +03:00 by kerem (Owner) · 0 comments

📋 Pull Request Information

Original PR: https://github.com/NginxProxyManager/nginx-proxy-manager/pull/433
Author: @Subv
Created: 5/29/2020
Status: Merged
Merged: 6/8/2020
Merged by: @jc21

Base: openidc ← Head: oidc


📝 Commits (10+)

  • 46a2911 Add UI tab for specifying OpenID Connect options for proxy hosts.
  • 102571f Add database columns to store OpenID Connect information for Proxy Hosts.
  • a2992ae Use OpenResty instead of plain nginx to support OpenID Connect authorization.
  • 69b56ae Add a field to specify a list of allowed emails when using OpenID Connect auth.
  • 5a41fe9 Allow limiting OpenID Connect auth to a list of users.
  • 8e1bfe5 Manually set the default values for the OpenID Connect columns.
  • 4428b52 Fix conditionals in the liquid template for OpenID Connect conf.
  • 878e164 Updated the docs to add a section about OpenID Connect
  • fe280a3 Use localized strings for the OpenID Connect texts.
  • 9ee912b OpenIDC: Trigger the change event of the "restrict users" toggle when enabling/disabling oidc.

📊 Changes

15 files changed (+495 additions, -5 deletions)


➕ backend/migrations/20200522113248_openid_connect.js (+48 -0)
➕ backend/migrations/20200522144240_openid_allowed_users.js (+40 -0)
➕ backend/migrations/20200523114256_openid_default_values.js (+36 -0)
📝 backend/models/proxy_host.js (+12 -1)
📝 backend/schema/definitions.json (+37 -0)
📝 backend/schema/endpoints/proxy-hosts.json (+96 -0)
➕ backend/templates/_openid_connect.conf (+47 -0)
📝 backend/templates/proxy_host.conf (+2 -0)
📝 docker/Dockerfile (+1 -1)
📝 docker/rootfs/etc/nginx/nginx.conf (+10 -0)
📝 docs/advanced-config/README.md (+23 -0)
📝 frontend/js/app/nginx/proxy/form.ejs (+66 -0)
📝 frontend/js/app/nginx/proxy/form.js (+59 -2)
📝 frontend/js/i18n/messages.json (+10 -1)
📝 frontend/js/models/proxy-host.js (+8 -0)

📄 Description

What is this?

This PR implements OpenID Connect authentication for proxy hosts using the lua-resty-openidc library, now that NPM uses OpenResty instead of vanilla nginx.

What is OpenID Connect?

OpenID Connect is an identity layer on top of OAuth2 that lets you do Single Sign-On (SSO) using an identity provider (IdP) like Azure AD or Keycloak.

How does this benefit me as an NPM user?

You will now be able to restrict access to your proxy hosts only to users who can successfully authenticate with the IdP. For example, only allow users in your Azure Active Directory to access your internal-tool.example.com subdomain.

Work in progress

I would like to ask for some help with the UI layout, it currently looks kind of out of place (screenshots below).

Future improvements

These are things that could be improved upon but will probably be added in a separate PR.

  • [ ] Allow specifying additional scopes for the auth request instead of hardcoding openid email profile.
  • [ ] Allow specifying extra id_token claims to pass to the backend application, or maybe simply forward the entire id_token.
  • [ ] Support manually specifying the OpenID Connect endpoints when the discovery endpoint is not known or does not exist.
  • [ ] Support other token auth methods; currently only client_secret_post and client_secret_basic are supported.
  • [ ] Support public clients that do not require a client secret.
  • [ ] Add a visual indicator to the proxy lists to tell at a glance which hosts have OpenID Connect enabled.

Related issues

  • #313
  • #205
  • #177
  • #69

How to use it

You will need a few things to get started with OpenID Connect:

  • A registered application with your identity provider; they will provide you with a Client ID and a Client Secret. Public OpenID Connect applications (without a client secret) are not yet supported.

  • A redirect URL to send the users to after they log in with the identity provider. This can be any unused URL under the proxy host, like https://<proxy host url>/private/callback; the server will take care of capturing that URL and redirecting you to the proxy host root. You will need to add this URL to the list of allowed redirect URLs for the application you registered with your identity provider.

  • The well-known discovery endpoint of the identity provider you want to use. This is a URL, usually of the form https://<provider URL>/.well-known/openid-configuration.

After you have all this you can proceed to configure the proxy host with OpenID Connect authentication.

You can also add some rudimentary access control through a list of allowed emails, in case your identity provider doesn't let you do that. If this option is enabled, any email not on that list will be denied access to the proxied host.

The proxy adds some headers based on the authentication result from the identity provider:

  • X-OIDC-SUB: The subject identifier, according to the OpenID Connect spec: A locally unique and never reassigned identifier within the Issuer for the End-User.
  • X-OIDC-EMAIL: The email of the user that logged in, as specified in the id_token returned from the identity provider. The same value that will be checked for the email whitelist.
  • X-OIDC-NAME: The user's name claim from the id_token, please note that not all id tokens necessarily contain this claim.

Screenshots

(Three screenshots of the new OpenID Connect tab in the proxy host form)


🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.
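The OpenResty side of the flow the description walks through (discovery endpoint, client credentials, a callback URL under the proxy host, the email allow-list and the X-OIDC-* headers), as an added example that is not the PR's `_openid_connect.conf` template nor the config NPM generates. It is a hand-written server block using the same lua-resty-openidc library the PR relies on; the hostnames, client ID, secret placeholders, allowed emails, upstream address and the Docker DNS resolver address are assumptions.

```nginx
# http {} context: caches for discovery/JWKS and TLS trust for the Lua HTTPS client.
lua_shared_dict discovery 1m;
lua_shared_dict jwks      1m;
lua_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
lua_ssl_verify_depth 5;
resolver 127.0.0.11 valid=30s;          # assumed: Docker's embedded DNS

server {
    listen 443 ssl;
    server_name internal-tool.example.com;   # assumed proxy host
    # ssl_certificate / ssl_certificate_key omitted for brevity

    # lua-resty-session (the v2/v3 series lua-resty-openidc used in 2020) reads its
    # settings from these variables. Use a random secret of at least 32 characters:
    # a guessable value lets anyone forge the session cookie and skip the IdP entirely.
    set $session_secret          "REPLACE-WITH-32-RANDOM-CHARS";   # assumed placeholder
    set $session_cookie_secure   on;
    set $session_cookie_httponly on;
    set $session_cookie_samesite Lax;

    # One location covers both the application and the callback path, so the
    # access phase below also sees the IdP's redirect to /private/callback.
    location / {
        access_by_lua_block {
            local openidc = require("resty.openidc")

            local opts = {
                -- Must exactly match a redirect URI registered with the IdP.
                redirect_uri  = "https://internal-tool.example.com/private/callback",
                discovery     = "https://idp.example.com/.well-known/openid-configuration",  -- assumed IdP
                client_id     = "internal-tool",                     -- assumed
                client_secret = "REPLACE-WITH-CLIENT-SECRET",        -- assumed placeholder
                scope         = "openid email profile",
                token_endpoint_auth_method = "client_secret_post",   -- or client_secret_basic
                ssl_verify    = "yes",   -- verify the IdP certificate; "no" turns that off
            }

            -- authenticate() redirects browsers without a session to the IdP and
            -- returns only once a valid session exists (or on error).
            local res, err = openidc.authenticate(opts)
            if err then
                ngx.log(ngx.ERR, "oidc: ", err)
                return ngx.exit(ngx.HTTP_INTERNAL_SERVER_ERROR)
            end

            -- Rudimentary allow-list, matched case-insensitively. The email claim is
            -- in the id_token for most IdPs; fall back to the userinfo response.
            local allowed = {            -- assumed list
                ["alice@example.com"] = true,
                ["bob@example.com"]   = true,
            }
            local email = res.id_token.email or (res.user and res.user.email)
            -- When the IdP says the address is unverified, do not let it match.
            if res.id_token.email_verified == false then
                email = nil
            end
            if not email or not allowed[string.lower(email)] then
                ngx.log(ngx.WARN, "oidc: denied sub=", tostring(res.id_token.sub),
                        " email=", tostring(email))
                return ngx.exit(ngx.HTTP_FORBIDDEN)
            end

            -- set_header replaces any X-OIDC-* header the client sent, so the
            -- upstream cannot be fed spoofed values as long as it is reachable
            -- only through this proxy. Clear the optional one instead of sending "".
            ngx.req.set_header("X-OIDC-SUB",   res.id_token.sub)
            ngx.req.set_header("X-OIDC-EMAIL", email)
            if res.id_token.name then
                ngx.req.set_header("X-OIDC-NAME", res.id_token.name)
            else
                ngx.req.clear_header("X-OIDC-NAME")
            end
        }

        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_pass http://10.0.0.5:8080;   # assumed upstream
    }
}
```

This only works under OpenResty, not stock nginx, which is why the commit list swaps the base image. Older lua-resty-openidc releases take `redirect_uri_path` (a path) instead of `redirect_uri` (a full URL), so check the version shipped in the image. Because the callback path is recognised inside `authenticate()`, the redirect URL must fall under a location that runs this access phase; a callback under a location without it is simply passed to the upstream.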
