From f22bf3c563765aec8bef547cd05d85b84c4a06a8 Mon Sep 17 00:00:00 2001
From: jlssmt
Date: Sat, 23 Aug 2025 15:57:35 +0200
Subject: [PATCH] add oauth2-proxy
---
 .../nginx/oauth2-proxy-location.conf.sample | 41 +++++++++++++++++++
 .../nginx/oauth2-proxy-server.conf.sample | 29 +++++++++++++
 .../nginx/site-confs/default.conf.sample | 20 ++++++++-
 .../s6-overlay/s6-rc.d/init-swag-config/run | 8 ++++
 4 files changed, 97 insertions(+), 1 deletion(-)
 create mode 100644 root/defaults/nginx/oauth2-proxy-location.conf.sample
 create mode 100644 root/defaults/nginx/oauth2-proxy-server.conf.sample
diff --git a/root/defaults/nginx/oauth2-proxy-location.conf.sample b/root/defaults/nginx/oauth2-proxy-location.conf.sample
new file mode 100644
index 00000000..9ad9bf0b
--- /dev/null
+++ b/root/defaults/nginx/oauth2-proxy-location.conf.sample
@@ -0,0 +1,41 @@
+## Version 2025/08/23 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/nginx/oauth2-proxy-location.conf.sample
+# Make sure that your oauth2-proxy container is in the same user defined bridge network and is named oauth2-proxy
+
+auth_request /oauth2/auth;
+error_page 401 =302 /oauth2/sign_in;
+
+# pass information via X-User and X-Email headers to backend,
+# requires running with --set-xauthrequest flag
+auth_request_set $user $upstream_http_x_auth_request_user;
+auth_request_set $email $upstream_http_x_auth_request_email;
+auth_request_set $groups $upstream_http_x_auth_request_groups;
+proxy_set_header X-User $user;
+proxy_set_header X-Email $email;
+proxy_set_header X-Groups $groups;
+
+# if you enabled --pass-access-token, this will pass the token to the backend
+auth_request_set $token $upstream_http_x_auth_request_access_token;
+proxy_set_header X-Access-Token $token;
+
+# if you enabled --cookie-refresh, this is needed for it to work with auth_request
+auth_request_set $auth_cookie $upstream_http_set_cookie;
+add_header Set-Cookie $auth_cookie;
+
+# When using the --set-authorization-header flag, some provider's cookies can exceed the 4kb
+# limit and so the OAuth2 Proxy splits these into multiple parts.
+# Nginx normally only copies the first `Set-Cookie` header from the auth_request to the response,
+# so if your cookies are larger than 4kb, you will need to extract additional cookies manually.
+auth_request_set $auth_cookie_name_upstream_1 $upstream_cookie_auth_cookie_name_1;
+
+# Extract the Cookie attributes from the first Set-Cookie header and append them
+# to the second part ($upstream_cookie_* variables only contain the raw cookie content)
+if ($auth_cookie ~* "(; .*)") {
+ set $auth_cookie_name_0 $auth_cookie;
+ set $auth_cookie_name_1 "auth_cookie_name_1=$auth_cookie_name_upstream_1$1";
+}
+
+# Send both Set-Cookie headers now if there was a second part
+if ($auth_cookie_name_upstream_1) {
+ add_header Set-Cookie $auth_cookie_name_0;
+ add_header Set-Cookie $auth_cookie_name_1;
+}
diff --git a/root/defaults/nginx/oauth2-proxy-server.conf.sample b/root/defaults/nginx/oauth2-proxy-server.conf.sample
new file mode 100644
index 00000000..809a7979
--- /dev/null
+++ b/root/defaults/nginx/oauth2-proxy-server.conf.sample
@@ -0,0 +1,29 @@
+## Version 2025/08/23 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/nginx/oauth2-proxy-server.conf.sample
+# Make sure that your oauth2-proxy container is in the same user defined bridge network and is named oauth2-proxy
+
+location /oauth2/ {
+ include /config/nginx/resolver.conf;
+ set $upstream_oauth2_proxy oauth2-proxy;
+ proxy_pass http://$upstream_oauth2_proxy:4180;
+
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Auth-Request-Redirect $request_uri;
+ # or, if you are handling multiple domains:
+ # proxy_set_header X-Auth-Request-Redirect $scheme://$host$request_uri;
+}
+
+location = /oauth2/auth {
+ internal;
+
+ include /config/nginx/resolver.conf;
+ set $upstream_oauth2_proxy oauth2-proxy;
+ proxy_pass http://$upstream_oauth2_proxy:4180;
+
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-Uri $request_uri;
+ # nginx auth_request includes headers but not body
+ proxy_set_header Content-Length "";
+ proxy_pass_request_body off;
+}
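Review bot: The cookie-splitting block at the end of the hunk is keyed to a literal cookie name, `auth_cookie_name`, both in `$upstream_cookie_auth_cookie_name_1` and in the `set $auth_cookie_name_1 "auth_cookie_name_1=..."` line, so as shipped it only does anything when oauth2-proxy runs with `--cookie-name auth_cookie_name`; with any other name the variable stays empty, the second cookie part is silently dropped, and a user whose session cookie exceeds 4kb will most likely land in a redirect loop. The comment above that line should say so explicitly, e.g. `# Replace auth_cookie_name in the two lines below with your oauth2-proxy --cookie-name value (the default is _oauth2_proxy)`. A second caveat worth a comment on the `add_header Set-Cookie $auth_cookie;` line: an `add_header` inside a location stops that location inheriting `add_header` directives set at server or http level, so any security headers configured there are no longer emitted for protected locations unless they are repeated here.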
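Review bot: `location /oauth2/` forwards only `Host`, `X-Real-IP` and `X-Auth-Request-Redirect` to oauth2-proxy over plain http, so the proxy cannot tell that the client arrived over TLS; unless `--redirect-url` is pinned, oauth2-proxy started with `--reverse-proxy` relies on the forwarded scheme to build an https redirect URI, so I would add `proxy_set_header X-Forwarded-Proto $scheme;` (or include SWAG's `/config/nginx/proxy.conf`, which I believe the sibling samples do) alongside the existing headers. I would also put `auth_request off;` as the first directive in `location /oauth2/`, so the sign-in and callback endpoints can never be gated by an `auth_request` inherited from the server block if a user places the location snippet there instead of inside `location /`.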
diff --git a/root/defaults/nginx/site-confs/default.conf.sample b/root/defaults/nginx/site-confs/default.conf.sample index e2404967..7b15637e 100644 --- a/root/defaults/nginx/site-confs/default.conf.sample +++ b/root/defaults/nginx/site-confs/default.conf.sample @@ -1,4 +1,4 @@ -## Version 2025/07/18 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/nginx/site-confs/default.conf.sample +## Version 2025/08/23 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/nginx/site-confs/default.conf.sample # redirect all traffic to https server { @@ -36,6 +36,12 @@ server { # enable for Authentik (requires authentik-location.conf in the location block) #include /config/nginx/authentik-server.conf; + # enable for OAuth2 Proxy (requires oauth2-proxy-location.conf in the location block) + #include /config/nginx/oauth2-proxy-server.conf; + + # enable for Tinyauth (requires tinyauth-location.conf in the location block) + #include /config/nginx/tinyauth-server.conf; + location / { # enable for basic auth #auth_basic "Restricted"; @@ -50,6 +56,12 @@ server { # enable for Authentik (requires authentik-server.conf in the server block) #include /config/nginx/authentik-location.conf; + # enable for OAuth2 Proxy (requires oauth2-proxy-server.conf in the server block) + #include /config/nginx/oauth2-proxy-location.conf; + + # enable for Tinyauth (requires tinyauth-server.conf in the server block) + #include /config/nginx/tinyauth-location.conf; + try_files $uri $uri/ /index.html /index.htm /index.php$is_args$args; } 
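Review bot: The Tinyauth include comments added next to the OAuth2 Proxy ones in the `@@ -36,6 +36,12 @@` hunk, the `@@ -50,6 +56,12 @@` hunk and the `@@ -67,6 +79,12 @@` hunk are outside the commit's stated scope (`add oauth2-proxy`) and are not mentioned in the message; either note them in the description or split them into their own commit so the changelog link in the file header points at an accurate history. The OAuth2 Proxy lines themselves follow the existing Authentik comment pattern, and the "requires ... in the server block / location block" cross-references match the two new sample files.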
@@ -67,6 +79,12 @@ server { # enable for Authentik (requires authentik-server.conf in the server block) #include /config/nginx/authentik-location.conf; + # enable for OAuth2 Proxy (requires oauth2-proxy-server.conf in the server block) + #include /config/nginx/oauth2-proxy-location.conf; + + # enable for Tinyauth (requires tinyauth-server.conf in the server block) + #include /config/nginx/tinyauth-location.conf; + fastcgi_split_path_info ^(.+\.php)(.*)$; if (!-f $document_root$fastcgi_script_name) { return 404; } fastcgi_pass 127.0.0.1:9000; diff --git a/root/etc/s6-overlay/s6-rc.d/init-swag-config/run b/root/etc/s6-overlay/s6-rc.d/init-swag-config/run index b28d279b..1616b6a1 100755 --- a/root/etc/s6-overlay/s6-rc.d/init-swag-config/run +++ b/root/etc/s6-overlay/s6-rc.d/init-swag-config/run @@ -30,6 +30,14 @@ if [[ ! -f /config/nginx/tinyauth-server.conf ]]; then cp /defaults/nginx/tinyauth-server.conf.sample /config/nginx/tinyauth-server.conf fi +# copy oauth2-proxy config files if they don't exist +if [[ ! -f /config/nginx/oauth2-proxy-location.conf ]]; then + cp /defaults/nginx/oauth2-proxy-location.conf.sample /config/nginx/oauth2-proxy-location.conf +fi +if [[ ! -f /config/nginx/oauth2-proxy-server.conf ]]; then + cp /defaults/nginx/oauth2-proxy-server.conf.sample /config/nginx/oauth2-proxy-server.conf +fi + # copy old ldap config file to new location if [[ -f /config/nginx/ldap.conf ]] && [[ ! -f /config/nginx/ldap-server.conf ]]; then cp /config/nginx/ldap.conf /config/nginx/ldap-server.conf