TLS should be enabled by default using lets encrypt via the ACME protocol.
Basically what caddy is doing (we currently have caddy in front of oauth2-proxy)
https://caddyserver.com/docs/automatic-https
Thanks - oauth2-proxy is fantastic!
Thanks 馃槉
I'm tempted to say this is a bit of scope creep from the core goals of the project.
I don't want to reinvent the wheel around this in lieu of other features when the primary platforms of OAuth2-Proxy (Kubernetes, cloud native, etc) have built in mechanisms already to get OAuth2-Proxy the keys/certs it needs pretty easily.
I hadn't really dug into ACME protocol myself though, so thanks for the reference. I'm happy to be convinced if my initial take on its benefits is off base.
I would also lean towards this being scope creep for the project.
While it would be nice to make it easy for people to run ACME themselves for acquiring certs directly in the proxy, there are solutions for this that can be used relatively easily with OAuth2 Proxy already (Eg certbot, cert-manager, caddy) and I would suggest it's better for users to use a combination of smaller focused projects than one big project that tries to do everything but likely does things less well as a result
It will not necessarily be a big effort if we use a ready-made library that implements this protocol,
https://go-acme.github.io/lego/usage/library/
Perhaps we should revisit this at the point where we introduce structured config. One of my concerns about this is the potential to add yet another 8 flags or so to provide all the configuration required to do this
There's going to be a pressure between wanting to add lots of features to oauth2_proxy, and those that want to use a minimally functional oauth2_proxy and consider extra unneeded features just security risks. I understand the former, but I'm usually in the latter category. I deploy in Kubernetes with Cert-Manager so there isn't any need for this feature in that environment.
Cert-Manager and Certbot are complicated code bases so I'd not recommend including it in oauth2_proxy except maybe as a compile in option. Perhaps two builds, one with certbot or a go-acme library embedded and one without? Or perhaps, just a good tutorial on how to deploy certbot with oauth2_proxy set to proxy to certbot?
Either way, it would be very appreciated to keep a build that has the minimum functionality to do oauth2_proxying in environments where that is the only function needed.