
I am setting up oauth2-proxy (https://github.com/oauth2-proxy/oauth2-proxy) in front of another application which cannot provide A&A on its own.

  • A Keycloak OIDC provider is configured for identity management.
  • In the final state the app will run on K8s as a pod sidecar that should add authentication to the app container in the pod. But I think this does not matter at the moment.
  • At the moment all of it is configured to run on localhost.

The "experiment" is running on top of a docker-compose file:

version: "3.7"
services:
  oauth2-proxy:
    image: quay.io/oauth2-proxy/oauth2-proxy:v7.2.0
    ports:
      - 4180:4180
    environment:
      OAUTH2_PROXY_PROVIDER: keycloak-oidc
      OAUTH2_PROXY_CLIENT_ID: changeme
      OAUTH2_PROXY_CLIENT_SECRET: changeme
      OAUTH2_PROXY_OIDC_ISSUER_URL: https://<keycloak-host>/auth/realms/operations
      OAUTH2_PROXY_UPSTREAMS: "http://localhost:4440"
      OAUTH2_PROXY_COOKIE_SECRET: q_6A1CtSYFi-GK9crHCKszRxQ2g9op7-DZ6ShUbzoyc=
      OAUTH2_PROXY_COOKIE_DOMAINN: "http://localhost:4180"
      OAUTH2_PROXY_EMAIL_DOMAINS: "*"
      OAUTH2_PROXY_SSL_UPSTREAM_INSECURE_SKIP_VERIFY: "true"
      OAUTH2_PROXY_SSL_INSECURE_SKIP_VERIFY: "true"
      OAUTH2_PROXY_ERRORS_TO_INFO_LOG: "true"
      OAUTH2_PROXY_REDIRECT_URL: "http://localhost:4180/oauth2/callback"
      OAUTH2_PROXY_HTTP_ADDRESS: http://:4180
  whoami:
    image: containous/whoami
    ports:
      - 4440:80

Whenever I issue a call to http://localhost:4180/, I am able to authenticate myself at the Keycloak IDP. Unfortunately, the oauth2-proxy is not able to forward the traffic afterwards to my configured upstream app, stating Connection refused. No TLS setup is involved.

Logs:

Docker Compose is now in the Docker CLI, try `docker compose up`

Starting oauth2-proxy_whoami_1       ... done
Starting oauth2-proxy_oauth2-proxy_1 ... done
Attaching to oauth2-proxy_whoami_1, oauth2-proxy_oauth2-proxy_1
whoami_1        | Starting up on port 80
oauth2-proxy_1  | [2021/10/29 12:36:08] [proxy.go:89] mapping path "/" => upstream "http://localhost:4440"
oauth2-proxy_1  | [2021/10/29 12:36:08] [oauthproxy.go:148] OAuthProxy configured for Keycloak OIDC Client ID: changeme
oauth2-proxy_1  | [2021/10/29 12:36:08] [oauthproxy.go:154] Cookie settings: name:_oauth2_proxy secure(https):false httponly:true expiry:168h0m0s domains: path:/ samesite: refresh:disabled
oauth2-proxy_1  | [2021/10/29 12:36:13] [error_page.go:93] Error proxying to upstream server: dial tcp 127.0.0.1:4440: connect: connection refused
oauth2-proxy_1  | 172.22.0.1 - ae2cb8ba-e1d5-4664-8ba7-6c42e1795235 - <mymail> [2021/10/29 12:36:13] localhost:4180 GET / "/" HTTP/1.1 "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.54 Safari/537.36" 502 2303 0.011

When I access `http://localhost:4440` directly, everything works fine.

Thanks for any helping hand / comment.

Marian

1 Answer


Please try:

OAUTH2_PROXY_UPSTREAMS: "http://whoami"
Delta George
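The reason the answer works: in Docker Compose every service gets its own network namespace, so `localhost` inside the oauth2-proxy container is the proxy container itself, not the host and not the whoami container. Services reach each other by service name on the compose network, using the container port (80), not the host-published port (4440). The corrected compose file below is an added example, not part of the question or answer; it also drops the `ports:` entry on whoami, because the original file publishes the app on host port 4440, where it can be reached directly without ever passing through the proxy (exactly what the question confirms when it says accessing 4440 directly "works fine").

```yaml
version: "3.7"
services:
  oauth2-proxy:
    image: quay.io/oauth2-proxy/oauth2-proxy:v7.2.0
    ports:
      - 4180:4180                   # the only port published on the host
    environment:
      OAUTH2_PROXY_PROVIDER: keycloak-oidc
      OAUTH2_PROXY_CLIENT_ID: changeme
      OAUTH2_PROXY_CLIENT_SECRET: changeme
      OAUTH2_PROXY_OIDC_ISSUER_URL: https://<keycloak-host>/auth/realms/operations
      # compose service name + container port, resolved by Compose's embedded DNS;
      # "http://localhost:4440" would point back into the proxy's own container
      OAUTH2_PROXY_UPSTREAMS: "http://whoami:80"
      OAUTH2_PROXY_COOKIE_SECRET: q_6A1CtSYFi-GK9crHCKszRxQ2g9op7-DZ6ShUbzoyc=
      OAUTH2_PROXY_EMAIL_DOMAINS: "*"
      OAUTH2_PROXY_ERRORS_TO_INFO_LOG: "true"
      OAUTH2_PROXY_REDIRECT_URL: "http://localhost:4180/oauth2/callback"
      OAUTH2_PROXY_HTTP_ADDRESS: http://:4180
    depends_on:
      - whoami
  whoami:
    image: containous/whoami
    # no "ports:" entry: whoami is reachable only on the internal compose
    # network, so every request has to go through oauth2-proxy on 4180
```

For the eventual Kubernetes sidecar setup the situation is reversed: containers in one pod share a network namespace, so there `http://localhost:<app-port>` is the correct upstream, and the app container should simply not be exposed by any Service of its own.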