Same setup as in How-to: Nginx-UI on OpenWRT without Building (r/linux, reddit.com). I'm planning out an ingress VM for Proxmox based on OpenWRT. So, in my last post I set up a reverse proxy with a proxy manager. Let's make this ingress controller cooler by adding OAuth2-proxy.
In order to set up OAuth, we need an Identity Provider. For this, we will be installing Keycloak as well.
OAuth2-proxy requires golang and Keycloak requires OpenJDK 17. OpenWRT's package repository includes golang. However, it does not include Java. A further challenge is that OpenWRT uses musl instead of glibc, which means most OpenJDK builds are incompatible with OpenWRT.
Most OpenJDK builds link against glibc, so we need a build of OpenJDK that targets musl instead. The good news is that OpenWRT is not the only platform built on musl: Alpine Linux also uses musl, so we can just use the Alpine builds, which Azul provides at https://www.azul.com/downloads/?os=alpine-linux.
Since golang is already packaged for OpenWRT, you can just use the following to install it (pretty easy):
```sh
opkg update
opkg install golang
```
For Java, we will have to install the tar.gz file manually.
```sh
cd $(mktemp -d)

# update this command as needed
# see: https://www.azul.com/downloads/?os=alpine-linux
wget \
  https://cdn.azul.com/zulu/bin/zulu22.28.91-ca-jre22.0.0-linux_musl_x64.tar.gz \
  -O jre.tar.gz

# extract
mkdir jre
tar -xzvf jre.tar.gz -C ./jre

# install
mkdir -p /usr/lib/jvm/
cp -R ./jre/zulu*/* /usr/lib/jvm/

# "chmod +x" any files as needed
# - these are executable by default, but in case not, the binaries are in /usr/lib/jvm/bin

# add to PATH
# (single quotes so $PATH is expanded at login time, not baked in now)
echo 'PATH="/usr/lib/jvm/bin:$PATH"' >> /etc/profile
export PATH="/usr/lib/jvm/bin:$PATH"

java --version
# Output:
# openjdk 22 2024-03-19
# OpenJDK Runtime Environment Zulu22.28+91-CA (build 22+36)
# OpenJDK 64-Bit Server VM Zulu22.28+91-CA (build 22+36, mixed mode, sharing)
```
This install portion will be pretty easy, because we can use `go install`. See https://github.com/oauth2-proxy/oauth2-proxy for additional methods.
```sh
go install github.com/oauth2-proxy/oauth2-proxy/v7@latest
```
OAuth2-Proxy will need an identity provider. For demonstration purposes, we will be installing and using Keycloak directly on the router. However, you can use a different provider running on separate infrastructure, if you like. See https://oauth2-proxy.github.io/oauth2-proxy/configuration/providers/ for additional providers.
```sh
# opkg update && opkg install unzip   # as needed
cd $(mktemp -d)

# update this command as needed
# see: https://www.keycloak.org/downloads
wget \
  https://github.com/keycloak/keycloak/releases/download/24.0.2/keycloak-24.0.2.tar.gz \
  -O keycloak.tar.gz

# extract
mkdir keycloak
tar -xzvf keycloak.tar.gz -C ./keycloak

# Since Keycloak is "optional-ware", we will install it to /opt
mkdir -p /opt/keycloak
cp -R ./keycloak/keycloak*/* /opt/keycloak

# "chmod +x" any files as needed
# - these are executable by default, but in case not, the binaries and scripts are in /opt/keycloak/bin

# add to PATH (optional)
# echo 'PATH="/opt/keycloak/bin:$PATH"' >> /etc/profile
# export PATH="/opt/keycloak/bin:$PATH"

/opt/keycloak/bin/kc.sh
# Output should show you the Keycloak Cluster build command help info
```
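Both of the manual installs above (the Azul JRE and the Keycloak tarball) download an archive over HTTPS and copy it straight into the system as root. Azul and Keycloak publish SHA-256 checksums next to their downloads, and checking the archive against that value before extracting it closes the gap where a tampered or corrupted download silently becomes your Java runtime or your identity provider. The script below is an added example and not code from the original post or from either project: `verify_sha256`, `install_tarball` and `make_sample_tarball` are names chosen here, the expected digest is something you paste in from the vendor page, and it only needs the busybox `sha256sum`, `tar`, `cp` and `mktemp` that OpenWRT ships. The sample tarball it builds is a constructed stand-in shaped like the vendor archives (one versioned top-level directory with a `bin/`), so the functions can be exercised offline.

```shell
#!/bin/sh
# Added example (not from the original post): verify a vendor tarball's SHA-256
# before extracting it into /usr/lib/jvm or /opt/keycloak. EXPECTED_HEX is the
# checksum copied from the vendor's download page. Function names and layout are
# this example's own choices; only busybox sha256sum, tar, cp and mktemp are used.

# verify_sha256 FILE EXPECTED_HEX -> exit 0 if the digest matches, 1 otherwise
verify_sha256() {
    actual=$(sha256sum "$1" | cut -d' ' -f1)
    [ "$actual" = "$2" ]
}

# install_tarball FILE EXPECTED_HEX DEST
#   Extract the contents of the tarball's single top-level directory (e.g.
#   zulu22.28.91-ca-jre22.0.0-linux_musl_x64/ or keycloak-24.0.2/) into DEST.
#   DEST is neither created nor touched when the checksum does not match.
install_tarball() {
    file="$1"; expected="$2"; dest="$3"
    if ! verify_sha256 "$file" "$expected"; then
        echo "checksum mismatch for $file, refusing to install" >&2
        return 1
    fi
    work=$(mktemp -d) || return 1
    tar -xzf "$file" -C "$work" || { rm -rf "$work"; return 1; }
    mkdir -p "$dest"
    # the vendor archives wrap everything in one versioned directory;
    # "/." copies its contents (dotfiles included) rather than the directory itself
    cp -R "$work"/*/. "$dest"/
    rm -rf "$work"
}

# make_sample_tarball DIR -> prints the path of a constructed stand-in tarball
#   shaped like the vendor archives (one versioned top directory with a bin/),
#   so the functions above can be exercised without a network connection.
make_sample_tarball() {
    mkdir -p "$1/src/sample-jre-1.0/bin"
    printf '#!/bin/sh\necho sample-jre\n' > "$1/src/sample-jre-1.0/bin/java"
    chmod +x "$1/src/sample-jre-1.0/bin/java"
    tar -czf "$1/sample.tar.gz" -C "$1/src" sample-jre-1.0
    echo "$1/sample.tar.gz"
}

# Usage against a real download, once the checksum is copied from the vendor page:
#   install_tarball jre.tar.gz      "<sha256 from azul.com>"     /usr/lib/jvm
#   install_tarball keycloak.tar.gz "<sha256 from keycloak.org>" /opt/keycloak
```

The refusal path matters as much as the happy path: `install_tarball` returns non-zero and leaves the destination untouched on a mismatch, so a scripted rebuild of the router stops instead of continuing with a runtime you did not verify.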
The rest of this guide is going to be pretty straightforward and comparable to how you would set up OAuth2-proxy on other platforms.
Follow these guides for the initial setup of Keycloak and the setup of OAuth2-proxy as a Keycloak client:
Use this guide to set up TLS termination: https://oauth2-proxy.github.io/oauth2-proxy/configuration/tls/. If you set up Nginx UI in the previous post, skip down to the nginx section for an example config.