A reverse-proxy SSO gateway for RavenDB clusters.
0
A reverse-proxy SSO gateway for RavenDB clusters. It sits in front of one or more RavenDB clusters, authenticates users via Windows/Kerberos SSO or OAuth2 (GitHub, Google, Microsoft/Entra ID), and forwards requests to the correct cluster node over mTLS using a short-lived, per-user client certificate — so end users never need to manage RavenDB client certificates themselves.
Browser → nginx (443) → auth (Kerberos / OAuth2) → RavenDB cluster (mTLS, per-user cert)
Each configured cluster is reachable at <node-tag>-<cluster-alias>.<sso-domain>, e.g.
a-prod.sso.example.com.
Built from the main branch. Looking for bleeding-edge builds instead? See
ravendb/sso-nightly, built from dev.
| Tag | Description |
|---|---|
latest | Most recent stable release (multi-arch manifest). |
X.Y.Z (e.g. 1.4.2) | A specific stable release, pinned. Use this in production for reproducible deploys. |
Multi-arch manifests (latest, X.Y.Z) cover linux/amd64, linux/arm64, and linux/arm/v7; Docker pulls the
right one automatically. Single-arch tags (X.Y.Z-amd64, X.Y.Z-arm64, X.Y.Z-armv7) also exist on the registry but
are build artifacts, not meant to be pulled directly.
The image bundles nginx, oauth2-proxy, and the .NET auth service in a single container. The minimum you need is a public HTTPS URL, a TLS certificate, and at least one auth provider configured.
docker run -d --name ravendb-sso \
-p 443:443 -p 80:80 \
-e RAVENDBSSO_Url=https://sso.example.com \
-e RAVENDBSSO_CertificatePath=/app/certs/fullchain.pem \
-e RAVENDBSSO_CertificateKeyPath=/app/certs/privkey.pem \
-e RAVENDBSSO_Clusters='[{"ClusterUrls":["https://a.my-cluster.example.com"],"ClusterAlias":"my-cluster"}]' \
-e OAUTH2_PROXY_COOKIE_SECRET=$(openssl rand -hex 16) \
-e GITHUB_CLIENT_ID=... \
-e GITHUB_CLIENT_SECRET=... \
-v $(pwd)/certs:/app/certs \
-v $(pwd)/users-certs:/app/users-certs \
-v $(pwd)/logs:/app/logs \
ravendb/sso:latest
For a production-ready setup with automated Let's Encrypt certificate issuance/renewal via Route53, see the
example/ directory in the source repo — it ships a
complete docker-compose.yml pairing this image with a certbot sidecar.
services:
sso:
image: ravendb/sso:latest
container_name: ravendb-sso
restart: always
user: "10000:10000"
cap_add: [ NET_BIND_SERVICE ]
env_file: [ sso.env ]
ports: [ "80:80", "443:443" ]
volumes:
- ./config:/app/config
- ./certs:/app/certs
- ./logs:/app/logs
Settings are read from environment variables (prefix RAVENDBSSO_) or from a mounted /app/config/settings.json.
Env vars take precedence, and the two sources can be mixed.
| Variable | Required | Description |
|---|---|---|
RAVENDBSSO_Url | Yes | Public SSO URL, e.g. https://sso.example.com. Its host becomes the nginx server_name and the wildcard subdomain pattern for cluster proxying. |
RAVENDBSSO_Clusters | Yes* | JSON array of clusters to proxy: [{"ClusterUrls":["https://a.cluster.example.com"],"ClusterAlias":"my-cluster"}]. Can instead be set via settings.json. |
RAVENDBSSO_CertificatePath / RAVENDBSSO_CertificateKeyPath | No | TLS cert/key served by nginx. If omitted (or missing on disk), the container falls back to Let's Encrypt certs at /app/certs/live/<domain>/{fullchain,privkey}.pem. |
OAUTH2_PROXY_COOKIE_SECRET | Yes** | 16/24/32-character secret for oauth2-proxy session cookies. Generate with openssl rand -hex 16. Required if any OAuth provider below is configured. |
GITHUB_CLIENT_ID / GITHUB_CLIENT_SECRET / GITHUB_ALLOWED_ORGANIZATIONS | No | GitHub OAuth app + optional comma-separated org allowlist. |
GOOGLE_CLIENT_ID / GOOGLE_CLIENT_SECRET / GOOGLE_ALLOWED_EMAIL_DOMAINS | No | Google OAuth app + optional comma-separated email-domain allowlist. |
MICROSOFT_CLIENT_ID / MICROSOFT_CLIENT_SECRET / MICROSOFT_TENANT / MICROSOFT_ALLOWED_TENANTS / MICROSOFT_ALLOWED_EMAIL_DOMAINS | No | Entra ID (Azure AD) app. MICROSOFT_TENANT is a tenant GUID, or common/organizations/consumers. |
KRB5_REALM | No | Kerberos realm (uppercase) for Windows/SPNEGO auth. Requires a keytab mounted at /etc/nginx/krb5.keytab. |
NGINX_RESOLVER | No | DNS resolver nginx uses for dynamic upstream resolution. Defaults to the host's /etc/resolv.conf nameserver, then 8.8.8.8. |
* Required unless clusters are supplied via settings.json instead.
** Only required once an OAuth provider is configured; Kerberos-only deployments don't need it.
At least one auth provider (Windows/Kerberos or one of the OAuth providers) must be configured for the gateway to be usable.
| Path | Purpose |
|---|---|
/app/config | Optional settings.json for file-based configuration. |
/app/certs | SSO TLS certificate (and Let's Encrypt live//archive/ layout if using the certbot sidecar), plus the generated JWT signing keypair (certs/jwt/). |
/app/users-certs | Persistent per-user RavenDB client certificates (short-lived, auto-regenerated as needed). Persist this to avoid regenerating certs on every restart. |
/app/logs | Application, nginx access/error, and audit logs. |
/etc/nginx/krb5.keytab | Kerberos keytab file, only needed for Windows/SPNEGO auth. |
443 — HTTPS (SSO login/UI/API and per-cluster reverse proxy)80 — HTTP, redirects to 443The container runs as a non-root user (10000:10000) and needs CAP_NET_BIND_SERVICE to bind ports 80/443 as that
user — pass --cap-add NET_BIND_SERVICE (or the Compose equivalent) when running it.
Full documentation, the security-hardened docker-compose.yml example (with Let's Encrypt automation), and issue
tracking live at github.com/ravendb/sso.
No tags have been pushed to this repository yet.