Healthchecks

Enable OIDC for Healthchecks monitoring

Requirements

Healthchecks.io container self hosted on Docker
oauth2-proxy reverse proxy container for authentication
Reverse proxy with SSL termination at the edge (HTTPS)

Pocket ID Setup

Create a new OIDC client (example: healthchecks)
Enable the PKCE checkmark for maximum security
Copy the Client ID and Client Secret for use below
The Callback URL will be automatically populated at first login (Pocket v.1.2.0+)

Configure oauth2-proxy

In the same docker-compose.yml you use for Healthchecks:

Add a new oauth2-proxy container under the services: section with the following config:

oauth2-proxy: image: quay.io/oauth2-proxy/oauth2-proxy restart: unless-stopped command: --config /oauth2-proxy.cfg volumes: - ./oauth2-proxy.cfg:/oauth2-proxy.cfg ports: - 1234:4180
Add the following to the Healthchecks environment: section:

- REMOTE_USER_HEADER=HTTP_X_FORWARDED_EMAIL
Comment out the ports: section on Healthchecks, so that oauth2-proxy picks up the authentication request instead of Healthchecks directly.
Create a file beside docker-compose.yml called oauth2-proxy.cfg with the following config. Make sure to update with your own Client ID, Client Secret, and Pocket ID URL:

provider_display_name="Pocket ID" provider="oidc" oidc_issuer_url="<<Pocket ID URL>>" client_id="<<Client ID>>" client_secret="<<Client Secret>>" cookie_secret="xxx" # generate with: openssl rand -base64 32 | tr -- '+/' '-_' upstreams="http://healthchecks:8000" # internal port code_challenge_method="S256" # PKCE challenges plain or S256 skip_auth_routes = [".*/ping", ".*/api", ".*/badge"] reverse_proxy = true scope = "openid email profile groups" cookie_expire="0" # seconds, 0 for session cookie_name="__Host-oauth2-proxy" # or __Secure-oauth2-proxy (less secure) cookie_secure="true" email_domains = ["*"] http_address="0.0.0.0:4180" insecure_oidc_allow_unverified_email = "true"
Update your public facing edge reverse proxy config (Caddy, Nginx, etc.) to forward https://hc.domain.com to port 1234 (the external port for the oauth2-proxy)
Restart the entire stack with

docker compose down docker compose pull docker compose up -d

You can now login to Healthchecks with Pocket ID.

Example full stack

---
services:
  healthchecks:
    image: healthchecks/healthchecks:latest
    environment:
      - ALLOWED_HOSTS=hc.example.com
      - DB=sqlite
      - DB_NAME=/data/hc.sqlite
      - SECRET_KEY=${SECRET_KEY}
      - SITE_ROOT=https://hc.example.com
      - PING_EMAIL_DOMAIN=hc.example.com
      - REGISTRATION_OPEN=False
      - SITE_NAME=Healthchecks
      - RP_ID=hc.example.com
      - REMOTE_USER_HEADER=HTTP_X_FORWARDED_EMAIL
    volumes:
      - ./data:/data
    restart: unless-stopped
    # ports:
    #   - 8000:8000
  oauth2-proxy:
    image: quay.io/oauth2-proxy/oauth2-proxy
    restart: unless-stopped
    command: --config /oauth2-proxy.cfg
    volumes:
      - ./oauth2-proxy.cfg:/oauth2-proxy.cfg
    ports:
      - 1234:4180

Help improve this page

Edit this page on GitHub