Last active
April 7, 2020 00:40
-
-
Save mvanderlee/2dba10f1ed6c869630eab27847bc2d12 to your computer and use it in GitHub Desktop.
Ory Oathkeeper Integration with Traefik
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| --- | |
| - id: rule1 | |
| match: | |
| url: <.*>/api/auth/users | |
| methods: ["GET"] | |
| authenticators: | |
| - handler: noop | |
| authorizer: | |
| handler: allow | |
| mutators: | |
| - handler: noop | |
| - id: rule2 | |
| match: | |
| url: <.*>/api/auth/users | |
| methods: ["POST"] | |
| authenticators: | |
| - handler: noop | |
| authorizer: | |
| handler: deny | |
| mutators: | |
| - handler: noop |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| version: '3.7' | |
| services: | |
| # PROXY | |
| traefik: | |
| image: traefik:1.7 | |
| networks: | |
| - traefik | |
| ports: | |
| - 80:80 | |
| - 8080:8080 | |
| volumes: | |
| - ./traefik.toml:/traefik.toml | |
| - /var/run/docker.sock:/var/run/docker.sock | |
| # AUTH | |
| keto-postgres: | |
| image: postgres:11.4 | |
| networks: | |
| - traefik | |
| ports: | |
| - 5432 | |
| environment: | |
| POSTGRES_PASSWORD: password | |
| POSTGRES_USER: keto | |
| POSTGRES_DB: keto | |
| labels: | |
| traefik.enable: true | |
| oathkeeper: | |
| # Build this by executing `make docker` on https://github.com/mvanderlee/oathkeeper/tree/traefik-auth-forward | |
| image: oryd/oathkeeper:dev | |
| networks: | |
| - traefik | |
| ports: | |
| # - 4455:4455 # Proxy | |
| - 4456:4456 # Api | |
| volumes: | |
| - ./access_rules.yml:/access_rules.yml | |
| - ./oathkeeper.yml:/oathkeeper.yml | |
| command: | |
| - "serve" | |
| - "-c" | |
| - "/oathkeeper.yml" | |
| labels: | |
| - traefik.enable=true | |
| - traefik.frontend.rule=Host:oathkeeper | |
| keto: | |
| image: oryd/keto:v0.3 | |
| networks: | |
| - traefik | |
| ports: | |
| - 4466:4466 | |
| environment: | |
| DSN: postgres://keto:password@keto-postgres:5432/keto?sslmode=disable | |
| labels: | |
| - traefik.enable=true | |
| - traefik.frontend.rule=Host:keto | |
| ### MY CUSTOM SERVICE | |
| postgres: | |
| image: postgres:11.4 | |
| ports: | |
| - 5430:5432 | |
| environment: | |
| POSTGRES_PASSWORD: password | |
| POSTGRES_USER: techlock | |
| POSTGRES_DB: auth_service | |
| labels: | |
| traefik.enable: true | |
| auth-api: | |
| image: auth-service:local | |
| networks: | |
| - traefik | |
| ports: | |
| - 5000 | |
| environment: | |
| FLASK_SQLALCHEMY_DATABASE_URI: 'postgresql://test:password@postgres:5432/auth_service' | |
| labels: | |
| traefik.enable: true | |
| traefik.frontend.rule: PathPrefixStrip:/api/auth; |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ## ORY Oathkeeper Configuration | |
| serve: | |
| api: | |
| port: 4456 | |
| proxy: | |
| port: 4455 | |
| access_rules: | |
| repositories: | |
| - file:///access_rules.yml | |
| authenticators: | |
| anonymous: | |
| enabled: true | |
| config: | |
| subject: guest | |
| noop: | |
| enabled: true | |
| unauthorized: | |
| enabled: true | |
| cookie_session: | |
| enabled: false | |
| jwt: | |
| enabled: false | |
| # jwks_urls: '' | |
| # scope_strategy: none | |
| authorizers: | |
| allow: | |
| enabled: true | |
| deny: | |
| enabled: true | |
| keto_engine_acp_ory: | |
| enabled: true | |
| base_url: http://keto/ | |
| mutators: | |
| noop: | |
| enabled: true | |
| cookie: | |
| enabled: false | |
| header: | |
| enabled: true | |
| id_token: | |
| enabled: false | |
| # issuer_url: '' | |
| # jwks_url: '' | |
| ttl: 30s | |
| log: | |
| level: debug | |
| format: text # or json |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ################################################################ | |
| # API and dashboard configuration | |
| ################################################################ | |
| [api] | |
| ################################################################ | |
| # Docker configuration backend | |
| ################################################################ | |
| [docker] | |
| domain = "docker.local" | |
| watch = true | |
| exposedByDefault = false | |
| ################################################################ | |
| # Entry Points | |
| ################################################################ | |
| [entryPoints] | |
| [entryPoints.http] | |
| address = ":80" | |
| # compress = true | |
| # [entryPoints.http.redirect] | |
| # regex = "^/api/(.*)" | |
| # replacement = "/$1" | |
| [entryPoints.http.auth.forward] | |
| address = "http://oathkeeper:4456/auth_forward" | |
| # authResponseHeaders = ["X-Forwarded-User"] | |
| ################################################################ | |
| # Logs | |
| ################################################################ | |
| [traefikLog] | |
| format = "common" | |
| [accessLog] | |
| format = "common" |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment