@fnkr

fnkr/.gitignore Secret

Last active May 13, 2020 10:56
Traefik + pusher/oauth2_proxy

.gitignore

```gitignore
/.idea/
# compiled and packaged SELinux module (built by the Makefile)
/*.mod
/*.pp
# Traefik state, including acme.json (ACME account key and the issued certificates' private keys)
/traefik_var/
```

README.md

Traefik + pusher/oauth2_proxy

Quick facts:

  • docker-compose stack
  • SELinux policy included (see traefik.te and Makefile)
  • Traefik v2.0
  • GitHub login provider (oauth2_proxy --provider=github)
  • Let's Encrypt certificate provider, pointed at the staging CA
  • ACME dns-01 challenge through Cloudflare

Some things are weird because I had to work around Traefik bugs/inconveniences. For example, I had to enable Traefik for the oauth2proxy container and give its router a Host() rule, otherwise it wouldn't work. That's why the oauth2proxy router has both a Host() and a PathPrefix() rule; the PathPrefix(`/oauth2`) part is the one that is actually used. Since it carries no Host(), it matches /oauth2/* on every host served by the https entrypoint, which is what lets the sign-in page, the OAuth callback and the /oauth2/auth check work on whoami.example.com.

Also, if you want to use wildcard certificates, you'll have to configure the certificate (the commented-out tls.domains[0].main / tls.domains[0].sans labels in the compose file) for one container first, restart that container, let Traefik fetch the certificate, then configure the same wildcard certificate for all containers and restart the whole stack. If you don't do it in this order, Traefik will attempt to retrieve one wildcard certificate per container, all at the same time. One process clears the ACME DNS challenge record set by another, and this causes all processes/challenges to fail.

Oh, and there is a bug: people get logged out, usually after a few minutes. At some point the server sends a response that clears the oauth2proxy cookie, and I could not yet figure out why. Cookie refresh time is set to 1 hour (--cookie-refresh=1h), expire time to 4 weeks (--cookie-expire=672h). Please let me know if you fix it.
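One way to narrow this down, added here as an example and not part of the gist: scan the responses the browser received (exported from the network tab, or rebuilt from Traefik's access log) for the Set-Cookie header that removes the oauth2_proxy session cookie, and report which request and status produced it. The response records below are constructed; the cookie name is oauth2_proxy's default `_oauth2_proxy` (oversized sessions are split into `_oauth2_proxy_0`, `_oauth2_proxy_1`, ... and the CSRF cookie `_oauth2_proxy_csrf` is deliberately excluded); the function names are mine.

```python
"""Locate the response that clears the oauth2_proxy session cookie.

Added example, not code from the gist. Input is a list of response records
(status, path, Set-Cookie headers) as exported from a browser's network tab
or rebuilt from an access log; the records below are constructed.
"""
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

COOKIE = "_oauth2_proxy"  # oauth2_proxy's default --cookie-name

# Constructed sample: the login callback sets the session cookie (and clears the
# CSRF cookie), a later redirect on "/" wipes the session. Timestamps are arbitrary.
NOW = datetime(2019, 10, 16, 12, 0, tzinfo=timezone.utc)
RESPONSES = [
    {"status": 302, "path": "/oauth2/callback", "set_cookie": [
        "_oauth2_proxy=c2Vzc2lvbi1kYXRh; Path=/; Expires=Wed, 13 Nov 2019 12:00:00 GMT; HttpOnly; Secure",
        "_oauth2_proxy_csrf=; Path=/; Expires=Wed, 16 Oct 2019 11:00:00 GMT; HttpOnly; Secure"]},
    {"status": 200, "path": "/", "set_cookie": []},
    {"status": 302, "path": "/", "set_cookie": [
        "_oauth2_proxy=; Path=/; Expires=Wed, 16 Oct 2019 11:00:00 GMT; HttpOnly; Secure"]},
    {"status": 200, "path": "/oauth2/sign_in", "set_cookie": [
        "_oauth2_proxy_csrf=abc; Path=/; Max-Age=900; HttpOnly; Secure"]},
]


def parse_set_cookie(header):
    """Split a Set-Cookie header into (name, value, {attribute_lowercase: value})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.lower()] = val
    return name, value, attrs


def is_session_cookie(name):
    """_oauth2_proxy, or a split cookie _oauth2_proxy_0, _oauth2_proxy_1, ...;
    the CSRF cookie _oauth2_proxy_csrf is not the session."""
    suffix = name[len(COOKIE) + 1:]
    return name == COOKIE or (name.startswith(COOKIE + "_") and suffix.isdigit())


def clears_cookie(header, now):
    """True when this Set-Cookie removes the session: empty value, Max-Age <= 0,
    or an Expires in the past (oauth2_proxy clears by setting an expiry in the past)."""
    name, value, attrs = parse_set_cookie(header)
    if not is_session_cookie(name):
        return False
    if value == "":
        return True
    if "max-age" in attrs:
        return int(attrs["max-age"]) <= 0
    if "expires" in attrs:
        expires = parsedate_to_datetime(attrs["expires"])
        if expires.tzinfo is None:            # a "-0000" zone parses as naive; treat as UTC
            expires = expires.replace(tzinfo=timezone.utc)
        return expires <= now
    return False


def find_logouts(responses, now):
    """(index, status, path, header) for every response that clears the session cookie."""
    hits = []
    for i, resp in enumerate(responses):
        for header in resp.get("set_cookie", []):
            if clears_cookie(header, now):
                hits.append((i, resp["status"], resp["path"], header))
    return hits


def missing_flags(header):
    """Secure/HttpOnly attributes absent from a session cookie (there should be none
    with --cookie-secure=true --cookie-httponly=true)."""
    name, _, attrs = parse_set_cookie(header)
    if not is_session_cookie(name):
        return []
    return [flag for flag in ("secure", "httponly") if flag not in attrs]


if __name__ == "__main__":
    for index, status, path, header in find_logouts(RESPONSES, NOW):
        print(f"response #{index} ({status} {path}) cleared the session: {header}")
```

Run it against a real capture and the path and status of the offending response tell you whether the clear came from oauth2_proxy itself (an /oauth2/* path, for example a failed refresh) or from the backend behind the forwardAuth check.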

Feel free to comment if you have any questions.

authproxy.env

```ini
# GitHub OAuth App credentials (GitHub: Settings > Developer settings > OAuth Apps);
# the callback URL registered there must be https://<host>/oauth2/callback
OAUTH2_PROXY_CLIENT_ID=
OAUTH2_PROXY_CLIENT_SECRET=
# 16, 24 or 32 random bytes, raw or base64 encoded (it is the AES key that
# encrypts the session cookie). One way to generate it:
#   python -c 'import os,base64; print(base64.urlsafe_b64encode(os.urandom(16)).decode())'
OAUTH2_PROXY_COOKIE_SECRET=
```
docker-compose file

```yaml
version: '3.6'
services:
  whoami:
    # demo backend; it publishes no ports, so it is only reachable through Traefik
    image: containous/whoami
    labels:
      - traefik.enable=true
      - traefik.http.services.whoami.loadbalancer.server.port=80
      - traefik.http.routers.whoami_https.entrypoints=https
      - traefik.http.routers.whoami_https.rule=Host(`whoami.example.com`)
      - traefik.http.routers.whoami_https.tls.certResolver=letsencrypt
      # order matters: the errors middleware (signin) must come first so that it wraps
      # the forwardAuth middleware (verify) and can replace its 401 with the sign-in page
      - traefik.http.routers.whoami_https.middlewares=authproxy_signin,authproxy_verify
      #- traefik.http.routers.whoami_https.tls.domains[0].main=example.com
      #- traefik.http.routers.whoami_https.tls.domains[0].sans=*.example.com
      - traefik.http.routers.whoami_http.entrypoints=http
      - traefik.http.routers.whoami_http.middlewares=enforce-https@file
      - traefik.http.routers.whoami_http.rule=Host(`whoami.example.com`)
  authproxy:
    image: quay.io/pusher/oauth2_proxy
    command:
      - --http-address=0.0.0.0:4180
      - --provider=github
      # with the GitHub provider this accepts every GitHub account; add
      # --github-org=<org> (and optionally --github-team=<team>) to restrict who may log in
      - --email-domain=*
      # makes /oauth2/auth answer with X-Auth-Request-User / X-Auth-Request-Email,
      # which the forwardAuth middleware below copies onto the upstream request
      - --set-xauthrequest
      - --cookie-expire=672h
      - --cookie-refresh=1h   # must stay shorter than --cookie-expire
      - --cookie-secure=true
      - --cookie-httponly=true
      - --request-logging=false
    labels:
      - traefik.enable=true
      - traefik.http.services.authproxy.loadbalancer.server.port=4180
      # forwardAuth: Traefik calls this endpoint for every request on the protected router;
      # a 2xx lets the request through, any other status is returned to the client
      - traefik.http.middlewares.authproxy_verify.forwardAuth.address=http://authproxy:4180/oauth2/auth
      # copied from the auth response onto the request that reaches the backend
      - traefik.http.middlewares.authproxy_verify.forwardAuth.authResponseHeaders=X-Auth-Request-User,X-Auth-Request-Email
      # errors: a 401 from the forwardAuth check is answered with oauth2_proxy's sign-in page
      - traefik.http.middlewares.authproxy_signin.errors.status=401
      - traefik.http.middlewares.authproxy_signin.errors.service=authproxy@docker
      - traefik.http.middlewares.authproxy_signin.errors.query=/oauth2/sign_in
      - traefik.http.routers.authproxy_https.entrypoints=https
      # PathPrefix(`/oauth2`) carries no Host(), so /oauth2/* on every host handled by the
      # https entrypoint (sign_in, callback, auth) reaches oauth2_proxy; the Host() part is
      # the workaround described in the README
      - traefik.http.routers.authproxy_https.rule=Host(`whoami-authproxy.example.com`) || PathPrefix(`/oauth2`)
      - traefik.http.routers.authproxy_https.tls.certResolver=letsencrypt
      #- traefik.http.routers.authproxy_https.tls.domains[0].main=example.com
      #- traefik.http.routers.authproxy_https.tls.domains[0].sans=*.example.com
    env_file:
      - ./authproxy.env
  traefik:
    image: traefik:v2.0
    volumes:
      - ./traefik.yaml:/etc/traefik/traefik.yaml:Z
      - ./traefik_file.yaml:/etc/traefik/conf.d/traefik.yaml:Z
      - ./traefik_var:/var/traefik:Z   # acme.json lives here: account key and certificate private keys
      # the Docker provider needs the daemon socket; ":ro" only affects the mount, not the API
      # behind it, and access to that API is equivalent to root on the host. On SELinux hosts
      # the traefik.te module is what permits this connection.
      - /var/run/docker.sock:/var/run/docker.sock:ro
    ports:
      - 80:80
      - 443:443
    command:
      # the gist pointed this at /etc/traefik/traefik.toml, which is not mounted; Traefik then
      # fell back to its default search path and found the YAML mounted above, so name it directly
      - --configFile=/etc/traefik/traefik.yaml
    env_file:
      - ./traefik.env
    labels:
      - traefik.enable=true
      - traefik.http.routers.traefik_https.service=api@internal
      - traefik.http.routers.traefik_https.entrypoints=https
      - traefik.http.routers.traefik_https.rule=Host(`whoami-traefik.example.com`)
      - traefik.http.routers.traefik_https.tls.certResolver=letsencrypt
      # the gist attached no middleware to this router, leaving the dashboard and API reachable
      # by anyone who can resolve the host; the basicAuth middleware defined in traefik_file.yaml
      # was never used, so attach it here
      - traefik.http.routers.traefik_https.middlewares=authentication@file
      #- traefik.http.routers.traefik_https.tls.domains[0].main=example.com
      #- traefik.http.routers.traefik_https.tls.domains[0].sans=*.example.com
      - traefik.http.routers.traefik_http.service=api@internal
      - traefik.http.routers.traefik_http.entrypoints=http
      - traefik.http.routers.traefik_http.middlewares=enforce-https@file
      - traefik.http.routers.traefik_http.rule=Host(`whoami-traefik.example.com`)
```
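Added example, not part of the gist: a small static check over the oauth2_proxy flags and the Traefik labels from this compose file, covering the points a reviewer would raise here (the GitHub provider with --email-domain=* and no org/team restriction, a cookie secret that is not 16/24/32 bytes, cookie-refresh not shorter than cookie-expire, an api@internal router with no middleware at all, and an errors middleware listed after the forwardAuth whose 401 it is supposed to catch). The flag and label lists are copied from the compose file above; the secret "changeme" is a placeholder, the 168h default for --cookie-expire is oauth2_proxy's, and the function names are mine.

```python
"""Static checks over the oauth2_proxy flags and Traefik labels of this stack.

Added example, not part of the gist. The flag and label lists are copied from
the compose file on this page; "changeme" is a placeholder secret.
"""
import base64
import binascii
import re

AUTHPROXY_FLAGS = [
    "--http-address=0.0.0.0:4180", "--provider=github", "--email-domain=*",
    "--set-xauthrequest", "--cookie-expire=672h", "--cookie-refresh=1h",
    "--cookie-secure=true", "--cookie-httponly=true", "--request-logging=false",
]

LABELS = [
    "traefik.http.routers.whoami_https.rule=Host(`whoami.example.com`)",
    "traefik.http.routers.whoami_https.middlewares=authproxy_signin,authproxy_verify",
    "traefik.http.middlewares.authproxy_verify.forwardAuth.address=http://authproxy:4180/oauth2/auth",
    "traefik.http.middlewares.authproxy_signin.errors.status=401",
    "traefik.http.middlewares.authproxy_signin.errors.service=authproxy@docker",
    "traefik.http.routers.traefik_https.service=api@internal",
    "traefik.http.routers.traefik_https.rule=Host(`whoami-traefik.example.com`)",
    "traefik.http.routers.traefik_http.service=api@internal",
    "traefik.http.routers.traefik_http.middlewares=enforce-https@file",
]

_DURATION = re.compile(r"(\d+)([hms])")
_ROUTER = re.compile(r"^traefik\.http\.routers\.([^.]+)\.(service|middlewares|rule)=(.*)$")
_MIDDLEWARE = re.compile(r"^traefik\.http\.middlewares\.([^.]+)\.([^.]+)\.")


def parse_flags(flags):
    """'--key=value' -> {'key': 'value'}; a bare '--key' counts as 'true'."""
    parsed = {}
    for flag in flags:
        key, _, value = flag[2:].partition("=")
        parsed[key] = value or "true"
    return parsed


def duration_seconds(text):
    """Go-style durations as oauth2_proxy takes them: '672h', '1h30m', '45s'."""
    factor = {"h": 3600, "m": 60, "s": 1}
    return sum(int(n) * factor[u] for n, u in _DURATION.findall(text))


def cookie_secret_bytes(secret):
    """Mirror oauth2_proxy: base64 is honoured only if it yields an AES key size
    (16, 24 or 32 bytes); otherwise the raw string is the secret."""
    padded = secret + "=" * (-len(secret) % 4)
    try:
        raw = base64.b64decode(padded.replace("-", "+").replace("_", "/"), validate=True)
        if len(raw) in (16, 24, 32):
            return raw
    except binascii.Error:
        pass
    return secret.encode()


def check_oauth2_proxy(flags, cookie_secret):
    """Findings for the oauth2_proxy command line plus OAUTH2_PROXY_COOKIE_SECRET."""
    f = parse_flags(flags)
    findings = []
    if (f.get("provider") == "github" and f.get("email-domain") == "*"
            and not (f.get("github-org") or f.get("github-team"))):
        findings.append("github provider with email-domain=* and no --github-org/"
                        "--github-team: every GitHub account is accepted")
    for flag in ("cookie-secure", "cookie-httponly"):
        if f.get(flag, "true") != "true":      # both default to true in oauth2_proxy
            findings.append(f"{flag} is disabled")
    expire = duration_seconds(f.get("cookie-expire", "168h"))   # oauth2_proxy default
    if "cookie-refresh" in f and duration_seconds(f["cookie-refresh"]) >= expire:
        findings.append("cookie-refresh must be shorter than cookie-expire")
    if len(cookie_secret_bytes(cookie_secret)) not in (16, 24, 32):
        findings.append("cookie secret must be 16, 24 or 32 bytes, raw or base64")
    return findings


def check_traefik_labels(labels):
    """Router-level findings: api@internal served with no middleware at all, and an
    errors middleware listed after the forwardAuth whose 401 it is meant to catch
    (the first middleware in the list is the outermost one)."""
    routers, kinds = {}, {}
    for label in labels:
        if m := _ROUTER.match(label):
            routers.setdefault(m[1], {})[m[2]] = m[3]
        elif m := _MIDDLEWARE.match(label):
            kinds[m[1]] = m[2]                  # e.g. authproxy_verify -> forwardAuth
    findings = []
    for name, cfg in sorted(routers.items()):
        chain = [mw for mw in cfg.get("middlewares", "").split(",") if mw]
        if cfg.get("service") == "api@internal" and not chain:
            findings.append(f"router {name}: api@internal (dashboard/API) with no middleware")
        auth_pos = [i for i, mw in enumerate(chain) if kinds.get(mw) == "forwardAuth"]
        err_pos = [i for i, mw in enumerate(chain) if kinds.get(mw) == "errors"]
        if auth_pos and err_pos and min(err_pos) > min(auth_pos):
            findings.append(f"router {name}: errors middleware must precede forwardAuth")
    return findings


if __name__ == "__main__":
    for line in check_oauth2_proxy(AUTHPROXY_FLAGS, "changeme") + check_traefik_labels(LABELS):
        print("finding:", line)
```

Against the labels as they appear in the gist this reports the open GitHub login and the unprotected traefik_https router; the http twin of that router is not flagged because its enforce-https redirect never lets a request reach api@internal.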
Makefile

```make
# Builds and installs the SELinux module in traefik.te. Recipe lines must be
# indented with a tab. install/remove are phony too, and each artifact now
# depends on its input so a changed traefik.te is rebuilt.
.PHONY: all install remove

traefik.mod: traefik.te
	checkmodule -M -m -o traefik.mod traefik.te

traefik.pp: traefik.mod
	semodule_package -o traefik.pp -m traefik.mod

install: traefik.pp
	sudo semodule -i traefik.pp

remove:
	sudo semodule -r traefik

all: traefik.mod traefik.pp install
```
traefik.env

```ini
# Cloudflare credentials for the dns-01 challenge (lego's "cloudflare" provider).
# The Global API key grants full access to the whole account; newer Traefik/lego
# releases also accept a scoped token via CF_DNS_API_TOKEN (check the docs for your version).
CF_API_EMAIL=
CF_API_KEY=
```
traefik.te

```
module traefik 1.0;

require {
    type container_t;
    type container_runtime_t;
    class unix_stream_socket connectto;
}

#============= container_t ==============
# Lets a container (container_t) connect to the Docker daemon's unix socket
# (container_runtime_t), which Traefik needs for the bind-mounted
# /var/run/docker.sock. The rule is not scoped to Traefik: any container that
# gets the socket mounted may use it too, so keep the mount limited to Traefik.
allow container_t container_runtime_t:unix_stream_socket connectto;
```
traefik.yaml

```yaml
entryPoints:
  http:
    address: ":80"
  https:
    address: ":443"
providers:
  docker:
    exposedByDefault: false   # only containers labelled traefik.enable=true get routers
  file:
    directory: /etc/traefik/conf.d
api:
  # the gist had insecure: true, which additionally serves the API and dashboard without
  # any authentication on the internal "traefik" entrypoint (:8080). That port is not
  # published, but every container on the compose network could reach it. The dashboard
  # is already routed through api@internal in the compose labels, so insecure mode is not needed.
  insecure: false
  dashboard: true
certificatesResolvers:
  letsencrypt:
    acme:
      # staging CA: browsers do not trust its certificates, but its rate limits are much
      # higher while testing; switch to https://acme-v02.api.letsencrypt.org/directory for production
      caServer: https://acme-staging-v02.api.letsencrypt.org/directory
      email: letsencrypt@example.com
      storage: /var/traefik/acme.json   # account key and certificate private keys; kept out of git by .gitignore
      dnsChallenge:
        provider: cloudflare
        delayBeforeCheck: 10   # seconds to wait before Traefik itself checks the _acme-challenge TXT record
        # DNS servers used for that check (Cloudflare's own here)
        resolvers:
          - "[2606:4700:4700::1111]:53"
          - "[2606:4700:4700::1001]:53"
          - "1.1.1.1:53"
          - "1.0.0.1:53"
log:
  level: DEBUG   # verbose; drop to INFO once the stack works
```
traefik_file.yaml

```yaml
http:
  middlewares:
    enforce-https:
      redirectScheme:
        scheme: https
        permanent: true
    authentication:
      basicAuth:
        users:
          # htpasswd -nb user password
          # (replace before use; Traefik also accepts bcrypt hashes, i.e. htpasswd -nbB user password)
          - 'user:$apr1$WI9.6Com$LO5VAdzJue4x374o71Ncr1'
```
@tlex commented Oct 16, 2019

The bug described in README.md seems the same as oauth2-proxy/oauth2-proxy#266.

@fnkr (author) commented Oct 16, 2019

@tlex Thanks for letting me know!