Quick facts:
- docker-compose stack
- SELinux policy included (see traefik.te and Makefile)
- Traefik v2.0
- GitHub login provider
- Let's Encrypt (staging) certificate provider
- ACME dns-01 challenge through Cloudflare
Some things are weird because I had to work around Traefik bugs/inconveniences. For example, I had to enable Traefik for the oauth2proxy container and specify a Host() rule, otherwise it wouldn't work. That is why the oauth2proxy container has both a Host() rule and a Path() rule; the Path() rule is the one that is actually used.
Also, if you want to use wildcard certificates, you'll have to configure the wildcard certificate for one container only, restart that container, let Traefik fetch the certificate, then configure the wildcard certificate for all containers and restart the whole stack. If you don't do it in this order, Traefik will attempt to retrieve one wildcard certificate per container. Those requests run simultaneously, so one process clears the ACME DNS challenge record set by another, and all of the challenges fail.
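The two workarounds above (the extra Host() rule on the oauth2proxy router, and staging the wildcard certificate on a single router before rolling it out to all of them) as a compose fragment. This is an added example, not the stack's own docker-compose.yml: the service names, `example.com`, the resolver name `le`, the `oauth` middleware name and the forwardauth wiring to oauth2proxy's `/oauth2/auth` endpoint are assumptions, and the GitHub client credentials and cookie secret are expected in an `oauth2proxy.env` file that is not shown.

```yaml
# Added example (not the original stack). Traefik v2.0, GitHub login via
# oauth2proxy, Let's Encrypt *staging* with the Cloudflare dns-01 challenge.
version: "3.7"

services:
  traefik:
    image: traefik:v2.0
    command:
      - --providers.docker=true
      - --providers.docker.exposedbydefault=false   # opt-in per container
      - --entrypoints.websecure.address=:443
      - --certificatesresolvers.le.acme.email=admin@example.com      # assumed
      - --certificatesresolvers.le.acme.storage=/acme.json
      # staging CA: untrusted certs, but no production rate limits while testing
      - --certificatesresolvers.le.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory
      - --certificatesresolvers.le.acme.dnschallenge.provider=cloudflare
    environment:
      # Cloudflare credentials read by the dns-01 provider; keep them out of git
      - CF_API_EMAIL=${CF_API_EMAIL}
      - CF_API_KEY=${CF_API_KEY}
    ports:
      - "443:443"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      # create as an empty file with mode 0600; Traefik refuses looser permissions
      - ./acme.json:/acme.json

  oauth2proxy:
    image: quay.io/oauth2-proxy/oauth2-proxy:latest   # assumed image
    env_file: oauth2proxy.env   # OAUTH2_PROXY_CLIENT_ID / _CLIENT_SECRET / _COOKIE_SECRET
    environment:
      - OAUTH2_PROXY_PROVIDER=github
      - OAUTH2_PROXY_HTTP_ADDRESS=0.0.0.0:4180
      - OAUTH2_PROXY_EMAIL_DOMAINS=*
      - OAUTH2_PROXY_COOKIE_REFRESH=1h     # values the page states
      - OAUTH2_PROXY_COOKIE_EXPIRE=672h    # 4 weeks
      - OAUTH2_PROXY_COOKIE_SECURE=true
    labels:
      - traefik.enable=true   # must be enabled even though it only serves /oauth2/
      # Host() is only there because Traefik would not accept the router without it;
      # PathPrefix() is the rule that actually matches the login/callback traffic.
      - traefik.http.routers.oauth.rule=Host(`auth.example.com`) || PathPrefix(`/oauth2/`)
      - traefik.http.routers.oauth.entrypoints=websecure
      - traefik.http.routers.oauth.tls.certresolver=le
      - traefik.http.services.oauth.loadbalancer.server.port=4180
      # forwardauth middleware used by the protected services (assumed wiring)
      - traefik.http.middlewares.oauth.forwardauth.address=http://oauth2proxy:4180/oauth2/auth
      - traefik.http.middlewares.oauth.forwardauth.trustForwardHeader=true

  app:
    image: traefik/whoami   # assumed stand-in for a protected service
    labels:
      - traefik.enable=true
      - traefik.http.routers.app.rule=Host(`app.example.com`)
      - traefik.http.routers.app.entrypoints=websecure
      - traefik.http.routers.app.middlewares=oauth@docker
      - traefik.http.routers.app.tls.certresolver=le
      # STAGE 1: only ONE router carries the domains[] labels. Bring the stack up,
      # then wait until `grep -c '\*.example.com' acme.json` is non-zero.
      # STAGE 2: copy the next two labels onto every other router (oauth included)
      # and `docker-compose down && docker-compose up -d`. Doing this from the start
      # makes each router order its own wildcard and the dns-01 TXT records collide.
      - traefik.http.routers.app.tls.domains[0].main=example.com
      - traefik.http.routers.app.tls.domains[0].sans=*.example.com
```

`docker-compose logs traefik | grep -i acme` shows whether a single order was placed; several simultaneous "Trying to challenge" lines for the same wildcard are the symptom of skipping stage 1. The `trustForwardHeader` setting is only safe because Traefik is the sole thing talking to oauth2proxy on the compose network; do not expose port 4180 on the host.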
Oh, and there is a bug. People get logged out, usually after a few minutes: at some point the server sends a response that clears the oauth2proxy cookie. I have not yet figured out why. Cookie refresh time is set to 1 hour, expire time to 4 weeks. Please let me know if you fix it.
Feel free to comment if you have any questions.
@tlex Thanks for letting me know!