Traefik Forward Auth

traefik-dynamic.yml

http:
  routers:
    # http_catchall redirects all incoming traffic from http to https
    http_catchall:
      entrypoints:
      - "http"
      middlewares:
      - "https_redirect"
      rule: "HostRegexp(`{any:.+}`)"
      service: "noop"

  services:
    # noop will never be called, but is needed by the http_catchall router
    noop: {loadBalancer: {servers: [url: "http://10.0.0.1"]}}
    unifi:
      loadBalancer:
        servers:
        - url: "https://10.0.0.1"

  middlewares:
    https_redirect:
      redirectScheme:
        scheme: "https"
        permanent: true
    forward-auth:
      forwardAuth:
        address: "http://traefik-fa:4181" # this sends forward-auth requests to our traefik-fa container

tls:
  options:
    default:
      minVersion: "VersionTLS12"
      cipherSuites:
      - "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"
      - "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305"
      - "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305"
      - "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"
      - "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"

traefik-forward-auth-compose.yml

version: '3'
services:
  traefik:
    restart: always
    image: "traefik:v2.1"
    command:
    - "--configfile=/config/static.yml"
    volumes:
    - "./traefik-static.yml:/config/static.yml"
    - "./traefik-dynamic.yml:/config/dynamic.yml"
    - "/var/run/docker.sock:/var/run/docker.sock"
    expose:
    - "8080"
    ports:
    - "80:80"
    - "443:443"
    labels:
    - "traefik.enable=true"
    - "traefik.http.routers.traefik.service=api@internal"
    - "traefik.http.routers.traefik.rule=Host(`traefik.mydomain.com`)"
    - "traefik.http.routers.traefik.tls.certresolver=le"
    - "traefik.http.routers.traefik.middlewares=forward-auth@file"

  traefik-fa:
    restart: always
    image: "thomseddon/traefik-forward-auth:2"
    command:
    - "--whitelist=myemail@gmail.com" # whitelist can be set multiple times
    - "--whitelist=youremail@gmail.com"
    environment:
      LOG_LEVEL: "info"
      AUTH_HOST: "auth.mydomain.com"
      COOKIE_DOMAIN: "mydomain.com"
      SECRET: "somerandomnonce"
      PROVIDERS_GOOGLE_CLIENT_ID: "yourclientid"
      PROVIDERS_GOOGLE_CLIENT_SECRET: "yourclientsecret"
    expose: ["4181"]
    labels:
    - "traefik.enable=true"
    - "traefik.http.routers.traefik-fa.rule=Host(`auth.mydomain.com`)"
    - "traefik.http.routers.traefik-fa.tls.certresolver=le"
    - "traefik.http.routers.traefik-fa.middlewares=forward-auth@file"

  # grafana is the app that we'll protect with forward-auth. Only Google
  # accounts in traefik-fa's whitelist will be able to reach this site.
  grafana:
    restart: always
    image: grafana/grafana:6.5.3
    environment:
      GF_SERVER_ROOT_URL: "https://grafana.mydomain.com"
      GF_SECURITY_ADMIN_PASSWORD: "somepassword"
      GF_AUTH_ANONYMOUS_ENABLED: "true"
      GF_AUTH_ANONYMOUS_ORG_NAME: "Main Org."
      GF_AUTH_ANONYMOUS_ORG_ROLE: "Admin"
    expose: ["3000"]
    labels:
    - "traefik.enable=true"
    - "traefik.http.routers.grafana.rule=Host(`grafana.mydomain.com`)"
    - "traefik.http.routers.grafana.tls.certresolver=le"
    - "traefik.http.routers.grafana.middlewares=forward-auth@file"

traefik-static.yml

entryPoints:
  http:
    address: ":80"
  https:
    address: ":443"
  traefik:
    address: ":8080"

providers:
  file:
    filename: "/config/dynamic.yml"
  docker:
    endpoint: "unix:///var/run/docker.sock"
    exposedByDefault: false

certificatesResolvers:
  le:
    acme:
      email: "myemail@gmail.com"
      storage: "/data/acme.json" # this file should be persistently mounted
      httpChallenge:
        entryPoint: "http"

api:
  dashboard: true