Traefik Forward Auth
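---
# traefik-dynamic.yml — dynamic configuration, loaded through the file provider.
# Anything defined here is referenced from Docker labels with the "@file"
# suffix (e.g. forward-auth@file).
http:
  routers:
    # http_catchall: every request arriving on the plain-HTTP entrypoint is
    # redirected to HTTPS. The rule matches any Host header; the redirect
    # middleware answers before the request could ever reach the noop service.
    http_catchall:
      entrypoints:
        - "http"
      middlewares:
        - "https_redirect"
      rule: "HostRegexp(`{any:.+}`)"
      service: "noop"

  services:
    # noop is never contacted (the redirect middleware short-circuits), but
    # Traefik requires every router to name a service.
    noop:
      loadBalancer:
        servers:
          - url: "http://10.0.0.1"

    # unifi: upstream reached over HTTPS. Traefik verifies the upstream
    # certificate by default, so a self-signed certificate on 10.0.0.1 will
    # make this backend fail until a trusted certificate (or a deliberate,
    # documented skip-verify setting) is in place — confirm against the host.
    # NOTE(review): no router in this file references this service.
    unifi:
      loadBalancer:
        servers:
          - url: "https://10.0.0.1"

  middlewares:
    # Permanent (301) redirect used by http_catchall.
    https_redirect:
      redirectScheme:
        scheme: "https"
        permanent: true

    # forward-auth: each request is first sent to the traefik-fa container and
    # only a 2xx answer lets it through to the backend. Plain HTTP is
    # acceptable here only because the hop stays on the Compose network — do
    # not point this at an address that crosses an untrusted network.
    # trustForwardHeader is left at its default (false), so client-supplied
    # X-Forwarded-* headers are not trusted.
    # NOTE(review): no authResponseHeaders are listed, so identity headers set
    # by the auth server are not copied to the backend; add e.g.
    # authResponseHeaders: ["X-Forwarded-User"] if a backend needs them.
    forward-auth:
      forwardAuth:
        address: "http://traefik-fa:4181"

tls:
  options:
    # "default" applies to every TLS router that does not name another option.
    default:
      minVersion: "VersionTLS12"
      # Forward-secret AEAD suites only. This list constrains TLS 1.2; the
      # TLS 1.3 suites are fixed by the Go runtime and are not configurable.
      # The ECDSA AES-256 suite is included so an ECDSA certificate gets the
      # same choices as an RSA one.
      cipherSuites:
        - "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"
        - "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"
        - "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305"
        - "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305"
        - "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"
        - "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"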
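---
# docker-compose.yml — Traefik + traefik-forward-auth + one protected app.
# Secrets are taken from the environment (or an env_file) rather than being
# written into this file; the "${VAR:?msg}" form makes Compose fail fast when
# a variable is missing instead of starting with an empty secret.
version: '3'

services:
  traefik:
    restart: always
    image: "traefik:v2.1"
    command:
      - "--configfile=/config/static.yml"
    volumes:
      - "./traefik-static.yml:/config/static.yml:ro"
      - "./traefik-dynamic.yml:/config/dynamic.yml:ro"
      # ACME state (account key + certificates). The static config stores it
      # at /data/acme.json; without a persistent mount every container restart
      # re-issues certificates and soon hits Let's Encrypt rate limits.
      # Create the file on the host first (`touch acme.json && chmod 600 acme.json`):
      # Traefik refuses looser permissions, and Docker would otherwise create
      # a directory in its place.
      - "./acme.json:/data/acme.json"
      # The Docker socket gives this container root-equivalent control of the
      # host. The docker provider needs it; a socket proxy that only permits
      # read-only container/network queries reduces the blast radius.
      - "/var/run/docker.sock:/var/run/docker.sock"
    expose:
      - "8080"
    ports:
      - "80:80"
      - "443:443"
    labels:
      - "traefik.enable=true"
      # Dashboard/API, reachable only through this HTTPS router, which sits
      # behind forward-auth. entrypoints is pinned so the router does not also
      # attach to the http and traefik entrypoints.
      - "traefik.http.routers.traefik.service=api@internal"
      - "traefik.http.routers.traefik.rule=Host(`traefik.mydomain.com`)"
      - "traefik.http.routers.traefik.entrypoints=https"
      - "traefik.http.routers.traefik.tls.certresolver=le"
      - "traefik.http.routers.traefik.middlewares=forward-auth@file"

  traefik-fa:
    restart: always
    # Floating major tag: pin an exact version (ideally a digest) so the
    # authentication gate cannot change underneath you on the next pull.
    image: "thomseddon/traefik-forward-auth:2"
    command:
      - "--whitelist=myemail@gmail.com" # whitelist can be set multiple times
      - "--whitelist=youremail@gmail.com"
    environment:
      LOG_LEVEL: "info"
      AUTH_HOST: "auth.mydomain.com"
      # The session cookie is scoped to the whole domain so one login covers
      # every protected subdomain — and every host under mydomain.com can
      # read it.
      COOKIE_DOMAIN: "mydomain.com"
      # Long random string used to sign the session cookie.
      SECRET: "${TFA_SECRET:?TFA_SECRET must be set to a long random string}"
      PROVIDERS_GOOGLE_CLIENT_ID: "${GOOGLE_CLIENT_ID:?GOOGLE_CLIENT_ID must be set}"
      PROVIDERS_GOOGLE_CLIENT_SECRET: "${GOOGLE_CLIENT_SECRET:?GOOGLE_CLIENT_SECRET must be set}"
    expose: ["4181"]
    labels:
      - "traefik.enable=true"
      # Auth-host mode: the auth host itself must sit behind the same
      # middleware so the OAuth callback is handled by traefik-fa.
      - "traefik.http.routers.traefik-fa.rule=Host(`auth.mydomain.com`)"
      - "traefik.http.routers.traefik-fa.entrypoints=https"
      - "traefik.http.routers.traefik-fa.tls.certresolver=le"
      - "traefik.http.routers.traefik-fa.middlewares=forward-auth@file"

  # grafana is the app that we'll protect with forward-auth. Only Google
  # accounts in traefik-fa's whitelist will be able to reach it through Traefik.
  grafana:
    restart: always
    image: grafana/grafana:6.5.3
    environment:
      GF_SERVER_ROOT_URL: "https://grafana.mydomain.com"
      GF_SECURITY_ADMIN_PASSWORD: "${GRAFANA_ADMIN_PASSWORD:?GRAFANA_ADMIN_PASSWORD must be set}"
      # Anonymous access as org Admin: the forward-auth gate is the ONLY thing
      # between the internet and full admin rights, and any container on the
      # Compose network can reach grafana:3000 directly and bypass it.
      # Prefer "Viewer" unless every whitelisted user really needs admin.
      GF_AUTH_ANONYMOUS_ENABLED: "true"
      GF_AUTH_ANONYMOUS_ORG_NAME: "Main Org."
      GF_AUTH_ANONYMOUS_ORG_ROLE: "Admin"
    expose: ["3000"]
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.grafana.rule=Host(`grafana.mydomain.com`)"
      - "traefik.http.routers.grafana.entrypoints=https"
      - "traefik.http.routers.grafana.tls.certresolver=le"
      - "traefik.http.routers.grafana.middlewares=forward-auth@file"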
---
# traefik-static.yml — static configuration (entrypoints, providers, ACME,
# API). Passed to Traefik with --configfile=/config/static.yml.
entryPoints:
  http:
    address: ":80"
  https:
    address: ":443"
  # Only used when api.insecure is enabled, which it is not here, so nothing
  # is routed to it. Routers that do not pin `entrypoints` still attach to
  # every entrypoint, including this one.
  traefik:
    address: ":8080"

providers:
  # Routers/services/middlewares/TLS options live in the dynamic file.
  file:
    filename: "/config/dynamic.yml"
  docker:
    endpoint: "unix:///var/run/docker.sock"
    # Containers must opt in with traefik.enable=true; keep this false so a
    # new container is never published by accident.
    exposedByDefault: false

certificatesResolvers:
  le:
    acme:
      email: "myemail@gmail.com"
      # Must live on a persistent volume with mode 0600 (Traefik refuses
      # looser permissions). Without persistence each restart re-issues
      # certificates and hits Let's Encrypt rate limits.
      storage: "/data/acme.json"
      # HTTP-01 on :80. Traefik answers /.well-known/acme-challenge/ itself,
      # ahead of the HTTP->HTTPS catch-all router in the dynamic file.
      httpChallenge:
        entryPoint: "http"

api:
  # Dashboard enabled but not "insecure": it is reachable only through a
  # router that targets api@internal, which should sit behind forward-auth.
  dashboard: true