@paulfitz
Created March 31, 2022 15:47
Running Grist with traefik-forward-auth
```yaml
# You need to set PROVIDERS_GOOGLE_CLIENT_ID, PROVIDERS_GOOGLE_CLIENT_SECRET,
# and to set DOMAIN and EMAIL in environment
# (e.g. DOMAIN=selfhosted.example.com EMAIL=example@getgrist.com docker compose up)
# The EMAIL will be used in a letsencrypt certificate, and will be the only user able to log in initially.
version: '3'
services:
  reverse-proxy:
    # Use Traefik for routing and certificate handling.
    image: traefik:v2.6
    command:
      - --providers.docker
      - --certificatesResolvers.letsencrypt.acme.email=${EMAIL}
      - --certificatesResolvers.letsencrypt.acme.storage=/acme/acme.json
      - --certificatesResolvers.letsencrypt.acme.tlschallenge=true
      - --entrypoints.websecure.address=:443
      - --entrypoints.websecure.http.tls=true
      - --entrypoints.web.address=:80
      - --entrypoints.web.http.redirections.entrypoint.to=websecure
      - --entrypoints.web.http.redirections.entrypoint.scheme=https
    ports:
      - "80:80"
      - "443:443"
    volumes:
      # You may want to put state somewhere other than /tmp :-)
      - /tmp/grist/acme:/acme
      # Traefik needs docker access when configured via docker labels.
      - /var/run/docker.sock:/var/run/docker.sock
  traefik-forward-auth:
    # Authentication middleware.
    # See https://github.com/thomseddon/traefik-forward-auth for
    # options for configuring it.
    image: thomseddon/traefik-forward-auth:2
    environment:
      PROVIDERS_GOOGLE_CLIENT_ID: XXXXXX.apps.googleusercontent.com
      PROVIDERS_GOOGLE_CLIENT_SECRET: XXXXXXX
      SECRET: something-random
      LOGOUT_REDIRECT: "https://${DOMAIN}/signed-out"
    labels:
      traefik.http.services.traefik-forward-auth.loadbalancer.server.port: 4181
      traefik.http.middlewares.traefik-forward-auth.forwardauth.address: "http://traefik-forward-auth:4181"
      traefik.http.middlewares.traefik-forward-auth.forwardauth.authResponseHeaders: "X-Forwarded-User"
  grist:
    image: paulfitz/grist # currently need a fork, support should be in gristlabs/grist soon all going well
    environment:
      GRIST_FORWARD_AUTH_HEADER: X-Forwarded-User
      GRIST_FORWARD_AUTH_LOGOUT_PATH: _oauth/logout
      GRIST_SINGLE_ORG: grist
      GRIST_DEFAULT_EMAIL: ${EMAIL}
      APP_HOME_URL: https://${DOMAIN}
    ports:
      - "8484:8484"
    volumes:
      # You may want to put state somewhere other than /tmp :-)
      - /tmp/grist/data:/persist
    labels:
      traefik.http.services.grist.loadbalancer.server.port: 8484
      # When logging in, use traefik-forward-auth middleware.
      traefik.http.routers.login.rule: Host(`${DOMAIN}`) && PathPrefix(`/auth/login`)
      traefik.http.routers.login.middlewares: traefik-forward-auth
      traefik.http.routers.login.service: grist
      # Comment out each line with "letsencrypt" in it if your domain is not publicly
      # accessible and you want to use a self-signed certificate.
      traefik.http.routers.login.tls.certresolver: letsencrypt
      # traefik-forward-auth middleware itself has some internal endpoints.
      traefik.http.routers.auth.rule: Host(`${DOMAIN}`) && PathPrefix(`/_oauth`)
      traefik.http.routers.auth.middlewares: traefik-forward-auth
      traefik.http.routers.auth.service: grist
      traefik.http.routers.auth.tls.certresolver: letsencrypt
      # Otherwise, the middleware is not needed and would prevent
      # public shares. Grist will redirect to login when needed.
      traefik.http.routers.general.rule: Host(`${DOMAIN}`)
      traefik.http.routers.general.service: grist
      traefik.http.routers.general.tls.certresolver: letsencrypt
```
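The compose file above relies on a few things lining up: the header Grist trusts (`GRIST_FORWARD_AUTH_HEADER`) must be the one Traefik copies from the middleware's response (`authResponseHeaders`), every router that serves the login path or the `/_oauth` endpoints must carry the `traefik-forward-auth` middleware while the catch-all router must not, the middleware's `SECRET` must not be left at its placeholder, and the `/tmp` volumes are only fine for a test run. The following script is an added example, not code from the gist or from Grist or Traefik. It reads only simple `key: value` lines (enough for the labels and environment entries), so it needs no YAML library, and it checks those four invariants. The sample compose text, the list of placeholder secrets, and the finding codes are my own constructions.

```python
"""Static check of the forward-auth wiring in a Grist/Traefik compose file.

Added example (not from the gist). It flattens every simple ``key: value``
line of the compose file into one dict and audits the assumptions the
gist's comments rely on. Assumed: labels and environment keys never collide,
and the placeholder-secret list below is a constructed guess.
"""
import re
from collections import defaultdict

# Constructed sample: the security-relevant subset of the gist's compose file,
# kept with its placeholder SECRET and /tmp volumes so the checks report something.
SAMPLE_COMPOSE = """
services:
  reverse-proxy:
    image: traefik:v2.6
    volumes:
      - /tmp/grist/acme:/acme
      - /var/run/docker.sock:/var/run/docker.sock
  traefik-forward-auth:
    image: thomseddon/traefik-forward-auth:2
    environment:
      SECRET: something-random
    labels:
      traefik.http.middlewares.traefik-forward-auth.forwardauth.address: "http://traefik-forward-auth:4181"
      traefik.http.middlewares.traefik-forward-auth.forwardauth.authResponseHeaders: "X-Forwarded-User"
  grist:
    environment:
      GRIST_FORWARD_AUTH_HEADER: X-Forwarded-User
    volumes:
      - /tmp/grist/data:/persist
    labels:
      traefik.http.routers.login.rule: Host(`${DOMAIN}`) && PathPrefix(`/auth/login`)
      traefik.http.routers.login.middlewares: traefik-forward-auth
      traefik.http.routers.auth.rule: Host(`${DOMAIN}`) && PathPrefix(`/_oauth`)
      traefik.http.routers.auth.middlewares: traefik-forward-auth
      traefik.http.routers.general.rule: Host(`${DOMAIN}`)
"""

KV_RE = re.compile(r"^\s*([A-Za-z0-9_.\-]+):\s+(.+?)\s*$")
ROUTER_RE = re.compile(r"traefik\.http\.routers\.([^.]+)\.(.+)")
TMP_VOLUME_RE = re.compile(r"^\s*-\s*(/tmp/\S*?):")
PLACEHOLDER_SECRETS = {"something-random", "changeme", "secret", ""}  # constructed list
AUTH_PATHS = ("/auth/login", "/_oauth")
MIDDLEWARE = "traefik-forward-auth"


def parse_simple_kv(text):
    """Collect every `key: value` line into one flat dict (quotes stripped).

    Structural keys such as `image:` repeat and overwrite each other; the
    audit never reads them, so that is harmless here.
    """
    kv = {}
    for line in text.splitlines():
        m = KV_RE.match(line)
        if m:
            kv[m.group(1)] = m.group(2).strip('"')
    return kv


def audit(text):
    """Return a list of 'CODE: message' findings; an empty list means clean."""
    kv = parse_simple_kv(text)
    findings = []

    # 1. Grist trusts exactly one header; Traefik must copy that header from the
    #    middleware's response, otherwise no login ever completes.
    trusted = kv.get("GRIST_FORWARD_AUTH_HEADER")
    forwarded_key = f"traefik.http.middlewares.{MIDDLEWARE}.forwardauth.authResponseHeaders"
    forwarded = [h.strip() for h in kv.get(forwarded_key, "").split(",") if h.strip()]
    if trusted and trusted not in forwarded:
        findings.append(f"HEADER: Grist trusts {trusted!r} but the middleware forwards {forwarded}")

    # 2. Routers serving the login path or the OAuth endpoints must carry the
    #    middleware; the catch-all router deliberately does not (public shares).
    routers = defaultdict(dict)
    for key, value in kv.items():
        m = ROUTER_RE.match(key)
        if m:
            routers[m.group(1)][m.group(2)] = value
    for name, props in routers.items():
        rule = props.get("rule", "")
        has_mw = MIDDLEWARE in props.get("middlewares", "")
        if any(p in rule for p in AUTH_PATHS) and not has_mw:
            findings.append(f"ROUTER: router {name!r} handles an auth path without {MIDDLEWARE}")

    # 3. SECRET protects the middleware's session cookie; a placeholder is as good as none.
    if kv.get("SECRET", "").lower() in PLACEHOLDER_SECRETS:
        findings.append("SECRET: traefik-forward-auth SECRET is a placeholder")

    # 4. ACME account keys and Grist documents under /tmp do not survive a reboot.
    for line in text.splitlines():
        m = TMP_VOLUME_RE.match(line)
        if m:
            findings.append(f"VOLUME: persistent state mounted from {m.group(1)}")

    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_COMPOSE):
        print(finding)
```

To run it against a real deployment, pass the contents of your own `docker-compose.yml` to `audit()` instead of `SAMPLE_COMPOSE`; a clean file returns an empty list, and the gist's file as published reports the placeholder `SECRET` and the two `/tmp` mounts, which is exactly what its own comments warn about.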