Switch to oauth2-proxy

coreos-config/roles/compose_project/templates/traefik/docker-compose.yaml

@@ -21,22 +21,47 @@ services:
 
 {% if deploy_traefik_fa %}
   traefik-fa:
-    image: thomseddon/traefik-forward-auth:latest
-    restart: always
-    volumes:
-      - ./traefik-fa.ini:/forward.ini:ro,Z
-    environment:
-      - CONFIG=/forward.ini
+    image: quay.io/oauth2-proxy/oauth2-proxy:latest
+    restart: unless-stopped
     networks:
       - gateway
     depends_on:
       - traefik
+    labels:
+      traefik.enable: 'true'
+      traefik.http.routers.oauth.entrypoints: websecure
+      traefik.http.routers.oauth.rule: Host(`traefik-fa.tobiasmanske.de`) || PathPrefix(`/oauth2`)
+      traefik.http.services.oauth.loadbalancer.server.port: '4180'
+    environment:
+      OAUTH2_PROXY_PROVIDER: 'keycloak-oidc'
+      OAUTH2_PROXY_CLIENT_ID: '{{ traefik.oidc.client_id }}'
+      OAUTH2_PROXY_CLIENT_SECRET: '{{ traefik.oidc.client_secret }}'
+      OAUTH2_PROXY_OIDC_ISSUER_URL: '{{ traefik.oidc.issuer_url }}'
+      OAUTH2_PROXY_COOKIE_DOMAIN: '.tobiasmanske.de'
+      OAUTH2_PROXY_COOKIE_REFRESH: '1h'
+      OAUTH2_PROXY_COOKIE_SECURE: 'true'
+      OAUTH2_PROXY_COOKIE_SECRET: '{{ traefik.oidc.cookie_secret }}'
+      OAUTH2_PROXY_EMAIL_DOMAINS: '*'
+      OAUTH2_PROXY_FOOTER: '-'
+      OAUTH2_PROXY_HTTP_ADDRESS: '0.0.0.0:4180'
+      OAUTH2_PROXY_PASS_BASIC_AUTH: 'false'
+      OAUTH2_PROXY_PASS_USER_HEADERS: 'true'
+      OAUTH2_PROXY_REVERSE_PROXY: 'true'
+      OAUTH2_PROXY_SET_AUTHORIZATION_HEADER: 'true'
+      OAUTH2_PROXY_SET_XAUTHREQUEST: 'true'
+      OAUTH2_PROXY_WHITELIST_DOMAIN: '.tobiasmanske.de'
+      OAUTH2_PROXY_SKIP_PROVIDER_BUTTON: 'true'
+
+  whoami:
+    image: containous/whoami
+    networks:
+      - gateway
     labels:
       - "traefik.enable=true"
-      - "traefik.http.routers.traefik-fa.rule=Host(`traefik-fa.tobiasmanske.de`)"
-      - "traefik.http.routers.traefik-fa.entryPoints=websecure"
-      - "traefik.http.services.traefik-fa.loadbalancer.server.port=4181"
-      - "traefik.http.routers.traefik-fa.middlewares=sso@file"
+      - "traefik.http.services.whoami.loadbalancer.server.port=80"
+      - "traefik.http.routers.whoami.rule=Host(`test.tobiasmanske.de`)"
+      - "traefik.http.routers.whoami.entryPoints=websecure"
+      - "traefik.http.routers.whoami.middlewares=oauth@file"
 
 {% endif %}
 

coreos-config/roles/compose_project/templates/traefik/dynamic.yaml

@@ -1,7 +1,28 @@
 http:
   middlewares:
-    sso:
+    auth-headers:
+      headers:
+        sslRedirect: true
+        stsSeconds: 315360000
+        browserXssFilter: true
+        contentTypeNosniff: true
+        forceSTSHeader: true
+        sslHost: tobiasmanske.de
+        stsIncludeSubdomains: true
+        stsPreload: true
+        frameDeny: true
+    oauth-auth:
       forwardAuth:
-        address: http://traefik-fa:4181
-        authResponseHeaders:
-          - X-Forwarded-User
+        address: https://traefik-fa.tobiasmanske.de/oauth2/auth
+        trustForwardHeader: true
+    oauth-errors:
+      errors:
+        status:
+          - "401-403"
+        service: oauth@docker
+        query: "/oauth2/sign_in"
+    oauth:
+      chain:
+        middlewares:
+          - oauth-errors
+          - oauth-auth

coreos-config/roles/compose_project/templates/traefik/traefik-fa.ini

@@ -1,22 +0,0 @@
-{% if with_fa|default(false) %}
-default-provider = oidc
-
-# Cookie signing nonce, replace this with something random
-secret = {{ traefik.oidc.cookie_secret }}
-
-# This client id / secret is defined in keycloak-realm-config/master-realm.json
-providers.oidc.client-id = {{ traefik.oidc.client_id }}
-providers.oidc.client-secret = {{ traefik.oidc.client_secret }}
-providers.oidc.issuer-url = {{ traefik.oidc.issuer_url }}
-
-log-level = error
-
-cookie-domain = tobiasmanske.de
-auth-host = traefik-fa.tobiasmanske.de
-
-# Add authorized users here
-{% for user in traefik.oidc.whitelist %}
-whitelist = {{ user }}
-{% endfor %}
-
-{% endif %}