Add Traefik-Forward-Auth Proxy

coreos-config/compose/00_traefik/docker-compose.yaml

@@ -12,6 +12,7 @@ services:
     volumes:
       - "/var/run/docker.sock:/var/run/docker.sock:z"
       - "./traefik.yaml:/etc/traefik/traefik.yaml:Z,ro"
+      - "./dynamic.yaml:/etc/traefik/dynamic.yaml:Z,ro"
       - "acme:/acme"
     networks:
       - gateway
@@ -19,6 +20,34 @@ services:
     environment:
       CLOUDFLARE_DNS_API_TOKEN: "{{ traefik.CLOUDFLARE_DNS_API_TOKEN }}"
 
+  traefik-fa:
+    image: thomseddon/traefik-forward-auth:latest
+    volumes:
+      - ./traefik-fa.ini:/forward.ini:ro,Z
+    environment:
+      - CONFIG=/forward.ini
+    networks:
+      - gateway
+    depends_on:
+      - traefik
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.routers.traefik-fa.rule=Host(`traefik-fa.tobiasmanske.de`)"
+      - "traefik.http.routers.traefik-fa.entryPoints=websecure"
+      - "traefik.http.services.traefik-fa.loadbalancer.server.port=4181"
+      - "traefik.http.routers.traefik-fa.middlewares=sso@file"
+
+  # whoami:
+  #   image: containous/whoami
+  #   networks:
+  #     - gateway
+  #   labels:
+  #     - "traefik.enable=true"
+  #     - "traefik.http.services.whoami.loadbalancer.server.port=80"
+  #     - "traefik.http.routers.whoami.rule=Host(`test.tobiasmanske.de`)"
+  #     - "traefik.http.routers.whoami.entryPoints=websecure"
+  #     - "traefik.http.routers.whoami.middlewares=sso@file"
+
 volumes:
   acme:
 

coreos-config/compose/00_traefik/dynamic.yaml

@@ -0,0 +1,7 @@
+http:
+  middlewares:
+    sso:
+      forwardAuth:
+        address: http://traefik-fa:4181
+        authResponseHeaders:
+          - X-Forwarded-User

coreos-config/compose/00_traefik/traefik-fa.ini

@@ -0,0 +1,20 @@
+default-provider = oidc
+
+# Cookie signing nonce, replace this with something random
+secret = {{ traefik.oidc.cookie_secret }}
+
+# This client id / secret is defined in keycloak-realm-config/master-realm.json
+providers.oidc.client-id = {{ traefik.oidc.client_id }}
+providers.oidc.client-secret = {{ traefik.oidc.client_secret }}
+providers.oidc.issuer-url = {{ traefik.oidc.issuer_url }}
+
+log-level = error
+
+cookie-domain = tobiasmanske.de
+auth-host = traefik-fa.tobiasmanske.de
+
+# Add authorized users here
+{% for user in traefik.oidc.whitelist %}
+whitelist = {{ user }}
+{% endfor %}
+

coreos-config/compose/00_traefik/traefik.yaml

@@ -4,6 +4,8 @@ providers:
   docker:
     network: gateway
     exposedbydefault: false
+  file:
+    filename: /etc/traefik/dynamic.yaml
 entryPoints:
   web:
     address: ":80"