Closed calmcacil closed 4 years ago
@Gibletron I noticed you defined org-coadmin as the middleware but reference org-admin@file in the container's config.
@ddimick That is correct. I have three of the same middlewares, for org-coadmin, org-admin and org-user. That way I can have granular control over who can access what.
@a-nunes Did you manage to find a way?
What I'm trying to do is use it just as an auth layer... if someone goes to a subdomain, it redirects to the main domain to authenticate, and after auth it redirects again to the subdomain, instead of landing on the Organizr main page.
For the record in traefik2
First steps
docker-compose with
```yaml
organizr2:
  image: organizr/organizr
  labels:
    - "${TANGO_INSTANCE_NAME}.managed=true"
    - "traefik.enable=true"
    # auth middlewares
    - "traefik.http.middlewares.myauth.forwardauth.address=https://organizr2.domain.com:443/api/?v1/auth&group=1"
    # insecureSkipVerify=true turns off certificate verification for the call to the auth endpoint
    - "traefik.http.middlewares.myauth.forwardauth.tls.insecureSkipVerify=true"
    # trustforwardheader=true makes Traefik trust X-Forwarded-* headers already present on the request
    - "traefik.http.middlewares.myauth.forwardauth.trustforwardheader=true"
    # service
    - "traefik.http.services.organizr2.loadbalancer.server.port=80"
    - "traefik.http.services.organizr2.loadbalancer.server.scheme=http"
    - "traefik.http.services.organizr2.loadbalancer.passhostheader=true"
    # routers
    - "traefik.http.routers.organizr2-secure.entrypoints=web_main_secure"
    - "traefik.http.routers.organizr2-secure.rule=HostRegexp(`{subdomain:organizr2.}{domain:domain.com}`)"
    - "traefik.http.routers.organizr2-secure.priority=50"
    - "traefik.http.routers.organizr2-secure.service=organizr2"
    - "traefik.http.routers.organizr2-secure.tls=true"
    - "traefik.http.routers.organizr2-secure.tls.domains[0].main=organizr2.domain.com"
    # routers middleware
    - "traefik.http.routers.organizr2-secure.middlewares=error-middleware"
    # SPECIAL tip to make organizr plex SSO work : have another way to access plex as a subfolder of organizr2 dns name
    - "traefik.http.middlewares.organizr2-plex-stripprefix.stripprefix.prefixes=/plex, /plex/"
    - "traefik.http.routers.organizr2-plex-secure.entrypoints=web_main_secure"
    - "traefik.http.routers.organizr2-plex-secure.rule=HostRegexp(`{subdomain:organizr2.}{domain:domain.com}`) && (PathPrefix(`/plex`) || PathPrefix(`/web`))"
    - "traefik.http.routers.organizr2-plex-secure.priority=100"
    - "traefik.http.routers.organizr2-plex-secure.service=plex"
    - "traefik.http.routers.organizr2-plex-secure.tls=true"
    - "traefik.http.routers.organizr2-plex-secure.tls.domains[0].main=organizr2.domain.com"
    # add myauth to authorize access to these url http://organizr2.domain.com/plex http://organizr2.domain.com/web only after logged into organizr
    - "traefik.http.routers.organizr2-plex.middlewares=organizr2-plex-stripprefix,myauth"
    - "traefik.http.routers.organizr2-plex-secure.middlewares=organizr2-plex-stripprefix,myauth"
    # NOTE : do not activate error-middleware, if so plex service cannot ask for authentication
  networks:
    - default
  expose:
    - 80
sabnzbd:
  image: studioetrange/docker-sabnzbd:${SABNZBD_VERSION:-latest}
  restart: unless-stopped
  labels:
    - "traefik.enable=true"
    # service
    - "traefik.http.services.sabnzbd.loadbalancer.server.port=8080"
    - "traefik.http.services.sabnzbd.loadbalancer.server.scheme=http"
    - "traefik.http.services.sabnzbd.loadbalancer.passhostheader=true"
    # routers
    - "traefik.http.routers.sabnzbd-secure.entrypoints=web_main_secure"
    - "traefik.http.routers.sabnzbd-secure.rule=HostRegexp(`{subdomain:sabnzbd.}{domain:domain.com}`)"
    - "traefik.http.routers.sabnzbd-secure.service=sabnzbd"
    - "traefik.http.routers.sabnzbd-secure.tls=true"
    - "traefik.http.routers.sabnzbd-secure.tls.domains[0].main=sabnzbd.domain.com"
    # routers middleware
    - "traefik.http.routers.sabnzbd.middlewares=myauth,error-middleware"
    - "traefik.http.routers.sabnzbd-secure.middlewares=myauth,error-middleware"
  networks:
    - default
  expose:
    - 8080
    # HTTPS port
    - 8081
  build:
    context: https://github.com/StudioEtrange/docker-sabnzbd.git#:ver/${SABNZBD_VERSION:-latest}
plex:
  image: plexinc/pms-docker:${PLEX_VERSION:-latest}
  # ....
  labels:
    - "traefik.enable=true"
    # service
    - "traefik.http.services.plex.loadbalancer.server.port=32400"
    - "traefik.http.services.plex.loadbalancer.server.scheme=http"
    - "traefik.http.services.plex.loadbalancer.passhostheader=true"
    # routers
    - "traefik.http.routers.plex-secure.entrypoints=web_main_secure"
    - "traefik.http.routers.plex-secure.rule=HostRegexp(`{subdomain:plex.}{domain:domain.com}`)"
    - "traefik.http.routers.plex-secure.service=plex"
    - "traefik.http.routers.plex-secure.tls=true"
    - "traefik.http.routers.plex-secure.tls.domains[0].main=plex.domain.com"
  networks:
    - default
  expose:
    - 32400/tcp
```
Organizr Version: V2 Official Docker
Branch: Master
WebServer: nginx
Operating System: Debian10/docker
Problem Description:
It's not as much a problem as it is a request for tweaks. Currently, if you try to access any of your containers behind traefik forward auth using organizr as the api (as per the documentation), you will be met with a 401 error if you are not logged in, which is fine, but I was wondering if we could have a way to redirect it in case of a 401 error to the login page instead of just showing a flat error. This is the behavior using traefik-forward-auth would have, and it would be nice to have for organizr as a server auth provider as well. Potentially by simply being able to add ?loginredirect=loginurl at the end of the case of a 401 error for said page.
Reproduction Steps:
Access any traefik enabled container with organizr api as the auth provider without being logged in.
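
One way to implement the redirect requested above is a small forward-auth shim between Traefik and the Organizr auth API; this is an added example, not code from Organizr, Traefik or any post in this thread. `LOGIN_URL` and the `return` parameter name are assumptions, `domain.com` is the placeholder from the compose labels, and the `X-Forwarded-*` names are the headers Traefik's forwardAuth sends to the auth server.

```python
import re
from urllib.parse import urlencode

PARENT_DOMAIN = "domain.com"                  # placeholder domain from the compose labels
LOGIN_URL = "https://organizr2.domain.com/"   # assumption: where the login page lives
RETURN_PARAM = "return"                       # hypothetical parameter name, not an Organizr API

HOST_RE = re.compile(r"[a-z0-9.-]+(:\d{1,5})?")

def host_allowed(host):
    """True only for PARENT_DOMAIN or one of its subdomains."""
    host = host.lower()
    if not HOST_RE.fullmatch(host):
        return False  # rejects '@', '#', '/', whitespace and CR/LF in the header
    name = host.split(":")[0].rstrip(".")
    return name == PARENT_DOMAIN or name.endswith("." + PARENT_DOMAIN)

def original_url(fwd):
    """Rebuild the URL the browser asked for from Traefik's X-Forwarded-* headers."""
    proto = fwd.get("X-Forwarded-Proto", "")
    host = fwd.get("X-Forwarded-Host", "")
    uri = fwd.get("X-Forwarded-Uri", "/")
    if proto not in ("http", "https") or not host_allowed(host):
        return None
    if not uri.startswith("/") or re.search(r"[\x00-\x20\\]", uri):
        return None
    return f"{proto}://{host}{uri}"

def forward_auth_response(upstream_status, fwd):
    """Map the auth API's status to the (status, headers) the shim hands back to Traefik."""
    if 200 <= upstream_status < 300:
        return 200, {}  # authenticated: Traefik lets the request through
    if upstream_status != 401 or fwd.get("X-Forwarded-Method", "GET") != "GET":
        return upstream_status, {}  # API calls and other errors keep their status
    target = original_url(fwd)
    # Only a validated same-domain URL is passed on, so the login page
    # cannot be turned into an open redirect via a forged Host header.
    location = LOGIN_URL + ("?" + urlencode({RETURN_PARAM: target}) if target else "")
    return 302, {"Location": location}
```

Traefik returns a non-2xx response from the auth server to the client as-is, so the 302 and its `Location` header reach the browser.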