mesosphere / traefik-forward-auth


Need of working docker-compose please #1

Closed vincentbenzo closed 4 years ago

vincentbenzo commented 5 years ago

First of all, thank you for your work!

I'm very interested in using your fork with Keycloak as an OIDC provider; unfortunately I can't make it work. If you could give a working example of a docker-compose with all the environment variables necessary to make it work, it would be a real bonus. At the moment I think it is still the docker-compose files from thomseddon, with unsupported Google-specific options like providers.google.client-id.

Thank you!

AlbinoDrought commented 5 years ago

Hey, I was in the same spot.

I was previously using thomseddon/traefik-forward-auth with GSuite in Auth Host mode but wanted to move to an on-site setup. I ended up following along with config.go directly.

I ended up with this as a drop-in replacement for my previous thomseddon/traefik-forward-auth config:

  auth-meso:
    image: mesosphere/traefik-forward-auth:1.0.4
    environment:
      # Secret used for signing (required)
      SECRET: pancakes
      # OpenID Connect config:
      PROVIDER_URI: http://auth-hydra.test.localhost/
      CLIENT_ID: auth-code-client
      CLIENT_SECRET: secret
      # We are in `Auth Host` mode.
      # This instance will be available at auth-meso.test.localhost:
      AUTH_HOST: auth-meso.test.localhost
      # All of our services are under the domain test.localhost, so that is our cookie domain:
      COOKIE_DOMAIN: test.localhost
      # We only have HTTP enabled, so insecure cookies must be enabled for cookies to persist:
      INSECURE_COOKIE: 'true'
    restart: on-failure
    labels:
      traefik.enable: 'true'
      # the forward-auth middleware is registered here:
      # (note: it uses a route to this service that DOES NOT use the forward-auth middleware)
      traefik.http.middlewares.forward-auth.forwardauth.address: 'http://auth-meso:4181/'
      traefik.http.middlewares.forward-auth.forwardauth.authResponseHeaders: 'X-Forwarded-User'
      traefik.http.services.auth-meso.loadbalancer.server.port: '4181'
      # here is our routable auth-meso.test.localhost Auth Host
      # (note: it uses the forward-auth middleware)
      traefik.http.routers.auth-meso.rule: 'Host(`auth-meso.test.localhost`)'
      traefik.http.routers.auth-meso.middlewares: 'forward-auth'

Whipped together a tiny demo over here: https://github.com/AlbinoDrought/creamy-home-auth-provider/tree/master/examples/forward-auth

vincentbenzo commented 5 years ago

Hello!

Thank you very much for your message, I'm going to test it as soon as I can! I'm just not sure I quite understand what is happening under the hood... Everything seems logical to me, except this: traefik.http.middlewares.forward-auth.forwardauth.address: 'http://auth-meso:4181/'. How does this work? auth-meso is never defined in a Host rule; is it possible because it matches the name of the service, so Docker does some internal resolution?

Thanks again for taking the time!

dafanasiev commented 4 years ago

How does this work? auth-meso is never defined in a Host rule; is it possible because it matches the name of the service, so Docker does some internal resolution?

Yes, this is Docker networking: https://docs.docker.com/config/containers/container-networking/

EXAMPLE. Keycloak: https://sso.mycompany.net/ client: git

Keycloak settings (in the admin web UI - https://sso.mycompany.net/):

1) add a client (this is your client name - in my sample, git) to some realm (my_super_realm)
2) set Access Type = confidential
3) grab the client secret from the Credentials tab
4) set up the Client Scopes tab - add profile to the Assigned Optional Client Scopes list. I also remove email from the default list and add it to the optional list.
5) add http://git.localhost/_oauth to Valid Redirect URIs

docker-compose:

version: '3'

services:
  traefik:
    image: traefik:v2.1
    environment:
      # show hits in stdout for debugging:
      TRAEFIK_ACCESSLOG: 'true'
      # enable dashboard for debugging on 8080. TRAEFIK_API_INSECURE serves it with no
      # authentication, so keep 8080 bound to a local interface and drop it outside demos:
      TRAEFIK_API: 'true'
      TRAEFIK_API_INSECURE: 'true'
      # route to things from docker:
      TRAEFIK_PROVIDERS_DOCKER: 'true'
      TRAEFIK_PROVIDERS_DOCKER_EXPOSEDBYDEFAULT: 'false'
      # but only if they have the label 'traefik.environment=localhost':
      TRAEFIK_PROVIDERS_DOCKER_CONSTRAINTS: 'Label(`traefik.environment`, `localhost`)'
      # expose :80 as the "web" endpoint:
      TRAEFIK_ENTRYPOINTS_WEB: 'true'
      TRAEFIK_ENTRYPOINTS_WEB_ADDRESS: :80
    ports:
      - "80:80"
      - "8080:8080"
    networks:
      web:
        aliases:
          # these aliases are hacks so we can route the *.localhost domains from inside the containers:
          - auth.localhost
          - git.localhost
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
    depends_on:
      - git-auth

  git-auth:
    image: mesosphere/traefik-forward-auth:1.0.4
    environment:
      # Secret used for signing (required). 'pancakes' is a demo value; whoever knows it
      # can forge session cookies, so use a long random string anywhere real.
      SECRET: pancakes
      # OpenID Connect config: PROVIDER_URI is the Keycloak realm URL.
      PROVIDER_URI: https://sso.mycompany.net/auth/realms/my_super_realm
      CLIENT_ID: git
      # client secret from the Credentials tab (placeholder here):
      CLIENT_SECRET: xxxxxxxxxx
      # AUTH_HOST is the host the OIDC callback (/_oauth) comes back to. Here it is the
      # protected host itself, so the callback is http://git.localhost/_oauth, which is
      # exactly the Valid Redirect URI registered in Keycloak above.
      AUTH_HOST: git.localhost
      # The session cookie is scoped to git.localhost, the only protected host here:
      COOKIE_DOMAIN: git.localhost
      # We only have HTTP enabled, so insecure cookies must be enabled for cookies to persist
      # (do not keep this once a TLS entrypoint is in front):
      INSECURE_COOKIE: 'true'
      LOG_LEVEL: debug
      CSRF_COOKIE_NAME: '_forward_auth_csrf'
    restart: on-failure

    networks:
      - web
    labels:
      traefik.enable: 'true'
      traefik.environment: 'localhost'
      # the forward-auth middleware is registered here. Its address is the container's own
      # port on the docker network (resolved by docker DNS from the service name), not a
      # traefik route, so the auth request itself never passes through the middleware:
      traefik.http.middlewares.forward-auth.forwardauth.address: 'http://git-auth:4181/'
      traefik.http.middlewares.forward-auth.forwardauth.authResponseHeaders: 'X-Forwarded-User'
      traefik.http.services.auth.loadbalancer.server.port: '4181'
      # a separate router for git-auth.localhost. With AUTH_HOST=git.localhost the callback
      # arrives on the git router below, so this host is not part of the login flow:
      traefik.http.routers.auth.rule: 'Host(`git-auth.localhost`)'
      traefik.http.routers.auth.middlewares: 'forward-auth'

  git:
    image: mendhak/http-https-echo
    networks:
      - web
    labels:
      traefik.enable: 'true'
      traefik.environment: 'localhost'
      traefik.http.services.git.loadbalancer.server.port: '80'
      traefik.http.routers.git.rule: 'Host(`git.localhost`)'
      traefik.http.routers.git.middlewares: 'forward-auth'

networks:
  web:

And now you can navigate to http://git.localhost and see "some redirect magic" (OpenID Connect code flow)...
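An added check for that first hop of the redirect, written for this page and not part of the thread or the traefik-forward-auth project. It takes the compose values above (PROVIDER_URI, CLIENT_ID, AUTH_HOST, CSRF_COOKIE_NAME) plus the Valid Redirect URI registered in Keycloak in step 5, requests the protected host with no cookies, and verifies the 307 that comes back: Location must be the realm's authorization endpoint over https, response_type=code for the configured client_id with an openid scope, redirect_uri must equal http://AUTH_HOST/_oauth and be in Keycloak's allowlist, and a state parameter plus an HttpOnly CSRF cookie must be present. The embedded sample response is constructed (Keycloak's /protocol/openid-connect/auth path under the realm is its standard authorization endpoint); the live probe assumes git.localhost resolves to the docker host running the stack.

```python
"""Check the first redirect of the forward-auth login flow (added example)."""
import urllib.error
import urllib.request
from http.cookies import SimpleCookie
from urllib.parse import parse_qs, urlsplit

# Assumed values, copied from the compose file and Keycloak client settings above.
CONFIG = {
    "provider_uri": "https://sso.mycompany.net/auth/realms/my_super_realm",
    "client_id": "git",
    "auth_host": "git.localhost",
    "csrf_cookie_name": "_forward_auth_csrf",
    "keycloak_valid_redirect_uris": ["http://git.localhost/_oauth"],
}


def expected_redirect_uri(cfg, scheme="http"):
    """The callback forward-auth sends to Keycloak: <scheme>://<AUTH_HOST>/_oauth."""
    return f"{scheme}://{cfg['auth_host']}/_oauth"


def check_login_redirect(status, headers, cfg, scheme="http"):
    """Return a list of problems found in a login redirect; [] means it looks right.

    `headers` is a list of (name, value) pairs so repeated Set-Cookie headers survive.
    """
    problems = []
    if status not in (302, 303, 307):
        return [f"expected a redirect status, got {status}"]
    location = next((v for k, v in headers if k.lower() == "location"), None)
    if not location:
        return ["no Location header"]
    loc, prov = urlsplit(location), urlsplit(cfg["provider_uri"])
    # 1. the browser must be sent to the IdP, over TLS, inside the configured realm
    if loc.scheme != "https":
        problems.append("authorization endpoint is not https")
    if loc.netloc != prov.netloc or not loc.path.startswith(prov.path.rstrip("/") + "/"):
        problems.append(f"redirect goes to {loc.netloc}{loc.path}, not the configured realm")
    q = {k: v[0] for k, v in parse_qs(loc.query).items()}
    # 2. authorization code flow for our client, with the openid scope (we want an ID token)
    if q.get("response_type") != "code":
        problems.append(f"response_type={q.get('response_type')!r}, want 'code'")
    if q.get("client_id") != cfg["client_id"]:
        problems.append(f"client_id={q.get('client_id')!r}, want {cfg['client_id']!r}")
    if "openid" not in q.get("scope", "").split():
        problems.append("scope does not include 'openid'")
    # 3. redirect_uri must be the AUTH_HOST callback and be allowlisted in Keycloak
    want, got = expected_redirect_uri(cfg, scheme), q.get("redirect_uri")
    if got != want:
        problems.append(f"redirect_uri={got!r}, want {want!r}")
    if got not in cfg["keycloak_valid_redirect_uris"]:
        problems.append(f"redirect_uri {got!r} is not in Keycloak's Valid Redirect URIs")
    # 4. CSRF binding: a state value in the URL and the cookie it will be checked against
    if not q.get("state"):
        problems.append("no state parameter")
    jar = SimpleCookie()
    for k, v in headers:
        if k.lower() == "set-cookie":
            jar.load(v)
    csrf = jar.get(cfg["csrf_cookie_name"])
    if csrf is None:
        problems.append(f"no {cfg['csrf_cookie_name']} cookie set")
    elif not csrf["httponly"]:
        problems.append("CSRF cookie is not HttpOnly")
    return problems


def fetch_login_redirect(url, timeout=5):
    """GET `url` with no cookies and without following redirects; return (status, headers)."""
    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, *args, **kwargs):
            return None  # decline to follow, so the 3xx surfaces as an HTTPError
    try:
        resp = urllib.request.build_opener(NoRedirect).open(url, timeout=timeout)
        return resp.status, list(resp.getheaders())
    except urllib.error.HTTPError as err:
        return err.code, list(err.headers.items())


# Constructed sample of what git-auth answers for http://git.localhost/ with no session cookie.
SAMPLE_STATUS = 307
SAMPLE_HEADERS = [
    ("Location",
     "https://sso.mycompany.net/auth/realms/my_super_realm/protocol/openid-connect/auth"
     "?client_id=git&redirect_uri=http%3A%2F%2Fgit.localhost%2F_oauth"
     "&response_type=code&scope=openid+profile+email&state=1a2b3c%3Ahttp%3A%2F%2Fgit.localhost%2F"),
    ("Set-Cookie", "_forward_auth_csrf=1a2b3c; Path=/; Domain=git.localhost; HttpOnly"),
]

if __name__ == "__main__":
    # Live probe against the compose stack (assumes git.localhost resolves to the docker host).
    status, headers = fetch_login_redirect("http://git.localhost/")
    for line in check_login_redirect(status, headers, CONFIG) or ["login redirect looks right"]:
        print(line)
```

Run it from the host while the stack is up; a wrong AUTH_HOST shows up as two redirect_uri lines (it neither matches the expected callback nor Keycloak's allowlist), which is the same mismatch Keycloak otherwise reports only as "Invalid parameter: redirect_uri" after the redirect.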

jr0d commented 4 years ago

I don't really have the cycles to work on this, but it looks like @dafanasiev and @AlbinoDrought have provided you with enough to get by on. If you've arrived at an acceptable solution, please feel free to submit a patch.