Closed jonwilliams84 closed 4 years ago
Worked it out after a couple of hours. I was missing the forward auth labels on the forward auth service itself.
Here is my working config in case anyone else has the issue.
This uses LE for certs, a servers.toml for services outside of swarm (e.g. emby), and AUTH_HOST for a single-domain-level auth for all services, which can be selectively used based on the presence of the "traefik.http.routers.whoami.middlewares=traefik-forward-auth" label on the services you wish to put behind forward-auth.
```yaml
version: "3.7"
services:
  traefik:
    image: traefik:latest
    command:
      - "--providers.docker=true"
      - "--api.dashboard=true"
      - "--api.insecure=true"
      - "--providers.docker.exposedbydefault=false"
      - "--entrypoints.https.address=:443"
      - "--entrypoints.http.address=:80"
      - "--certificatesresolvers.myhttpchallenge.acme.httpchallenge=true"
      - "--certificatesresolvers.myhttpchallenge.acme.httpchallenge.entrypoint=http"
      - "--certificatesresolvers.myhttpchallenge.acme.storage=/letsencrypt/acme.json"
      - "--providers.docker.swarmmode"
      - "--providers.file.filename=/static/servers2.toml"
      - "--serversTransport.insecureSkipVerify=true"
      - "--log=true"
      - "--log.level=ERROR"
      - "--accessLog=true"
      - "--accessLog.filePath=/access.log"
      - "--accessLog.bufferingSize=100" # Configuring a buffer of 100 lines (comment must sit outside the quoted flag)
    ports:
      - target: 80
        published: 80
        protocol: tcp
        mode: host
      - target: 443
        published: 443
        protocol: tcp
        mode: host
      - target: 8080
        published: 8080
        protocol: tcp
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - /var/data/traefik-2/letsencrypt:/letsencrypt
      - /var/data/config/traefik-app/servers2.toml:/static/servers2.toml
      - /var/log/traefik/traefik.log:/traefik.log:rw
      - /var/log/traefik/access.log:/access.log:rw
    networks:
      - traefik_public
    deploy:
      labels:
        - "traefik.enable=false"
      mode: global
      placement:
        constraints: [node.role == manager]
      restart_policy:
        condition: on-failure
  traefik-forward-auth:
    image: thomseddon/traefik-forward-auth:2
    # env_file: ./traefik-forward-auth.env
    environment:
      - PROVIDERS_GOOGLE_CLIENT_ID=###################
      - PROVIDERS_GOOGLE_CLIENT_SECRET=################
      - SECRET=################
      - INSECURE_COOKIE=false
      - COOKIE_DOMAIN=domain.com
      - AUTH_HOST=auth.domain.com
    command:
      - "--log-level=error"
      - "--whitelist=user1@gmail.com"
      - "--whitelist=user2@gmail.com"
    deploy:
      labels:
        - "traefik.http.routers.forwardauth.rule=Host(`auth.domain.com`)"
        - "traefik.http.routers.forwardauth.tls.certresolver=myhttpchallenge"
        - "traefik.http.routers.forwardauth.tls=true" # Don't believe this is actually required
        - "traefik.http.routers.forwardauth.middlewares=traefik-forward-auth"
        - "traefik.http.middlewares.traefik-forward-auth.forwardauth.address=http://traefik-forward-auth:4181"
        - "traefik.http.middlewares.traefik-forward-auth.forwardauth.authResponseHeaders=X-Forwarded-User"
        - "traefik.http.middlewares.traefik-forward-auth.forwardauth.trustForwardHeader=true"
        - "traefik.http.services.traefik-forward-auth.loadbalancer.server.port=4181"
    networks:
      - traefik_public
  whoami:
    image: containous/whoami
    networks:
      - traefik_public
    deploy:
      labels:
        - "traefik.enable=true"
        - "traefik.http.routers.whoami.rule=Host(`whoami.domain.com`)"
        - "traefik.http.services.whoami.loadbalancer.server.port=80"
        - "traefik.http.routers.whoami.tls=true" # Don't believe this is actually required
        - "traefik.http.routers.whoami.tls.certresolver=myhttpchallenge"
        - "traefik.http.routers.whoami.middlewares=traefik-forward-auth"
      replicas: 1
networks:
  traefik_public:
    external: true
```
Hope this helps, as I spent a good couple of hours scratching my noggin investigating an endless loop on auth. :-)
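As an added example (not part of the original post or of the traefik-forward-auth project), a small Python check for the wiring mistake described above: it takes the Traefik labels per service as a dict, confirms that every router's `middlewares` reference resolves to a forwardauth middleware defined on an enabled service, lists routers that carry no middleware (and so stay reachable without login), and flags an auth service that defines the middleware without routing its own AUTH_HOST router through it. The `SAMPLE` label set and its hostnames are constructed here to mirror the compose file, not copied from it.

```python
import re

# Label shapes checked (Traefik v2 docker-provider labels as used in the compose file above).
ROUTER_RE = re.compile(r"^traefik\.http\.routers\.([^.]+)\.(rule|middlewares)=(.*)$")
FWDAUTH_RE = re.compile(r"^traefik\.http\.middlewares\.([^.]+)\.forwardauth\.address=")

# Constructed sample modelled on the compose file above (hypothetical hosts, not the poster's labels).
SAMPLE = {
    "traefik-forward-auth": [
        "traefik.enable=true",
        "traefik.http.routers.forwardauth.rule=Host(`auth.domain.com`)",
        "traefik.http.routers.forwardauth.middlewares=traefik-forward-auth",
        "traefik.http.middlewares.traefik-forward-auth.forwardauth.address=http://traefik-forward-auth:4181",
    ],
    "whoami": [
        "traefik.enable=true",
        "traefik.http.routers.whoami.rule=Host(`whoami.domain.com`)",
        "traefik.http.routers.whoami.middlewares=traefik-forward-auth",
    ],
    "emby": [  # router without the middleware label: stays reachable without login
        "traefik.enable=true",
        "traefik.http.routers.emby.rule=Host(`emby.domain.com`)",
    ],
}

def check_forward_auth(labels_by_service, exposed_by_default=False):
    """Return a list of findings; an empty list means the forward-auth wiring is consistent."""
    findings, middlewares, routers = [], {}, {}
    for svc, labels in labels_by_service.items():
        # With --providers.docker.exposedbydefault=false Traefik ignores every label of a
        # service lacking traefik.enable=true, middleware definitions included.
        if not (exposed_by_default or "traefik.enable=true" in labels):
            if any(l.startswith("traefik.http.") for l in labels):
                findings.append(f"{svc}: has traefik.http labels but is not enabled, Traefik will ignore them")
            continue
        for label in labels:
            if m := FWDAUTH_RE.match(label):
                middlewares[m.group(1)] = svc
            elif m := ROUTER_RE.match(label):
                r = routers.setdefault(m.group(1), {"service": svc, "middlewares": []})
                if m.group(2) == "middlewares":
                    r["middlewares"] = [x.strip() for x in m.group(3).split(",")]
    for name, r in routers.items():
        if not r["middlewares"]:
            findings.append(f"router {name} ({r['service']}): no middleware, reachable without forward auth")
        for mw in r["middlewares"]:
            if mw not in middlewares:
                findings.append(f"router {name}: middleware {mw} is not defined by any enabled service")
    # AUTH_HOST mode: the auth service's own router must also pass through the middleware,
    # otherwise the OAuth callback on the auth host never reaches the auth handler.
    for mw, svc in middlewares.items():
        if not any(r["service"] == svc and mw in r["middlewares"] for r in routers.values()):
            findings.append(f"{svc}: defines {mw} but its own router does not use it (AUTH_HOST callback breaks)")
    return findings
```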
👍 glad it's fixed :)
Hi,
Do you have any examples with HTTPS Acme providers (Let's Encrypt)?
I have a kind of working config, but not sure it's fully correct as I end up with a Router for HTTP and Router for HTTPS for each service.
Here is what my dashboard looks like: