Closed Svarto closed 5 years ago
No problem, it should mostly be "automatic" but if something has gone wrong it could be an opportunity to improve documentation, could you post your config?
certainly!
traefik.toml
[entryPoints]
  [entryPoints.http]
  address = ":80"
    [entryPoints.http.redirect]
    entryPoint = "https"
  [entryPoints.https]
  address = ":443"
    [entryPoints.https.auth.forward]
    address = "http://172.19.0.7:4181" # ip of the traefik-forward-auth docker container
    authResponseHeaders = ["X-Forwarded-User"]

[frontends.frontend1]
backend = "backend2"
passHostHeader = true
  [frontends.frontend1.headers]
  HostsProxyHeaders = ["X-Forwarded-Hosts"]
  SSLRedirect = true
  FrameDeny = true
  STSSeconds = 315360000
  STSIncludeSubdomains = true
  ContentTypeNosniff = true
  BrowserXssFilter = true
  ReferrerPolicy = "same-origin"
  [frontends.frontend1.routes.app1]
  rule = "Host:app1.my-top-domain.com"
traefik-forward-auth docker:
version: '3'
services:
  traefik-forward-auth:
    image: thomseddon/traefik-forward-auth
    environment:
      - CLIENT_ID="my client id from Google Oauth2"
      - CLIENT_SECRET="my client secret from Google Oauth2"
      - SECRET="I entered a password here, just letters and numbers"
      - COOKIE_SECURE=false
      - DOMAIN=my-top-domain.com
    networks:
      - ovpn_network
Google OAuth consent screen: entered the application name and also the Authorized domains ("my-top-domain.com"). Left everything else blank or at its defaults.
Google Credentials: created an OAuth2 credential, entered a name for the application and then added the following authorized redirect URIs:
https://app1.my-top-domain.com/_oauth https://app1.my-top-domain.com
I tried the first time only adding https://app1.my-top-domain.com/_oauth, but that didn't work so I added the second one just in case - still get "not authorized" though...
Are you using https? If so, you will need to leave COOKIE_SECURE=true
I use ansible for deployment, but it works well with all the integrated containers at @Svarto. Hopefully this post may help. @thomseddon does the lifetime look right to you? (Sorry if this piece is off-topic.)
# traefik.toml
################################################################
# Global configuration
################################################################
# Log level
#
# Optional
# Default: "ERROR"
# Accepted values, in order of severity: "DEBUG", "INFO", "WARN", "ERROR", "FATAL", "PANIC"
insecureskipverify = true
logLevel = "WARN"
defaultEntryPoints = ["http", "https"]

[entryPoints]
  [entryPoints.http]
  address = ":80"
    [entryPoints.http.redirect]
    entryPoint = "https"
  [entryPoints.https]
  address = ":443"
    [entryPoints.https.tls]
    MinVersion = "VersionTLS12"
    CipherSuites = ["TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256","TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384","TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256","TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256"]
  [entryPoints.monitor]
  address = ":8081"

[retry]

[acme]
acmeLogging = true
email = "{{email.stdout}}"
storage = "/etc/traefik/acme/acme.json"
entryPoint = "https"
  [acme.dnsChallenge]
  provider = "{{provider.stdout}}"
  delayBeforeCheck = 30
  [[acme.domains]]
  main = "{{domain.stdout}}"
  [[acme.domains]]
  main = "*.{{domain.stdout}}"

[docker]
endpoint = "unix:///var/run/docker.sock"
domain = "{{domain.stdout}}"
watch = true
exposedbydefault = false
network = "plexguide"
---
- hosts: localhost
  gather_facts: false
  tasks:
    # FACTS #######################################################################
    - name: "Set Known Facts"
      set_fact:
        pgrole: "oauth"
        intport: "4181"
        extport: "4181"
        image: "thomseddon/traefik-forward-auth"

    # CORE (MANDATORY) ############################################################
    - name: CronJob Role
      include_tasks: "/opt/plexguide/containers/_core.yml"

    - name: Register Auth Path
      shell: "cat /var/plexguide/shield.clientid"
      register: clientid

    - name: Register Auth Path
      shell: "cat /var/plexguide/shield.clientsecret"
      register: clientsecret

    - name: Register WhiteListed E-Mails
      shell: "cat /var/plexguide/pgshield.compiled"
      register: whitelisted

    # LABELS ######################################################################
    - name: "Setting PG Labels"
      set_fact:
        pg_labels:
          traefik.enable: "true"
          traefik.port: "4181"
          traefik.backend: "oauth"
          traefik.frontend.rule: "Host:oauth.{{domain.stdout}}"
          traefik.frontend.auth.forward.address: "http://oauth:4181"

    - name: "Setting PG Volumes"
      set_fact:
        pg_volumes:
          - "/etc/localtime:/etc/localtime:ro"

    - name: "Setting PG ENV"
      set_fact:
        pg_env:
          PUID: "1000"
          PGID: "1000"
          CLIENT_ID: "{{clientid.stdout}}"
          CLIENT_SECRET: "{{clientsecret.stdout}}"
          SECRET: plexguide
          COOKIE_DOMAINS: "{{domain.stdout}}"
          COOKIE_SECURE: true
          LIFETIME: 2592000
          AUTH_HOST: "oauth.{{domain.stdout}}"
          WHITELIST: "{{whitelisted.stdout}}"

    # MAIN DEPLOYMENT #############################################################
    - name: "Deploying Container - {{pgrole}}"
      docker_container:
        name: "{{pgrole}}"
        image: "{{image}}"
        pull: "yes"
        env: "{{pg_env}}"
        restart_policy: unless-stopped
        networks:
          - name: plexguide
            aliases:
              - "plexguide"
        state: started
        labels: "{{pg_labels}}"
This is a little off-topic, but I wouldn't recommend such a long lifetime, as even if the user's email/user account is shut down, their session will still be valid with traefik. Forcing them to log in again checks they're still active (but this may be OK for your use case).
I'm closing this issue but I'll be happy to open again with more info.
Hi,
I've just set up the traefik-forward-auth docker container for the first time, and after some playing in both overlay and auth-host modes I get the same "Not Authorized" error displayed.
I ran the container up with debug mode and am getting the following error: Error validating csrf cookie: CSRF cookie does not match state
This is my config (with secrets removed of course):
traefik-forward-auth container:

Traefik-Forward-Auth:
  container_name: Traefik-Forward-Auth
  hostname: Traefik-Forward-Auth
  image: thomseddon/traefik-forward-auth
  networks:
    IoT:
      ipv4_address: 10.1.11.253
  environment:
    - CLIENT_ID=
    - CLIENT_SECRET=
    - SECRET=
    - COOKIE_DOMAINS=
    - COOKIE_SECURE=true
    - AUTH_HOST=auth.<domain>
    - WHITELIST=<email>@<domain>
    - LOG_LEVEL=debug
    - LOG_FORMAT=json
  # When using an auth host, adding it here prompts traefik to generate certs
  labels:
    # Traefik - General
    - "traefik.enable=true"
    - "traefik.default.port=4181"
    - "traefik.frontend.rule=Host:auth.<domain>"
    # Traefik - SSL
    - "traefik.frontend.headers.SSLRedirect=true"
    - "traefik.frontend.headers.STSSeconds=315360000"
    - "traefik.frontend.headers.browserXSSFilter=true"
    - "traefik.frontend.headers.contentTypeNosniff=true"
    - "traefik.frontend.headers.forceSTSHeader=true"
    - "traefik.frontend.headers.SSLHost=<domain>"
    - "traefik.frontend.headers.STSIncludeSubdomains=true"
    - "traefik.frontend.headers.STSPreload=true"
    - "traefik.frontend.headers.frameDeny=true"
    # Traefik - Whitelisting
    - "traefik.frontend.auth.forward.address=http://10.1.11.253:4181"
    - traefik.frontend.auth.forward.authResponseHeaders = ["X-Forwarded-User"]

whoami container which I'm trying to forward auth as a test:

Whoami:
  container_name: Whoami
  hostname: whoami
  image: containous/whoami
  networks:
    IoT:
      ipv4_address: 10.1.11.251
  labels:
    # Traefik - General
    - "traefik.enable=true"
    - "traefik.frontend.entryPoints=http,https"
    - "traefik.default.protocol=http"
    - "traefik.default.port=80"
    - "traefik.frontend.rule=Host:whoami.<domain>"
    # Traefik - SSL
    - "traefik.frontend.headers.SSLRedirect=true"
    - "traefik.frontend.headers.STSSeconds=315360000"
    - "traefik.frontend.headers.browserXSSFilter=true"
    - "traefik.frontend.headers.contentTypeNosniff=true"
    - "traefik.frontend.headers.forceSTSHeader=true"
    - "traefik.frontend.headers.SSLHost=<domain>"
    - "traefik.frontend.headers.STSIncludeSubdomains=true"
    - "traefik.frontend.headers.STSPreload=true"
    - "traefik.frontend.headers.frameDeny=true"
    # Traefik - Whitelisting
    - "traefik.frontend.auth.forward.address=http://10.1.11.253:4181"
    - traefik.frontend.auth.forward.authResponseHeaders = ["X-Forwarded-User"]
As I am using labels for everything instead of making changes to the traefik.toml file, I added the auth.forward.address and auth.forward.authResponseHeaders to the traefik-forward-auth container, as I saw something around this in another post when using auth-host mode, which solved my endless login loop when it wasn't in there.
I have gone through and set up the Google side as per the instructions, and added https://auth.<domain>/_oauth and https://whoami.<domain>/_oauth (for when I was testing in overlay mode).
Any ideas? I have tried multiple options around the DOMAIN and WHITELIST options, and multiple Google accounts, and all give me the same problem. The error probably suggests it's not something with the accounts I'm using, somewhere else I'm guessing?
Thanks in advance. O
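Both the COOKIE_SECURE remark earlier in the thread and the "CSRF cookie does not match state" error in this report come down to one question: does the browser send the CSRF cookie back on the /_oauth callback? The Go model below is added here for illustration and is not traefik-forward-auth's own code; it assumes the state format "nonce:returnURL" and maps the cookie's Domain and Secure attributes to COOKIE_DOMAINS and COOKIE_SECURE, then replays overlay mode (cookie and callback on the same app host) against auth-host mode (callback on auth.<domain>) under RFC 6265 cookie scoping.

```go
package main
import (
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)
// Constructed model (not the project's code) of the CSRF round trip: Domain and
// Secure stand in for COOKIE_DOMAINS and COOKIE_SECURE.
type csrfCookie struct {
	Value, Domain string
	Secure        bool
}

var errCSRF = errors.New("CSRF cookie does not match state")

// beginAuth issues the cookie and the OAuth state "nonce:returnURL" (assumed format).
func beginAuth(returnURL, cookieDomain string, secure bool) (csrfCookie, string) {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	nonce := hex.EncodeToString(b)
	return csrfCookie{Value: nonce, Domain: cookieDomain, Secure: secure}, nonce + ":" + returnURL
}

// browserSends applies the RFC 6265 rules: a cookie is attached only to hosts
// covered by its Domain attribute, and a Secure cookie only over https.
func browserSends(c csrfCookie, scheme, host string) bool {
	domainOK := host == c.Domain || strings.HasSuffix(host, "."+c.Domain)
	return domainOK && (!c.Secure || scheme == "https")
}

// callback simulates the browser reaching /_oauth on callbackHost over scheme and
// performs the nonce comparison behind the error quoted in this issue.
func callback(c csrfCookie, state, scheme, callbackHost string) (string, error) {
	parts := strings.SplitN(state, ":", 2) // the return URL itself contains ':'
	if len(parts) != 2 || !browserSends(c, scheme, callbackHost) || parts[0] != c.Value {
		return "", errCSRF
	}
	return parts[1], nil
}

func main() {
	c, state := beginAuth("https://app1.my-top-domain.com/", "app1.my-top-domain.com", true)
	_, sameHost := callback(c, state, "https", "app1.my-top-domain.com") // overlay mode
	_, authHost := callback(c, state, "https", "auth.my-top-domain.com") // outside Domain
	fmt.Println("same host:", sameHost, "| auth host:", authHost)
}
```

With a cookie Domain that covers the whole zone (the COOKIE_DOMAINS setting in the ansible config above), the auth-host callback validates; a Secure cookie over a plain-http callback never does, which is the failure mode the COOKIE_SECURE advice is about.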
this is a bit related, but have it all deployed @ https://github.com/PGBlitz/PGShield - We use traefik and have the menu built out. some clues may help you.
On Thu, Feb 28, 2019 at 6:30 AM owendemooy notifications@github.com wrote:
Hi,
I really like the idea of having centralized authentication for my self-hosted applications. I struggle to set it up, though: I use the "overlay" mode, and when going to my domain I did get redirected to the Google login page. However, after logging in I just get a white page with "Not Authorized" written on top.
What can I do to correct this? Do I need to do any setup to make sure https://home-service-domain.com/_oauth gets correctly redirected to the traefik-forward-auth container, or?
Would really appreciate your help in this, thanks a lot!