Open shoaloak opened 2 years ago
@shoaloak Did you ever get this resolved? I have the same problem.
For what I understand you have the middleware configuration in both traefik.toml file and in docker labels for traefik-forward-auth service. I would recommend to do it in one place (docker labels worked for me). At the begging I tried to configure them in traefik.toml but for unknown reason it didn't work.
Here's my configuration that works:
docker-compose.yml
version: '3.5'
services:
traefik:
image: traefik:latest
container_name: cx-example-traefik
restart: unless-stopped
security_opt:
- no-new-privileges:true
networks:
- cx-example-net-dev
ports:
- 8080:80
- 443:443
volumes:
# - /etc/localtime:/etc/localtime:ro
# - /var/run/docker.sock:/var/run/docker.sock:ro
- ./traefik/traefik.toml:/traefik.toml:ro
- ./traefik/services.toml:/services.toml:ro
- ./traefik/acme.json:/acme.json
- ./logs/traefik.log:/traefik.log
labels:
- "traefik.enable=true"
- "traefik.http.middlewares.traefik-https-redirect.redirectscheme.scheme=https"
# - "traefik.http.middlewares.traefik-auth.basicauth.users=dummy:$$apr1$$iHNcpXTy$$cSNZ9EJt3fChWLn3s.v2L1"
- "traefik.http.routers.traefik.entrypoints=http"
- "traefik.http.routers.traefik.rule=Host(`localhost`)"
- "traefik.http.routers.traefik.middlewares=traefik-https-redirect"
- "traefik.http.routers.traefik-secure.entrypoints=https"
- "traefik.http.routers.traefik-secure.rule=Host(`localhost`)"
- "traefik.http.routers.traefik-secure.tls=true"
- "traefik.http.routers.traefik-secure.tls.certresolver=hypercpq"
- "traefik.http.routers.traefik-secure.service=api@internal"
# - "traefik.http.routers.traefik-secure.middlewares=traefik-auth"
- "traefik.http.routers.traefik-secure.middlewares=traefik-forward-auth"
# https://doc.traefik.io/traefik/providers/docker/#docker-api-access
socket-proxy:
image: tecnativa/docker-socket-proxy
container_name: cx-example-socket-proxy
restart: unless-stopped
volumes:
- /var/run/docker.sock:/var/run/docker.sock:ro
environment:
CONTAINERS: 1
networks:
- cx-example-net-dev
traefik-forward-auth:
image: thomseddon/traefik-forward-auth:2
env_file:
- ./traefik-forward-auth.env
networks:
- cx-example-net-dev
labels:
- "traefik.enable=true"
- "traefik.docker.network=cx-example-net-dev"
- "traefik.http.middlewares.traefik-forward-auth.forwardauth.address=http://traefik-forward-auth:4181"
- "traefik.http.middlewares.traefik-forward-auth.forwardauth.authResponseHeaders=X-Forwarded-User"
- "traefik.http.services.traefik-forward-auth.loadbalancer.server.port=4181"
portainer:
image: portainer/portainer:latest
container_name: cx-example-portainer
restart: unless-stopped
security_opt:
- no-new-privileges:true
networks:
- cx-example-net-dev
volumes:
# - /etc/localtime:/etc/localtime:ro
- /var/run/docker.sock:/var/run/docker.sock:ro
- cx-example-portainer-dev:/data
labels:
- "traefik.enable=true"
- "traefik.docker.network=cx-example-net-dev"
- "traefik.http.middlewares.portainer-https-redirect.redirectscheme.scheme=https"
- "traefik.http.services.portainer.loadbalancer.server.port=9000"
- "traefik.http.routers.portainer.entrypoints=http"
- "traefik.http.routers.portainer.middlewares=portainer-https-redirect"
- "traefik.http.routers.portainer-secure.entrypoints=https"
- "traefik.http.routers.portainer-secure.rule=Host(`portainer.localhost`)"
- "traefik.http.routers.portainer-secure.tls=true"
- "traefik.http.routers.portainer-secure.tls.certresolver=hypercpq"
- "traefik.http.routers.portainer-secure.middlewares=traefik-forward-auth"
# - "traefik.http.routers.portainer-secure.service=portainer"
whoami:
image: containous/whoami
container_name: cx-example-whoami
networks:
- cx-example-net-dev
labels:
- "traefik.enable=true"
- "traefik.docker.network=cx-example-net-dev"
- "traefik.http.middlewares.whoami-https-redirect.redirectscheme.scheme=https"
- "traefik.http.routers.whoami.rule=Host(`auth.localhost`)"
- "traefik.http.routers.whoami.entrypoints=http"
- "traefik.http.routers.whoami.middlewares=whoami-https-redirect"
- "traefik.http.routers.whoami-secure.entrypoints=https"
- "traefik.http.routers.whoami-secure.rule=Host(`auth.localhost`)"
- "traefik.http.routers.whoami-secure.tls=true"
- "traefik.http.routers.whoami-secure.tls.certresolver=hypercpq"
- "traefik.http.routers.whoami-secure.middlewares=traefik-forward-auth"
volumes:
cx-example-portainer-dev:
networks:
cx-example-net-dev:
external: true
./traefik/traefik.toml
[api]
dashboard = true
debug = true
[log]
level = "INFO"
filePath = "/traefik.log"
[entryPoints]
[entryPoints.http]
address = ":80"
# Redirect to HTTPS (why wouldn't you?)
[entryPoints.http.http.redirections.entryPoint]
to = "https"
scheme = "https"
[entryPoints.https]
address = ":443"
[providers.docker]
endpoint = "tcp://socket-proxy:2375"
watch = true
exposedByDefault = false
[providers.file]
filename = "/etc/traefik/services.toml"
AUTH_HOST=https://localhost
PORT=4181
DEFAULT_PROVIDER=oidc
PROVIDERS_OIDC_ISSUER_URL=<keycloak-url>/realms/<your-realm>
PROVIDERS_OIDC_CLIENT_ID=<client-id>
PROVIDERS_OIDC_CLIENT_SECRET=<client-secret>
SECRET=something-random
#COOKIE_DOMAIN=
Hope that helps.
Hi there, I'm new to traefik so excuse me if I'm asking something obvious. Also if you spot something weird and/or redundant in my config please let me know :smiley:
I'm trying to set up forward-auth together with Keycloak to provide authentication for (now just one of) my services. I have the feeling I'm close to getting it working, but I'm getting the following log error:
forward-auth | level=fatal msg="Get https://sso.mydomain.net/realms/myrealm/.well-known/openid-configuration: dial tcp <public_ip>:443: connect: connection refused"
I can access the sso URL from my personal machine over the internet, so I'm not entirely sure what is wrong. When accessing auth.mydomain.net, i get a 500 server error and nothing loads.
Traefik also picks up this error:
proxy_traefik | level=debug msg="Error calling http://forward-auth:4181. Cause: Get \"http://forward-auth:4181\": dial tcp: lookup forward-auth on 127.0.0.11:53: no such host" middlewareName=forward-auth@file middlewareType=ForwardedAuthType
So it fails to find the forward-auth container locally and keycloak publically.... Any help would be much appreciated!
Here is a mock diagram of the basic setup
My traefik compose file:
My config file:
my Keycloak compose file:
My traefik-forward-auth compose:
The service in question has the following labels:
My partial, redacted .env