thomseddon / traefik-forward-auth

Minimal forward authentication service that provides Google/OpenID oauth based login and authentication for the traefik reverse proxy
MIT License

I don't fully understand how/where rules are specified #321

Open ziglotusgithub opened 2 years ago

ziglotusgithub commented 2 years ago

I'm attempting to use the rules configuration to allow local subnets to bypass authentication. I have the following:

version: '3.3'
services:
  traefik:
    volumes:
      - '/var/run/docker.sock:/var/run/docker.sock'
      - './traefik.toml:/traefik.toml'
      - './traefik_dynamic.toml:/traefik_dynamic.toml'
      - './acme.json:/acme.json'
    ports:
      - '80:80'
      - '443:443'
    networks:
      - web
    container_name: traefik
    image: 'traefik:latest'
  traefik-forward-auth:
    image: thomseddon/traefik-forward-auth
    restart: always
    container_name: traefik_auth
    labels:
      - "traefik.http.middlewares.traefik-forward-auth.forwardauth.address=http://traefik-forward-auth:4181"
      - "traefik.http.middlewares.traefik-forward-auth.forwardauth.authResponseHeaders=X-Forwarded-User"
      - "traefik.http.services.traefik-forward-auth.loadbalancer.server.port=4181"
    networks:
      - web
    environment:
      - CLIENT_ID=<redacted>
      - CLIENT_SECRET=<redacted>
      - SECRET=<redacted>
      - WHITELIST=<redacted>
      - LOG_LEVEL=info
      - LIFETIME=604800
      - COOKIE_DOMAIN=<redacted>
      - CONFIG=rules
networks:
  web:
    external: true

As specified above, I use a file called 'rules' with the following:

rule.allow-subnet.action=allow
rule.allow-subnet.rule=HeadersRegexp(`X-Real-Ip`, `^192\.168\.5\.`)

However, that doesn't seem to be applying at all. I don't seem to understand if the rules should be applied here or rather at the docker-compose files for the individual containers and, if so, how/where that works. Please assist.
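To make the rules file semantics concrete, here is an added Python model (not code from traefik-forward-auth) that parses the rule.<name>.action / rule.<name>.rule lines from the post and applies the HeadersRegexp match to constructed request headers; the matching and fallback behaviour is a simplified assumption, with an unmatched request falling back to the default "auth" action.

```python
import re

# Constructed copy of the two-line rules file quoted in the issue.
RULES_FILE = r"""
rule.allow-subnet.action=allow
rule.allow-subnet.rule=HeadersRegexp(`X-Real-Ip`, `^192\.168\.5\.`)
"""

_RULE_KEY = re.compile(r"^rule\.(?P<name>[^.]+)\.(?P<field>action|rule)=(?P<value>.*)$")
_HEADERS_REGEXP = re.compile(r"^HeadersRegexp\(`(?P<header>[^`]+)`,\s*`(?P<pattern>[^`]+)`\)$")


def parse_rules(text):
    """Group 'rule.<name>.<field>=<value>' lines into {name: {field: value}}."""
    rules = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = _RULE_KEY.match(line)
        if not m:
            raise ValueError(f"unrecognised rules line: {line!r}")
        rules.setdefault(m["name"], {})[m["field"]] = m["value"]
    return rules


def headers_regexp_matches(rule_expr, headers):
    """Model of HeadersRegexp(`Header`, `pattern`): header lookup is case-insensitive."""
    m = _HEADERS_REGEXP.match(rule_expr)
    if not m:
        raise ValueError(f"only HeadersRegexp(...) is modelled here: {rule_expr!r}")
    wanted = m["header"].lower()
    value = next((v for k, v in headers.items() if k.lower() == wanted), None)
    # A missing header never matches, so the request keeps the default action.
    # Note: the value is whatever the proxy put in X-Real-Ip; the rule trusts it as-is.
    return value is not None and re.search(m["pattern"], value) is not None


def decide(rules, headers, default="auth"):
    """Return the action of the first matching rule, else the default ('auth')."""
    for rule in rules.values():
        if "rule" in rule and headers_regexp_matches(rule["rule"], headers):
            return rule.get("action", default)
    return default
```

The trailing `\.` in the pattern matters: 192.168.50.1 does not match `^192\.168\.5\.` and still gets the auth action.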

chelming commented 2 years ago

you're not mounting your rules file. try something like this

version: '3.3'
services:
  traefik:
    volumes:
      - '/var/run/docker.sock:/var/run/docker.sock'
      - './traefik.toml:/traefik.toml'
      - './traefik_dynamic.toml:/traefik_dynamic.toml'
      - './acme.json:/acme.json'
    ports:
      - '80:80'
      - '443:443'
    networks:
      - web
    container_name: traefik
    image: 'traefik:latest'
  traefik-forward-auth:
    image: thomseddon/traefik-forward-auth
    restart: always
    container_name: traefik_auth
    labels:
      - "traefik.http.middlewares.traefik-forward-auth.forwardauth.address=http://traefik-forward-auth:4181"
      - "traefik.http.middlewares.traefik-forward-auth.forwardauth.authResponseHeaders=X-Forwarded-User"
      - "traefik.http.services.traefik-forward-auth.loadbalancer.server.port=4181"
    networks:
      - web
    volumes:
      - ${HOME}/docker/traefik-forward-auth/rules:/rules
    environment:
      - CLIENT_ID=<redacted>
      - CLIENT_SECRET=<redacted>
      - SECRET=<redacted>
      - WHITELIST=<redacted>
      - LOG_LEVEL=info
      - LIFETIME=604800
      - COOKIE_DOMAIN=<redacted>
      - CONFIG=/rules
networks:
  web:
    external: true

just update your path in that volumes section

ziglotusgithub commented 2 years ago

just update your path in that volumes section

Absolute legend mate, that makes total sense and works perfectly. Thanks a million, mate!