Open IngwiePhoenix opened 6 months ago
travisghansen
commented
6 months ago Sure, you could pretty easily do that with: https://github.com/travisghansen/external-auth-server/blob/master/PLUGINS.md#request_js
Or a dedicated plugin could easily be created to support that as well.
IngwiePhoenix
commented
6 months ago Oh, interesting! Kinda had thought the JS ran browser-side; that's neat.
Any docs on which context the snippet runs in (vars, funcs, methods, ...)?
travisghansen
commented
6 months ago Super easy: https://github.com/travisghansen/external-auth-server/blob/master/src/plugin/request_js/index.js#L29
You don't need to return anything, just set the values on the response object (ie: set 200).
Hello there!
I have been trying out a few auth proxies for Traefik but so far, none of them actually implemented whitelisting IP CIDRs.
Essentially, my kubernetes cluster runs at home and is exposed publicy. When I am at home, I would like to be able to use most of my services without needing to go through the login flow. But when I am away, or share access by creating users in Keycloak, I would like them to need to authenticate. Effectively, I want to whitelist my home network's CIDR, and enforce auth everywhere else.
Traefik is configured to receive the real request IP (with
hostNetworkand an apropriatednsPolicyand whatnot). So all that I need now is the ability to use that to figure out if it matches my home network's CIDR or not.Is that possible?
Thanks and kind regards, Ingwie