cfrigi83/traefik-examples/example_oauth
The goal of this example is to put access to services exposed through Traefik behind a login with a Google account (optionally protected by the 2FA configured on that Google account). This approach is recommended for services that you want to reach from the internet but that have no access control (login) of their own.
- the client opens the site `{SUBDOMAIN}.{DOMAIN}.com`
- Traefik redirects the client to Google for the login
- after a successful login on Google, Traefik (through the forward-auth service) checks whether this user is allowed
- the client sees the website
This example is not a full SSO (Single Sign-On); it puts an authentication step in front of the service, so no request reaches the service before the user has logged in and been checked against the allow list.
- DNS configured on Cloudflare, with an `A` record pointing `{SUBDOMAIN}.{DOMAIN}.com` to the IP of the server.
- One or more Google accounts.
- Docker and docker-compose installed, for example with `bash install_docker.sh`.
- Create a new project on console.developers.google.com/apis/credentials.
- In this project create a new OAuth2 client ID.
- Add every container domain on which you want to use OAuth as an authorised redirect URI, with `/_oauth` appended, for example `sub.example.org/_oauth`. Google only checks that the redirect URI of a login matches one of these entries, so you can also register a domain that is not reachable from the internet.
- Put the client ID and client secret in the `.env` file as the variables `GOOGLE_CLIENT_ID` and `GOOGLE_CLIENT_SECRET`.
- Generate a secret with the command below and put the result in the `.env` file as the variable `OAUTH_SECRET`. This secret signs the session cookie; anyone who knows it can forge a logged-in session, so keep it out of version control.
  `openssl rand -hex 16`
- In the variable `WHITELIST` in the `sample_env` file you define the allowed e-mail addresses (comma-separated). If you have a G Suite account you can allow a whole domain with the variable `DOMAIN` instead, but then you have to delete the variable `WHITELIST`.
More configuration options: traefik-forward-auth#configuration
- Add these labels to every docker container you want to protect (docker-compose syntax). Pay attention to the router and middleware names: the router name (`whoami`) and the middleware name (`whoamisecure`) must be unique per container, and the middleware must be attached to the router with the `middlewares` label, otherwise the container is reachable without login. `authResponseHeaders` may only be set once; `X-Forwarded-User` is the header traefik-forward-auth returns with the logged-in e-mail address.
```yaml
      # Oauth for whoami
      - "traefik.http.routers.whoami.middlewares=whoamisecure"
      - "traefik.http.middlewares.whoamisecure.forwardauth.address=http://oauth:4181"
      - "traefik.http.middlewares.whoamisecure.forwardauth.authResponseHeaders=X-Forwarded-User"
      - "traefik.http.middlewares.whoamisecure.forwardauth.trustForwardHeader=true"
```
  Note on `trustForwardHeader=true`: it makes Traefik pass the `X-Forwarded-*` headers it received from the client on to the auth service unchanged. Keep it `true` only if Traefik sits behind a trusted proxy (for example the Cloudflare proxy) whose addresses are listed in the entrypoint's `forwardedHeaders.trustedIPs`; if Traefik is reached directly, set it to `false` so that Traefik fills in these headers itself and a client cannot spoof them.
- Set all required variables in `sample_env` and rename `sample_env` to `.env`.
- Create the volumes:
```sh
docker volume create --name postgresql
docker volume create --name n8n
docker volume create --name postgresql_data
```
- Start the containers with the command:
```sh
docker-compose up -d
```
- Test the connection by opening `{SUBDOMAIN}.{DOMAIN}.com`; the redirect to the Google login now happens first, and an e-mail address that is not in `WHITELIST` (or not in `DOMAIN`) must be refused after the login.
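The complete picture, as an added example that is not the repository's own `docker-compose.yml`: it wires Traefik, the forward-auth service (`oauth`) and one protected `whoami` container together so the labels above can be seen in context. It assumes the `thomseddon/traefik-forward-auth` v2 image in its default overlay mode (where the `/_oauth` callback arrives on the protected host itself and needs no router of its own), an existing external Docker network named `web`, the placeholder site `whoami.example.com`, and a `.env` with `GOOGLE_CLIENT_ID`, `GOOGLE_CLIENT_SECRET`, `OAUTH_SECRET` and `WHITELIST`. TLS certificate issuance is left out and marked where it belongs.

```yaml
# Added example, not the repository's compose file. Assumptions: traefik-forward-auth v2
# (env names PROVIDERS_GOOGLE_*, SECRET, WHITELIST, COOKIE_DOMAIN, URL_PATH), an
# external network "web", placeholder domain example.com, variables from .env.
version: "3.7"

services:
  traefik:
    image: traefik:v2.4
    command:
      - --providers.docker=true
      - --providers.docker.exposedbydefault=false
      - --entrypoints.web.address=:80
      - --entrypoints.websecure.address=:443
      # Force HTTPS so the session cookie is never sent in clear text.
      - --entrypoints.web.http.redirections.entrypoint.to=websecure
      - --entrypoints.web.http.redirections.entrypoint.scheme=https
      # Add a certificatesresolvers.* block here for real certificates (out of scope).
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
    networks:
      - web

  oauth:
    image: thomseddon/traefik-forward-auth:2
    environment:
      - PROVIDERS_GOOGLE_CLIENT_ID=${GOOGLE_CLIENT_ID}
      - PROVIDERS_GOOGLE_CLIENT_SECRET=${GOOGLE_CLIENT_SECRET}
      - SECRET=${OAUTH_SECRET}        # signs the session cookie (openssl rand -hex 16)
      - WHITELIST=${WHITELIST}        # comma-separated allowed e-mail addresses
      # - DOMAIN=mycompany.com        # alternative: allow a whole G Suite domain (remove WHITELIST)
      - COOKIE_DOMAIN=example.com     # one login cookie shared by all protected subdomains
      - URL_PATH=/_oauth              # must match the redirect URIs registered at Google
      - LOG_LEVEL=info
    networks:
      - web
    # No traefik labels: in overlay mode the callback https://whoami.example.com/_oauth
    # is intercepted by the forwardauth middleware of the protected router.

  whoami:
    image: traefik/whoami
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.whoami.rule=Host(`whoami.example.com`)"
      - "traefik.http.routers.whoami.entrypoints=websecure"
      - "traefik.http.routers.whoami.tls=true"
      # Oauth for whoami: every request is checked by oauth:4181 before it is proxied
      - "traefik.http.routers.whoami.middlewares=whoamisecure"
      - "traefik.http.middlewares.whoamisecure.forwardauth.address=http://oauth:4181"
      - "traefik.http.middlewares.whoamisecure.forwardauth.authResponseHeaders=X-Forwarded-User"
      # false: Traefik sets X-Forwarded-* itself, so a client cannot spoof them.
      # Use true only behind a trusted proxy listed in forwardedHeaders.trustedIPs.
      - "traefik.http.middlewares.whoamisecure.forwardauth.trustForwardHeader=false"
    networks:
      - web

networks:
  web:
    external: true
```

The `whoami` container is a convenient first target because it echoes the request headers back: after a successful login the page shows the `X-Forwarded-User` header with the Google e-mail address, which confirms that the `authResponseHeaders` setting reached the service. To protect a second container, copy the four `whoamisecure` labels with a new router and middleware name and register its `https://<host>/_oauth` URI at Google as well.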