From b598e7225fc3ebb49d996bbd382c9240001724d5 Mon Sep 17 00:00:00 2001
From: mcmikemn
Date: Fri, 26 Jul 2024 14:58:06 -0400
Subject: [PATCH 1/4] added defaut image values because docker logs were warning that a null default value could be problematic.
---
 traefik-forward-auth/docker-compose.yaml | 2 +-
 traefik/docker-compose.yaml | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/traefik-forward-auth/docker-compose.yaml b/traefik-forward-auth/docker-compose.yaml
index 83f8222d..5fb852fd 100644
--- a/traefik-forward-auth/docker-compose.yaml
+++ b/traefik-forward-auth/docker-compose.yaml
@@ -3,7 +3,7 @@ services:
 build:
 context: traefik-forward-auth
 args:
- BASE_IMAGE: ${TRAEFIK_FORWARD_AUTH_BASE_IMAGE}
+ BASE_IMAGE: ${TRAEFIK_FORWARD_AUTH_BASE_IMAGE:-thomseddon/traefik-forward-auth:2}
 STEP_CA_ENABLED: ${TRAEFIK_FORWARD_AUTH_STEP_CA_ENABLED}
 STEP_CA_ENDPOINT: ${TRAEFIK_FORWARD_AUTH_STEP_CA_ENDPOINT}
 STEP_CA_FINGERPRINT: ${TRAEFIK_FORWARD_AUTH_STEP_CA_FINGERPRINT}
diff --git a/traefik/docker-compose.yaml b/traefik/docker-compose.yaml
index f4e29d69..063bdda8 100644
--- a/traefik/docker-compose.yaml
+++ b/traefik/docker-compose.yaml
@@ -122,7 +122,7 @@ services:
 build:
 context: .
 args:
- TRAEFIK_IMAGE: ${TRAEFIK_IMAGE}
+ TRAEFIK_IMAGE: ${TRAEFIK_IMAGE:-traefik:v3.1}
 BLOCKPATH_MODULE: ${TRAEFIK_BLOCKPATH_MODULE}
 BLOCKPATH_GIT_BRANCH: master
 REFERER_MODULE: ${TRAEFIK_REFERER_MODULE}
@@ -240,7 +240,7 @@ services:
 error-pages:
 profiles:
 - error-pages
- image: ${TRAEFIK_ERROR_PAGES_IMAGE}
+ image: ${TRAEFIK_ERROR_PAGES_IMAGE:-tarampampam/error-pages:2.25.0}
 environment:
 TEMPLATE_NAME: ${TRAEFIK_ERROR_PAGES_TEMPLATE}
 labels:
From 33afd6bb2c7c373e53ea9d71bb7f691f7a171467 Mon Sep 17 00:00:00 2001
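Review bot: The new fallback `${TRAEFIK_IMAGE:-traefik:v3.1}` in the traefik build args (and the `thomseddon/traefik-forward-auth:2` fallback in the first hunk) is a floating tag, so a build with the variable unset silently pulls whatever the registry currently serves for that tag instead of the version recorded in .env, and the fallbacks now have to be kept in sync with the `.env-dist` defaults by hand. If the goal is only to silence Compose's "variable is not set" warning, the fail-closed form `TRAEFIK_IMAGE: ${TRAEFIK_IMAGE:?set TRAEFIK_IMAGE in .env}` does that without introducing a second source of truth. If a fallback is genuinely wanted, pin it to an exact patch version or an image digest so builds are reproducible; the error-pages hunk, which pins `2.25.0`, is the better pattern of the three.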
From: Mike Wooskey
Date: Fri, 26 Jul 2024 19:18:22 +0000
Subject: [PATCH 2/4] adding dokcer-compose.instance.yaml
---
 traefik-forward-auth/Makefile | 13 +++++
 .../docker-compose.instance.yaml | 47 +++++++++++++++++++
 traefik-forward-auth/docker-compose.yaml | 11 +----
 3 files changed, 61 insertions(+), 10 deletions(-)
 create mode 100644 traefik-forward-auth/docker-compose.instance.yaml
diff --git a/traefik-forward-auth/Makefile b/traefik-forward-auth/Makefile
index bb767f91..d034099d 100644
--- a/traefik-forward-auth/Makefile
+++ b/traefik-forward-auth/Makefile
@@ -16,6 +16,19 @@ config-hook:
 @test "google" == $$(${BIN}/dotenv -f ${ENV_FILE} get TRAEFIK_FORWARD_AUTH_SELECTED_PROVIDER) && ENV_FILE=${ENV_FILE} ROOT_DIR=${ROOT_DIR} bash ./configure_google.sh || true
 @test "discord" == $$(${BIN}/dotenv -f ${ENV_FILE} get TRAEFIK_FORWARD_AUTH_SELECTED_PROVIDER) && ENV_FILE=${ENV_FILE} ROOT_DIR=${ROOT_DIR} bash ./configure_discord.sh || true
+.PHONY: override-hook
+override-hook:
+#### This sets the override template variables for docker-compose.instance.yaml:
+#### The template dynamically renders to docker-compose.override_{DOCKER_CONTEXT}_{INSTANCE}.yaml
+#### These settings are used to automatically generate the service container labels, and traefik config, inside the template.
+#### The variable arguments have three forms: `=` `=:` `=@`
+#### name=VARIABLE_NAME # sets the template 'name' field to the value of VARIABLE_NAME found in the .env file
+#### # (this hardcodes the value into docker-compose.override.yaml)
+#### name=:VARIABLE_NAME # sets the template 'name' field to the literal string 'VARIABLE_NAME'
+#### # (this hardcodes the string into docker-compose.override.yaml)
+#### name=@VARIABLE_NAME # sets the template 'name' field to the literal string '${VARIABLE_NAME}'
+#### # (used for regular docker-compose expansion of env vars by name.)
+ @${BIN}/docker_compose_override ${ENV_FILE} project=:traefik-forward-auth instance=@TRAEFIK_FORWARD_AUTH_INSTANCE traefik_host=@TRAEFIK_FORWARD_AUTH_HOST http_auth=TRAEFIK_FORWARD_AUTH_HTTP_AUTH http_auth_var=@TRAEFIK_FORWARD_AUTH_HTTP_AUTH ip_sourcerange=@TRAEFIK_FORWARD_AUTH_IP_SOURCERANGE oauth2=TRAEFIK_FORWARD_AUTH_OAUTH2 authorized_group=TRAEFIK_FORWARD_AUTH_OAUTH2_AUTHORIZED_GROUP enable_mtls_auth=TRAEFIK_FORWARD_AUTH_MTLS_AUTH mtls_authorized_certs=TRAEFIK_FORWARD_AUTH_MTLS_AUTHORIZED_CERTS
 .PHONY: shell
 shell:
diff --git a/traefik-forward-auth/docker-compose.instance.yaml b/traefik-forward-auth/docker-compose.instance.yaml
new file mode 100644
index 00000000..41bc7687
--- /dev/null
+++ b/traefik-forward-auth/docker-compose.instance.yaml
@@ -0,0 +1,47 @@
+#! This is a ytt template file for docker-compose.override.yaml
+#! References:
+#! https://carvel.dev/ytt
+#! https://docs.docker.com/compose/extends/#adding-and-overriding-configuration
+#! https://github.com/enigmacurry/d.rymcg.tech#overriding-docker-composeyaml-per-instance
+
+#! ### Standard project vars:
+#@ load("@ytt:data", "data")
+#@ project = data.values.project
+#@ instance = data.values.instance
+#@ context = data.values.context
+#@ traefik_host = data.values.traefik_host
+#@ ip_sourcerange = data.values.ip_sourcerange
+#@ enable_http_auth = len(data.values.http_auth.strip()) > 0
+#@ http_auth = data.values.http_auth_var
+#@ enable_oauth2 = data.values.oauth2 == "true"
+#@ authorized_group = data.values.authorized_group
+#@ enable_mtls_auth = data.values.enable_mtls_auth == "true"
+#@ mtls_authorized_certs = data.values.mtls_authorized_certs
+#@ enabled_middlewares = []
+
+#@yaml/text-templated-strings
+services:
+ traefik-forward-auth:
+ #@ service = "traefik-forward-auth"
+ labels:
+ #! Services must opt-in to be proxied by Traefik:
+ - "traefik.enable=true"
+
+ #! 'router' is the fully qualified key in traefik for this router/service: project + instance + service
+ #@ router = "{}-{}-{}".format(project,instance,service)
+
+ #! The host matching router rule:
+ - "traefik.http.routers.(@= router @).rule=Host(`(@= traefik_host @)`)"
+ - "traefik.http.routers.(@= router @).entrypoints=websecure"
+ - "traefik.http.routers.(@= router @).tls=true"
+
+ #! Override the default port that the app binds to:
+ #! You don't normally need to do this, as long as your image has
+ #! an EXPOSE directive in it, Traefik will autodetect it, but this is how you can override it:
+ - "traefik.http.services.(@= router @).loadbalancer.server.port=4181"
+
+ - "traefik.http.middlewares.(@= router @)-traefik-forward-auth.forwardAuth.address=http://127.0.0.1:4181"
+ - "traefik.http.middlewares.(@= router @)-traefik-forward-auth.forwardAuth.authResponseHeaders=X-Forwarded-User"
+
+ #! Apply all middlewares (do this at the end!)
+ - "traefik.http.routers.(@= router @).middlewares=(@= ','.join(enabled_middlewares) @)"
diff --git a/traefik-forward-auth/docker-compose.yaml b/traefik-forward-auth/docker-compose.yaml
index 5fb852fd..ec3320f8 100644
--- a/traefik-forward-auth/docker-compose.yaml
+++ b/traefik-forward-auth/docker-compose.yaml
@@ -30,16 +30,7 @@ services:
 command:
 - "--rule.http-options-requests.action=allow"
 - "--rule.http-options-requests.rule=Method(`OPTIONS`)"
- labels:
- - "traefik.enable=true"
- - "traefik.http.services.traefik-forward-auth.loadbalancer.server.port=4181"
- - "traefik.http.middlewares.traefik-forward-auth.forwardAuth.address=http://127.0.0.1:4181"
- - "traefik.http.middlewares.traefik-forward-auth.forwardAuth.authResponseHeaders=X-Forwarded-User"
- - "traefik.http.routers.traefik-forward-auth.rule=Host(`${TRAEFIK_FORWARD_AUTH_HOST}`)"
- - "traefik.http.routers.traefik-forward-auth.entrypoints=websecure"
- - "traefik.http.routers.traefik-forward-auth.tls=true"
- - "traefik.http.routers.traefik-forward-auth.middlewares=traefik-forward-auth"
+ labels: []
 ports:
 - 127.0.0.1:4181:4181
 restart: always
From b00a3abdfff416f4b0f89d5f9b7f757e6145b4a5 Mon Sep 17 00:00:00 2001
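Review bot: `enabled_middlewares` is initialised to `[]` and nothing in this template ever appends to it, so the last label renders as `traefik.http.routers.<router>.middlewares=` with an empty value and the `<router>-traefik-forward-auth` forwardAuth middleware defined a few lines earlier is never attached to the router — the labels this same commit removes from docker-compose.yaml did attach `traefik-forward-auth` explicitly. Add `#@ enabled_middlewares.append("{}-traefik-forward-auth".format(router))` directly after the two `forwardAuth.*` labels so the join emits the middleware name. Note also that the middleware is now named `<project>-<instance>-<service>-traefik-forward-auth` rather than the bare `traefik-forward-auth`; if other projects in this repository reference that middleware by its old name (not visible here), they would stop matching after this change.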
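Review bot: `labels: []` gives no hint that the router, middleware and port labels now come from the per-instance override file rendered from docker-compose.instance.yaml, so a reader of this file alone will assume the service is no longer proxied by Traefik at all. A one-line comment above it, `## Traefik labels are rendered per-instance from docker-compose.instance.yaml (see override-hook in the Makefile)`, makes the dependency explicit. It would also be worth stating that without that override file the auth host is presumably unreachable through Traefik, which fails closed but silently breaks login for every project that depends on it.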
From: mcmikemn
Date: Sun, 28 Jul 2024 10:29:27 -0400
Subject: [PATCH 3/4] instantiating TFA
---
 traefik-forward-auth/.env-dist | 26 ++++++++++++-------
 traefik-forward-auth/Makefile | 13 +++++-----
 ...onfigure_gitea.sh => configure_forgejo.sh} | 18 ++++++-------
 .../docker-compose.instance.yaml | 18 +++++--------
 traefik-forward-auth/docker-compose.yaml | 2 ++
 5 files changed, 41 insertions(+), 36 deletions(-)
 rename traefik-forward-auth/{configure_gitea.sh => configure_forgejo.sh} (60%)
diff --git a/traefik-forward-auth/.env-dist b/traefik-forward-auth/.env-dist
index 85ea37d2..67f2e762 100644
--- a/traefik-forward-auth/.env-dist
+++ b/traefik-forward-auth/.env-dist
@@ -1,26 +1,32 @@
 TRAEFIK_FORWARD_AUTH_BASE_IMAGE=thomseddon/traefik-forward-auth:2
+## Set central auth specific domain that will handle auth for all other domains:
+TRAEFIK_FORWARD_AUTH_HOST=auth.example.com
+TRAEFIK_FORWARD_AUTH_HTTPS_PORT=443
+
+# The name of this instance. If there is only one instance, use 'default'.
+TRAEFIK_FORWARD_AUTH_INSTANCE=
+
 ## Oauth secret: CHANGE THIS:
 ## use `openssl rand -base64 45`
 TRAEFIK_FORWARD_AUTH_SECRET=
 TRAEFIK_FORWARD_AUTH_LOG_LEVEL=debug
-## Set central auth specific domain that will handle auth for all other domains:
-TRAEFIK_FORWARD_AUTH_HOST=auth.example.com
-TRAEFIK_FORWARD_AUTH_HTTPS_PORT=443
-
-## Set your gitea domain (only used for helping construct the other URLs)
-TRAEFIK_FORWARD_AUTH_GITEA_DOMAIN=git.example.com
+## Set your forgejo domain (only used for helping construct the other URLs)
+TRAEFIK_FORWARD_AUTH_FORGEJO_DOMAIN=git.example.com
 ## Set cookie domain as the root domain for all subdomains:
 TRAEFIK_FORWARD_AUTH_COOKIE_DOMAIN=example.com
+## Set cookie name:
+TRAEFIK_FORWARD_AUTH_COOKIE_NAME=_forward_auth
+
 TRAEFIK_FORWARD_AUTH_COOKIE_LIFETIME=43200
 TRAEFIK_FORWARD_AUTH_LOGOUT_REDIRECT=
-## Select the OAuth provider you want to use: (gitea, github, or google are provided)
-TRAEFIK_FORWARD_AUTH_SELECTED_PROVIDER=gitea
+## Select the OAuth provider you want to use: (forgejo, github, or google are provided)
+TRAEFIK_FORWARD_AUTH_SELECTED_PROVIDER=forgejo
 ## OAuth provider config:
 TRAEFIK_FORWARD_AUTH_DEFAULT_PROVIDER=generic-oauth
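Review bot: The new default `TRAEFIK_FORWARD_AUTH_COOKIE_NAME=_forward_auth` is instance-agnostic while every instance configured from this file shares the same root `TRAEFIK_FORWARD_AUTH_COOKIE_DOMAIN`, so two instances would set the same cookie name on the same domain and overwrite each other's session cookie in the browser. The Makefile config-hook in this series defaults to `_forward_auth_${CONTEXT_INSTANCE}` for exactly that reason; the comment here should carry the same constraint, e.g. `## Set cookie name (must be unique per instance that shares COOKIE_DOMAIN):`. `TRAEFIK_FORWARD_AUTH_INSTANCE=` is left blank although its comment says to use 'default'; the hook fills it in, but saying so (`# filled in by 'make config'; use 'default' if hand-editing`) avoids hand-edited .env files with an empty instance name.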
@@ -33,10 +39,10 @@ TRAEFIK_FORWARD_AUTH_PROVIDERS_GENERIC_OAUTH_SCOPE=
 TRAEFIK_FORWARD_AUTH_PROVIDERS_GOOGLE_CLIENT_ID=
 TRAEFIK_FORWARD_AUTH_PROVIDERS_GOOGLE_CLIENT_SECRET=
-## Example for Gitea:
+## Example for Forgejo:
 ## Create new Oauth2 app here: https://git.example.com/user/settings/applications
 #TRAEFIK_FORWARD_AUTH_DEFAULT_PROVIDER=generic-oauth
-## Change the domain to your own gitea instance URL (keep the paths unchanged):
+## Change the domain to your own forgejo instance URL (keep the paths unchanged):
 #TRAEFIK_FORWARD_AUTH_PROVIDERS_GENERIC_OAUTH_AUTH_URL=https://git.example.com/login/oauth/authorize
 #TRAEFIK_FORWARD_AUTH_PROVIDERS_GENERIC_OAUTH_TOKEN_URL=https://git.example.com/login/oauth/access_token
 #TRAEFIK_FORWARD_AUTH_PROVIDERS_GENERIC_OAUTH_USER_URL=https://git.example.com/api/v1/user
diff --git a/traefik-forward-auth/Makefile b/traefik-forward-auth/Makefile
index d034099d..abdd10c5 100644
--- a/traefik-forward-auth/Makefile
+++ b/traefik-forward-auth/Makefile
@@ -1,20 +1,21 @@
 ROOT_DIR = ..
 include ${ROOT_DIR}/_scripts/Makefile.projects
+include ${ROOT_DIR}/_scripts/Makefile.instance
 .PHONY: config-hook
 config-hook:
 @${BIN}/reconfigure_ask ${ENV_FILE} TRAEFIK_FORWARD_AUTH_HOST "Enter the traefik-foward-auth host domain name" auth.${ROOT_DOMAIN}
+ @${BIN}/reconfigure ${ENV_FILE} TRAEFIK_FORWARD_AUTH_INSTANCE=$${instance:-default}
 @${BIN}/reconfigure_ask ${ENV_FILE} TRAEFIK_FORWARD_AUTH_COOKIE_DOMAIN "Enter the cookie domain name (ie ROOT domain)" ${ROOT_DOMAIN}
+ @${BIN}/reconfigure_ask ${ENV_FILE} TRAEFIK_FORWARD_AUTH_COOKIE_NAME "Enter the cookie name" "_forward_auth_${CONTEXT_INSTANCE}"
 @${BIN}/reconfigure_password ${ENV_FILE} TRAEFIK_FORWARD_AUTH_SECRET 45
 @echo
 @ENV_FILE=${ENV_FILE} ROOT_DIR=${ROOT_DIR} bash ./configure_https_port.sh || true
 @echo
- @${BIN}/reconfigure_choose ${ENV_FILE} TRAEFIK_FORWARD_AUTH_SELECTED_PROVIDER "Select the OAuth provider to use" "gitea" "github" "google" "discord"
- @test "gitea" == $$(${BIN}/dotenv -f ${ENV_FILE} get TRAEFIK_FORWARD_AUTH_SELECTED_PROVIDER) && ENV_FILE=${ENV_FILE} ROOT_DIR=${ROOT_DIR} bash ./configure_gitea.sh || true
- @test "github" == $$(${BIN}/dotenv -f ${ENV_FILE} get TRAEFIK_FORWARD_AUTH_SELECTED_PROVIDER) && ENV_FILE=${ENV_FILE} ROOT_DIR=${ROOT_DIR} bash ./configure_github.sh || true
- @test "google" == $$(${BIN}/dotenv -f ${ENV_FILE} get TRAEFIK_FORWARD_AUTH_SELECTED_PROVIDER) && ENV_FILE=${ENV_FILE} ROOT_DIR=${ROOT_DIR} bash ./configure_google.sh || true
- @test "discord" == $$(${BIN}/dotenv -f ${ENV_FILE} get TRAEFIK_FORWARD_AUTH_SELECTED_PROVIDER) && ENV_FILE=${ENV_FILE} ROOT_DIR=${ROOT_DIR} bash ./configure_discord.sh || true
+ @${BIN}/reconfigure_choose ${ENV_FILE} TRAEFIK_FORWARD_AUTH_SELECTED_PROVIDER "Select the OAuth provider to use" "forgejo" "github" "google" "discord"
+ @ENV_FILE=${ENV_FILE} ROOT_DIR=${ROOT_DIR} bash ./configure_$$(${BIN}/dotenv -f ${ENV_FILE} get TRAEFIK_FORWARD_AUTH_SELECTED_PROVIDER).sh
+ @echo
 .PHONY: override-hook
override-hook:
@@ -28,7 +29,7 @@ override-hook:
 #### # (this hardcodes the string into docker-compose.override.yaml)
 #### name=@VARIABLE_NAME # sets the template 'name' field to the literal string '${VARIABLE_NAME}'
 #### # (used for regular docker-compose expansion of env vars by name.)
- @${BIN}/docker_compose_override ${ENV_FILE} project=:traefik-forward-auth instance=@TRAEFIK_FORWARD_AUTH_INSTANCE traefik_host=@TRAEFIK_FORWARD_AUTH_HOST http_auth=TRAEFIK_FORWARD_AUTH_HTTP_AUTH http_auth_var=@TRAEFIK_FORWARD_AUTH_HTTP_AUTH ip_sourcerange=@TRAEFIK_FORWARD_AUTH_IP_SOURCERANGE oauth2=TRAEFIK_FORWARD_AUTH_OAUTH2 authorized_group=TRAEFIK_FORWARD_AUTH_OAUTH2_AUTHORIZED_GROUP enable_mtls_auth=TRAEFIK_FORWARD_AUTH_MTLS_AUTH mtls_authorized_certs=TRAEFIK_FORWARD_AUTH_MTLS_AUTHORIZED_CERTS
+ @${BIN}/docker_compose_override ${ENV_FILE} project=:traefik-forward-auth instance=@TRAEFIK_FORWARD_AUTH_INSTANCE traefik_host=@TRAEFIK_FORWARD_AUTH_HOST
 .PHONY: shell
 shell:
diff --git a/traefik-forward-auth/configure_gitea.sh b/traefik-forward-auth/configure_forgejo.sh
similarity index 60%
rename from traefik-forward-auth/configure_gitea.sh
rename to traefik-forward-auth/configure_forgejo.sh
index 0f877a60..047809bb 100644
--- a/traefik-forward-auth/configure_gitea.sh
+++ b/traefik-forward-auth/configure_forgejo.sh
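Review bot: `bash ./configure_$$(${BIN}/dotenv -f ${ENV_FILE} get TRAEFIK_FORWARD_AUTH_SELECTED_PROVIDER).sh` turns an .env value into a script path with no allow-list, so a hand-edited or stale value (for example the old `gitea`, whose script this commit renames) fails with a bare "No such file" from bash, and a value containing a path separator runs a script outside this directory; the four `@test "x" == ...` lines it replaces could only ever invoke one of the known scripts. Since `reconfigure_choose` constrains interactive input to the four names the exposure is limited to edited .env files, but a guard before the dispatch keeps it fail-closed: `@case "$$(${BIN}/dotenv -f ${ENV_FILE} get TRAEFIK_FORWARD_AUTH_SELECTED_PROVIDER)" in forgejo|github|google|discord) ;; *) echo "Unsupported TRAEFIK_FORWARD_AUTH_SELECTED_PROVIDER" >&2; exit 1;; esac`. Dropping the trailing `|| true` also means a failing configure script now aborts `make config` instead of continuing; that looks intentional and deserves a comment saying so.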
@@ -6,28 +6,28 @@ source ${BIN}/funcs.sh
 ROOT_DOMAIN=$(get_root_domain)
 DOCKER_CONTEXT=$(${BIN}/docker_context)
-${BIN}/reconfigure_ask ${ENV_FILE} TRAEFIK_FORWARD_AUTH_GITEA_DOMAIN "Enter your gitea domain name" git.${ROOT_DOMAIN}
+${BIN}/reconfigure_ask ${ENV_FILE} TRAEFIK_FORWARD_AUTH_FORGEJO_DOMAIN "Enter your forgejo domain name" git.${ROOT_DOMAIN}
-GITEA_DOMAIN=$(${BIN}/dotenv -f ${ENV_FILE} get TRAEFIK_FORWARD_AUTH_GITEA_DOMAIN)
+FORGEJO_DOMAIN=$(${BIN}/dotenv -f ${ENV_FILE} get TRAEFIK_FORWARD_AUTH_FORGEJO_DOMAIN)
 HTTPS_PORT=$(${BIN}/dotenv -f ${ENV_FILE} get TRAEFIK_FORWARD_AUTH_HTTPS_PORT)
 ${BIN}/reconfigure ${ENV_FILE} \
- TRAEFIK_FORWARD_AUTH_PROVIDERS_GENERIC_OAUTH_AUTH_URL="https://${GITEA_DOMAIN}${HTTPS_PORT}/login/oauth/authorize" \
- TRAEFIK_FORWARD_AUTH_PROVIDERS_GENERIC_OAUTH_TOKEN_URL="https://${GITEA_DOMAIN}${HTTPS_PORT}/login/oauth/access_token" \
- TRAEFIK_FORWARD_AUTH_PROVIDERS_GENERIC_OAUTH_USER_URL="https://${GITEA_DOMAIN}${HTTPS_PORT}/api/v1/user"
+ TRAEFIK_FORWARD_AUTH_PROVIDERS_GENERIC_OAUTH_AUTH_URL="https://${FORGEJO_DOMAIN}${HTTPS_PORT}/login/oauth/authorize" \
+ TRAEFIK_FORWARD_AUTH_PROVIDERS_GENERIC_OAUTH_TOKEN_URL="https://${FORGEJO_DOMAIN}${HTTPS_PORT}/login/oauth/access_token" \
+ TRAEFIK_FORWARD_AUTH_PROVIDERS_GENERIC_OAUTH_USER_URL="https://${FORGEJO_DOMAIN}${HTTPS_PORT}/api/v1/user"
 echo ""
-echo "Opening Gitea applications page... (login as root)"
-echo "https://${GITEA_DOMAIN}${HTTPS_PORT}/user/settings/applications"
+echo "Opening Forgejo applications page... (login as root)"
+echo "https://${FORGEJO_DOMAIN}${HTTPS_PORT}/user/settings/applications"
 echo "You should now create a new OAuth2 application: "
 echo "Set the 'Application Name' the same as AUTH_HOST (or whatever you like)"
 echo "Set the 'Redirect URL' using https://AUTH_HOST/_oauth, eg. https://auth.${ROOT_DOMAIN}/_oauth"
-xdg-open https://${GITEA_DOMAIN}${HTTPS_PORT}/user/settings/applications
+xdg-open https://${FORGEJO_DOMAIN}${HTTPS_PORT}/user/settings/applications
 ${BIN}/reconfigure_ask ${ENV_FILE} TRAEFIK_FORWARD_AUTH_PROVIDERS_GENERIC_OAUTH_CLIENT_ID "Copy and Paste the OAuth2 client ID here"
 ${BIN}/reconfigure_ask ${ENV_FILE} TRAEFIK_FORWARD_AUTH_PROVIDERS_GENERIC_OAUTH_CLIENT_SECRET "Copy and Paste the OAuth2 client secret here"
-${BIN}/reconfigure_ask ${ENV_FILE} TRAEFIK_FORWARD_AUTH_LOGOUT_REDIRECT "Enter the logout redirect URL" https://${GITEA_DOMAIN}$(${BIN}/dotenv -f ${ENV_FILE} get TRAEFIK_FORWARD_AUTH_HTTPS_PORT)/logout
+${BIN}/reconfigure_ask ${ENV_FILE} TRAEFIK_FORWARD_AUTH_LOGOUT_REDIRECT "Enter the logout redirect URL" https://${FORGEJO_DOMAIN}$(${BIN}/dotenv -f ${ENV_FILE} get TRAEFIK_FORWARD_AUTH_HTTPS_PORT)/logout
 ${BIN}/reconfigure ${ENV_FILE} TRAEFIK_FORWARD_AUTH_DEFAULT_PROVIDER=generic-oauth
diff --git a/traefik-forward-auth/docker-compose.instance.yaml b/traefik-forward-auth/docker-compose.instance.yaml
index 41bc7687..81212d3d 100644
--- a/traefik-forward-auth/docker-compose.instance.yaml
+++ b/traefik-forward-auth/docker-compose.instance.yaml
@@ -10,13 +10,6 @@
 #@ instance = data.values.instance
 #@ context = data.values.context
 #@ traefik_host = data.values.traefik_host
-#@ ip_sourcerange = data.values.ip_sourcerange
-#@ enable_http_auth = len(data.values.http_auth.strip()) > 0
-#@ http_auth = data.values.http_auth_var
-#@ enable_oauth2 = data.values.oauth2 == "true"
-#@ authorized_group = data.values.authorized_group
-#@ enable_mtls_auth = data.values.enable_mtls_auth == "true"
-#@ mtls_authorized_certs = data.values.mtls_authorized_certs
 #@ enabled_middlewares = []
 #@yaml/text-templated-strings
@@ -28,20 +21,23 @@ services:
 - "traefik.enable=true"
 #! 'router' is the fully qualified key in traefik for this router/service: project + instance + service
- #@ router = "{}-{}-{}".format(project,instance,service)
+ #! #@ router = "{}-{}-{}".format(project,instance,service)
+ #@ router = "traefik-forward-auth"
 #! The host matching router rule:
 - "traefik.http.routers.(@= router @).rule=Host(`(@= traefik_host @)`)"
 - "traefik.http.routers.(@= router @).entrypoints=websecure"
+ - "traefik.http.routers.(@= router @).middlewares=traefik-forward-auth"
 - "traefik.http.routers.(@= router @).tls=true"
+ #! #@ enabled_middlewares.append("{}-forwardAuth".format(router))
+ - "traefik.http.middlewares.(@= router @).forwardAuth.address=http://127.0.0.1:4181"
+ - "traefik.http.middlewares.(@= router @).forwardAuth.authResponseHeaders=X-Forwarded-User"
+
 #! Override the default port that the app binds to:
 #! You don't normally need to do this, as long as your image has
 #! an EXPOSE directive in it, Traefik will autodetect it, but this is how you can override it:
 - "traefik.http.services.(@= router @).loadbalancer.server.port=4181"
- - "traefik.http.middlewares.(@= router @)-traefik-forward-auth.forwardAuth.address=http://127.0.0.1:4181"
- - "traefik.http.middlewares.(@= router @)-traefik-forward-auth.forwardAuth.authResponseHeaders=X-Forwarded-User"
-
 #! Apply all middlewares (do this at the end!)
 - "traefik.http.routers.(@= router @).middlewares=(@= ','.join(enabled_middlewares) @)"
diff --git a/traefik-forward-auth/docker-compose.yaml b/traefik-forward-auth/docker-compose.yaml
index ec3320f8..a21d5c88 100644
--- a/traefik-forward-auth/docker-compose.yaml
+++ b/traefik-forward-auth/docker-compose.yaml
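Review bot: The router now carries the `traefik.http.routers.traefik-forward-auth.middlewares` label twice: the hardcoded `middlewares=traefik-forward-auth` added after the entrypoints line, and the templated `middlewares=(@= ','.join(enabled_middlewares) @)` at the end, which still renders to an empty value because `enabled_middlewares` is never appended to (the append stays commented out, and its `{}-forwardAuth` name would not match the `(@= router @).forwardAuth` middleware defined two lines below it anyway). Compose collapses the label list into a map, so only one of the two values survives — I believe the later, empty one — which would leave the auth host router without its forwardAuth middleware. Replace the hardcoded label with `#@ enabled_middlewares.append(router)` next to the middleware definition and delete the commented-out append, so the final "Apply all middlewares" label is the single source of the list. Hardcoding `router = "traefik-forward-auth"` also means a second instance would register identical Traefik router, service and middleware names and collide; if that is deliberate, to keep the `traefik-forward-auth` middleware name stable for other projects, a comment saying so would spare the next reader the same question.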
@@ -16,6 +16,8 @@ services:
 - LOG_LEVEL=${TRAEFIK_FORWARD_AUTH_LOG_LEVEL}
 - AUTH_HOST=${TRAEFIK_FORWARD_AUTH_HOST}${TRAEFIK_FORWARD_AUTH_HTTPS_PORT}
 - COOKIE_DOMAIN=${TRAEFIK_FORWARD_AUTH_COOKIE_DOMAIN}
+ - COOKIE_NAME=${TRAEFIK_FORWARD_AUTH_COOKIE_NAME}
+ - CSRF_COOKIE_NAME=${TRAEFIK_FORWARD_AUTH_COOKIE_NAME}_csrf
 - DEFAULT_PROVIDER=${TRAEFIK_FORWARD_AUTH_DEFAULT_PROVIDER}
 - PROVIDERS_GENERIC_OAUTH_AUTH_URL=${TRAEFIK_FORWARD_AUTH_PROVIDERS_GENERIC_OAUTH_AUTH_URL}
 - PROVIDERS_GENERIC_OAUTH_TOKEN_URL=${TRAEFIK_FORWARD_AUTH_PROVIDERS_GENERIC_OAUTH_TOKEN_URL}
From 3c6be27ad53e58f58aea5acbf5c2a2ac5d3dce41 Mon Sep 17 00:00:00 2001
From: mcmikemn
Date: Sun, 28 Jul 2024 10:30:25 -0400
Subject: [PATCH 4/4] set default value for docker image envvars because logs were sending WARNs that null default null values could be problematic.
---
 traefik-forward-auth/traefik-forward-auth/Dockerfile | 2 +-
 traefik/Dockerfile | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/traefik-forward-auth/traefik-forward-auth/Dockerfile b/traefik-forward-auth/traefik-forward-auth/Dockerfile
index 730bf8cd..b016ffe0 100644
--- a/traefik-forward-auth/traefik-forward-auth/Dockerfile
+++ b/traefik-forward-auth/traefik-forward-auth/Dockerfile
@@ -14,5 +14,5 @@ RUN ([[ "$STEP_CA_ENABLED" == "true" ]] && [[ "$STEP_CA_ZERO_CERTS" != "true" ]]
 cat /root/.step/certs/root_ca.crt >> /etc/ssl/certs/ca-certificates.crt) || true
 ## Copy Step-CA certificate store into the otherwise unmodified base image:
-FROM ${BASE_IMAGE}
+FROM ${BASE_IMAGE:-thomseddon/traefik-forward-auth:2}
 COPY --from=step_ca /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs
diff --git a/traefik/Dockerfile b/traefik/Dockerfile
index 6205dd49..84110569 100644
--- a/traefik/Dockerfile
+++ b/traefik/Dockerfile
@@ -29,7 +29,7 @@ RUN git clone https://${CERT_AUTH_MODULE}.git /plugins-local/src/github.com/fame
 RUN git clone https://${MTLS_HEADER_MODULE}.git /plugins-local/src/github.com/pnxs/traefik-plugin-mtls-header \
 --depth 1 --single-branch --branch ${MTLS_HEADER_GIT_BRANCH}
-FROM ${TRAEFIK_IMAGE}
+FROM ${TRAEFIK_IMAGE:--traefik:v3.1}
 ARG TRAEFIK_UID TRAEFIK_GID TRAEFIK_DOCKER_GID
 COPY --from=plugins /plugins-local /plugins-local
 COPY entrypoint.sh /entrypoint_ensure_config.sh
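Review bot: `${TRAEFIK_IMAGE:--traefik:v3.1}` has a doubled dash: the default syntax is `:-word`, so the fallback here is the literal `-traefik:v3.1`, and a build without `TRAEFIK_IMAGE` set fails on an invalid image reference instead of falling back; it should read `FROM ${TRAEFIK_IMAGE:-traefik:v3.1}`. The typo goes unnoticed because Compose always passes the build arg (it gained its own fallback in patch 1), which also makes this a third copy of the same floating tag to keep in sync with `.env-dist`; pinning in one place and using the fail-loud `${VAR:?...}` form elsewhere would avoid silent drift between the three. Note the default only takes effect if `ARG TRAEFIK_IMAGE` is declared before the first `FROM`, which is outside this hunk (the previous `FROM ${TRAEFIK_IMAGE}` working suggests it is).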