상현에 하루하루

Traefik OAuth


TL;DR

fauth:
    container_name: fauth
    image: thomseddon/traefik-forward-auth:latest
    restart: unless-stopped
    security_opt:
      - no-new-privileges:true
    environment:
      - PROVIDERS_GOOGLE_CLIENT_ID=$GOOGLE_CLIENT_ID # REDACTED
      - PROVIDERS_GOOGLE_CLIENT_SECRET=$GOOGLE_CLIENT_SECRET # REDACTED
      - SECRET=$OAUTH_SECRET
      - INSECURE_COOKIE=false
    labels:
      - traefik.enable=true
      - traefik.http.middlewares.fauth.forwardauth.address=http://fauth:4181
      - traefik.http.middlewares.fauth.forwardauth.authResponseHeaders=X-Forwarded-User
      - traefik.http.services.fauth.loadbalancer.server.port=4181

# usage: attach the fauth middleware to the router of any service you want behind Google OAuth
organizr:
    image: linuxserver/organizr:latest
    container_name: organizr
    restart: unless-stopped
    labels:
      - traefik.enable=true
      - traefik.http.routers.organizr.rule=Host(`organizr.example.com`)
      - traefik.http.routers.organizr.entrypoints=web
      - traefik.http.routers.organizr.middlewares=fauth

Configure it as above. One caveat: INSECURE_COOKIE=false marks the auth cookie as Secure, so the browser only sends it back over HTTPS; the protected router therefore needs a TLS entrypoint (as websecure is in the full example below), not the plain-HTTP web entrypoint.

Example from actual use

version: "3.8"

########################### NETWORKS
networks:
  default:
    driver: bridge
    name: traefik_proxy
  db_net:
    external:
      name: db_net
  db_work:
    external:
      name: db_work

########################### SERVICES
services:
  # Traefik 2 - Reverse Proxy
  traefik:
    image: traefik:v2.4
    container_name: DO__traefik
    restart: unless-stopped
    ports:
      - target: 80
        published: 80
        protocol: tcp
        mode: host
      - target: 443
        published: 443
        protocol: tcp
        mode: host
      - target: 8080
        published: 8080
        protocol: tcp
        mode: host
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./traefik/rules:/rules
      - ./traefik/acme:/acme
      - ./traefik/traefik.yaml:/etc/traefik/traefik.yaml
    labels:
      - traefik.enable=true
      ## HTTP Routers
      - traefik.http.routers.202106__traefik.rule=Host(`traefik.${DOMAINNAME}`)
      - traefik.http.routers.202106__traefik.entrypoints=websecure
      - traefik.http.routers.202106__traefik.tls.certresolver=leresolver
      - traefik.http.routers.202106__traefik.middlewares=fauth
      ## Service
      - traefik.http.services.202106__traefik.loadbalancer.server.port=8080
    networks:
      - db_net
      - db_work
      - default

  fauth:
    container_name: fauth
    image: thomseddon/traefik-forward-auth:latest
    restart: unless-stopped
    security_opt:
      - no-new-privileges:true
    environment:
      - PROVIDERS_GOOGLE_CLIENT_ID=${GOOGLE_CLIENT_ID} # REDACTED
      - PROVIDERS_GOOGLE_CLIENT_SECRET=${GOOGLE_CLIENT_SECRET} # REDACTED
      - SECRET=${OAUTH_SECRET}
      - INSECURE_COOKIE=false
      - WHITELIST=${EMAIL}
    labels:
      - traefik.enable=true
      - traefik.http.middlewares.fauth.forwardauth.address=http://fauth:4181
      - traefik.http.middlewares.fauth.forwardauth.authResponseHeaders=X-Forwarded-User
      - traefik.http.services.fauth.loadbalancer.server.port=4181
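As an added example that is not part of this post or of Traefik/traefik-forward-auth, the following Python check parses label strings of the shape used in the compose files above and flags the mistakes that most often break or weaken this kind of setup: a router that references a middleware that is never defined, a forwardauth-protected router on a plain-HTTP entrypoint while the cookie is Secure, the client secret accidentally set to the client id, a short SECRET, and no WHITELIST or DOMAIN restriction at all (in which case traefik-forward-auth accepts any Google account). The service names, the sample labels, the environment values and the set of entrypoints treated as TLS are all constructed for the example.

```python
import re

# Matches the label shape used in the compose files above:
#   traefik.http.<routers|middlewares|services>.<name>.<key>=<value>
LABEL_RE = re.compile(r"^traefik\.http\.(routers|middlewares|services)\.([^.]+)\.(.+?)=(.*)$")

# Entrypoint names treated as TLS-terminating. "websecure" follows the post's compose
# file; anything else (such as "web") is treated as plain HTTP.  (assumption)
TLS_ENTRYPOINTS = {"websecure"}
MIN_SECRET_LEN = 16  # arbitrary floor chosen for this check


def parse_labels(labels):
    """Group label strings as {"routers": {name: {key: value}}, "middlewares": ..., "services": ...}."""
    out = {"routers": {}, "middlewares": {}, "services": {}}
    for label in labels:
        m = LABEL_RE.match(label.strip())
        if m:  # traefik.enable=true and other non-http labels are simply ignored
            kind, name, key, value = m.groups()
            out[kind].setdefault(name, {})[key] = value
    return out


def check_setup(services_labels, fauth_env):
    """services_labels: {service: [label, ...]} for every compose service;
    fauth_env: {VAR: value} environment of the forward-auth container.
    Returns a list of human-readable findings (empty when nothing is flagged)."""
    merged = {"routers": {}, "middlewares": {}, "services": {}}
    for labels in services_labels.values():
        for kind, entries in parse_labels(labels).items():
            for name, kv in entries.items():
                merged[kind].setdefault(name, {}).update(kv)

    forwardauth_mw = {n for n, kv in merged["middlewares"].items()
                      if any(k.startswith("forwardauth.") for k in kv)}
    secure_cookie = fauth_env.get("INSECURE_COOKIE", "false").lower() != "true"
    findings = []

    for name, kv in merged["routers"].items():
        mws = [m.strip() for m in kv.get("middlewares", "").split(",") if m.strip()]
        if not mws:
            findings.append(f"router {name}: no middleware attached, route is unauthenticated")
            continue
        for mw in mws:
            if mw not in merged["middlewares"]:
                findings.append(f"router {name}: middleware '{mw}' is referenced but never defined")
        if secure_cookie and any(m in forwardauth_mw for m in mws):
            eps = {e.strip() for e in kv.get("entrypoints", "").split(",") if e.strip()}
            if not eps:
                findings.append(f"router {name}: no entrypoints set, so it also listens on plain-HTTP entrypoints")
            elif not eps <= TLS_ENTRYPOINTS:
                findings.append(f"router {name}: Secure auth cookie but non-TLS entrypoint(s) {sorted(eps - TLS_ENTRYPOINTS)}")

    cid = fauth_env.get("PROVIDERS_GOOGLE_CLIENT_ID")
    if cid and cid == fauth_env.get("PROVIDERS_GOOGLE_CLIENT_SECRET"):
        findings.append("fauth: client secret equals client id (copy-paste slip)")
    if len(fauth_env.get("SECRET", "")) < MIN_SECRET_LEN:
        findings.append(f"fauth: SECRET missing or shorter than {MIN_SECRET_LEN} characters")
    if not fauth_env.get("WHITELIST") and not fauth_env.get("DOMAIN"):
        findings.append("fauth: neither WHITELIST nor DOMAIN set, any Google account is accepted")
    return findings


# Constructed sample input modelled on the compose files above (names and values are made up).
SAMPLE_LABELS = {
    "traefik": [
        "traefik.enable=true",
        "traefik.http.routers.dash.rule=Host(`traefik.example.com`)",
        "traefik.http.routers.dash.entrypoints=websecure",
        "traefik.http.routers.dash.tls.certresolver=leresolver",
        "traefik.http.routers.dash.middlewares=fauth",
        "traefik.http.services.dash.loadbalancer.server.port=8080",
    ],
    "fauth": [
        "traefik.enable=true",
        "traefik.http.middlewares.fauth.forwardauth.address=http://fauth:4181",
        "traefik.http.middlewares.fauth.forwardauth.authResponseHeaders=X-Forwarded-User",
        "traefik.http.services.fauth.loadbalancer.server.port=4181",
    ],
    "organizr": [
        "traefik.http.routers.organizr.rule=Host(`organizr.example.com`)",
        "traefik.http.routers.organizr.entrypoints=web",  # plain HTTP, cookie will never be sent back
        "traefik.http.routers.organizr.middlewares=fauth",
    ],
    "wiki": [
        "traefik.http.routers.wiki.rule=Host(`wiki.example.com`)",
        "traefik.http.routers.wiki.entrypoints=websecure",
        "traefik.http.routers.wiki.middlewares=oauth",  # typo: the middleware is named fauth
    ],
}
BAD_ENV = {  # mirrors the copy-paste slip in the post's original compose file
    "PROVIDERS_GOOGLE_CLIENT_ID": "dummy-client-id",
    "PROVIDERS_GOOGLE_CLIENT_SECRET": "dummy-client-id",
    "SECRET": "short",
    "INSECURE_COOKIE": "false",
}
GOOD_ENV = {
    "PROVIDERS_GOOGLE_CLIENT_ID": "dummy-client-id",
    "PROVIDERS_GOOGLE_CLIENT_SECRET": "dummy-client-secret",
    "SECRET": "constructed-32-char-random-secret",
    "INSECURE_COOKIE": "false",
    "WHITELIST": "alice@example.com",
}

if __name__ == "__main__":
    for finding in check_setup(SAMPLE_LABELS, BAD_ENV):
        print(finding)
```

Run as a script it prints five findings for the constructed input (the organizr router on the web entrypoint, the undefined oauth middleware on the wiki router, and three environment problems); feeding it only the dashboard and fauth labels together with GOOD_ENV returns an empty list. Labels are read from the label strings themselves, so the check works the same for labels coming from a compose file, `docker inspect` output or the Traefik file provider once they are flattened to `key=value` form.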

Define fauth as a middleware, then attach that middleware to the router of each container you want behind Google OAuth.

Requests to that route are then only let through after Google OAuth authentication. Note that the compose file above also publishes port 8080 directly on the host, so whatever Traefik serves there (its API/dashboard, if enabled in traefik.yaml) is reachable on that port without passing through fauth; only the traefik.${DOMAINNAME} router is protected.

issue) Whitelist not working

The container has a whitelist option meant to let only the people you choose log in, but that option does not work properly.

https://github.com/Hansanghyeon/synology-traefik/issues/3
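The exchange described in the two sentences after the compose file (Traefik asks the auth server, the auth server either passes the request with X-Forwarded-User or sends the browser to Google) and the whitelist check this issue is about, as an added example: a small Python model of what the server behind the `fauth` middleware decides for each forwarded request. This is not traefik-forward-auth's code. The cookie layout (`mac|expires|email`), the provider URL, the cookie name and the sample secret, host and e-mail values are simplified stand-ins constructed for the example; the restriction rule follows the documented behaviour that with neither WHITELIST nor DOMAIN set every Google account is accepted.

```python
import base64
import hashlib
import hmac
import time
from urllib.parse import urlencode

COOKIE_NAME = "_forward_auth"  # assumed cookie name for this model
PROVIDER_LOGIN = "https://accounts.google.com/o/oauth2/auth"  # stand-in for the provider's authorize URL


def _mac(secret, domain, email, expires):
    """HMAC-SHA256 over (domain, email, expiry) keyed with SECRET; binds the cookie to one host."""
    h = hmac.new(secret.encode(), digestmod=hashlib.sha256)
    for part in (domain, email, str(expires)):
        h.update(part.encode())
    return base64.urlsafe_b64encode(h.digest()).decode()


def make_cookie(secret, domain, email, expires):
    """Cookie value issued after a successful provider login (simplified layout: mac|expires|email)."""
    return f"{_mac(secret, domain, email, expires)}|{expires}|{email}"


def validate_cookie(secret, domain, cookie, now):
    """Return the e-mail carried by an authentic, unexpired cookie for this domain, else None."""
    try:
        mac, expires_s, email = cookie.split("|", 2)
        expires = int(expires_s)
    except ValueError:
        return None  # missing or malformed
    if not hmac.compare_digest(mac, _mac(secret, domain, email, expires)):
        return None  # forged, or minted for another host
    if expires <= now:
        return None  # lifetime elapsed
    return email


def allowed(email, whitelist, domains):
    """Restriction rule modelled on the WHITELIST / DOMAIN options:
    with neither set, every account the provider vouches for is accepted."""
    if not whitelist and not domains:
        return True
    if email in whitelist:
        return True
    return email.rsplit("@", 1)[-1] in domains


def forward_auth(headers, cookies, secret, whitelist=(), domains=(), now=None):
    """Answer Traefik's forward-auth sub-request. Returns (status, response_headers):
    200 with X-Forwarded-User lets the original request through, 307 sends the browser
    to the provider, 401 rejects an authenticated account that fails the whitelist rule."""
    now = int(time.time()) if now is None else now
    host = headers["X-Forwarded-Host"]
    proto = headers.get("X-Forwarded-Proto", "http")
    uri = headers.get("X-Forwarded-Uri", "/")
    email = validate_cookie(secret, host, cookies.get(COOKIE_NAME, ""), now)
    if email is None:
        # Simplified: the real state parameter also carries a CSRF nonce.
        params = {"redirect_uri": f"{proto}://{host}/_oauth", "state": f"{proto}://{host}{uri}"}
        return 307, {"Location": f"{PROVIDER_LOGIN}?{urlencode(params)}"}
    if not allowed(email, set(whitelist), set(domains)):
        return 401, {}
    return 200, {"X-Forwarded-User": email}


if __name__ == "__main__":
    # Constructed scenario: alice has a valid cookie for organizr.example.com.
    secret, now = "constructed-test-secret", 1_700_000_000
    hdrs = {"X-Forwarded-Host": "organizr.example.com", "X-Forwarded-Proto": "https", "X-Forwarded-Uri": "/"}
    cookie = make_cookie(secret, "organizr.example.com", "alice@example.com", now + 3600)
    print("no cookie      ->", forward_auth(hdrs, {}, secret, now=now)[0])
    print("whitelisted    ->", forward_auth(hdrs, {COOKIE_NAME: cookie}, secret, ["alice@example.com"], now=now))
    print("not on list    ->", forward_auth(hdrs, {COOKIE_NAME: cookie}, secret, ["bob@example.com"], now=now))
    print("no restriction ->", forward_auth(hdrs, {COOKIE_NAME: cookie}, secret, now=now)[0])
```

The last line of the demo is the point of the whitelist section: when the restriction options are absent (or, as in the issue, not taking effect), any account that completes the Google login gets a 200 and the X-Forwarded-User header, so a working whitelist is what narrows "has a Google account" down to "is one of my users". The `now` parameter exists so the decision is reproducible in tests; a tampered e-mail, an expired cookie or a cookie minted for another host all fall back to the 307 redirect because the MAC covers the host, e-mail and expiry together.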


Background

https://github.com/Hansanghyeon/synology-traefik/discussions/2

References