Traefik 2 Basic Authorization Validation (Later)
In the previous article, we mentioned Traefik’s Forward Auth. In this article, we’ll explore how to use it.
Prepare a basic Web service Demo
In this article, we continue to use whoami as a Web service. The basic configuration file is the same as in the previous article, and no additional Settings are required for now:
version: '3'
services:
whoami:
image: containous/whoami
labels:
- "traefik.enable=true"
- "traefik.docker.network=traefik"
- "traefik.http.routers.test-auth-web.middlewares=https-redirect@file"
- "traefik.http.routers.test-auth-web.entrypoints=http"
- "traefik.http.routers.test-auth-web.rule=Host(`whoami.lab.com`, `whoami.lab.io`)"
- "traefik.http.routers.test-auth-ssl.entrypoints=https"
- "traefik.http.routers.test-auth-ssl.tls=true"
- "traefik.http.routers.test-auth-ssl.rule=Host(`whoami.lab.com`, `whoami.lab.io`)"
networks:
- traefik
networks:
traefik:
external: true
Copy the code
Configure the Traefik Forward Auth service using the container
Thomseddon/Traefik-forward-Auth This open source project allows us to quickly implement common OAuth/SSO functionality when using Traefik in conjunction with forward Auth middleware:
- Support multiple authentication service providers: Google/ General OAuth/General OIDC
- Support for custom request servers and specified paths for easy integration with existing systems
- Support for basic user restrictions, authorization source restrictions, support for setting cross-domain cookies
In short, as long as your system is exposed via Traefik, it is very easy to use this pattern to add a common layer of front-facing SSO to your application. The effect is similar to the login box that appears when we access the Intranet service from the external public network. Only after the login succeeds will the content we want to see be displayed.
The advantage of using this solution is that with some simple glue code, we can make no or almost no change access to the underlying application, even if the application itself does not support OAuth/SSO access, or commercial paid software that we cannot modify directly.
Version: '3' services: traefik-forward-auth: image: Thomseddon /traefik-forward-auth:v2.2.0 restart: always hostname: traefik-auth.lab.io environment: - LOG_LEVEL=trace - DEFAULT_PROVIDER=generic-oauth - PROVIDERS_GENERIC_OAUTH_AUTH_URL=https://sso.lab.io/dialog/authorize - PROVIDERS_GENERIC_OAUTH_TOKEN_URL=http://sso-web/oauth/token - PROVIDERS_GENERIC_OAUTH_USER_URL=http://sso-web/api/userinfo - PROVIDERS_GENERIC_OAUTH_USER_URL=http://sso-web/api/traefik-auth-user - PROVIDERS_GENERIC_OAUTH_CLIENT_ID=abc123 - PROVIDERS_GENERIC_OAUTH_CLIENT_SECRET=ssh-secret - PROVIDERS_GENERIC_OAUTH_SCOPE=* - PROVIDERS_GENERIC_OAUTH_TOKEN_STYLE=header - SECRET=something-random - INSECURE_COOKIE=true labels: - "traefik.enable=true" - "traefik.docker.network=traefik" - "traefik.http.routers.traefik-auth-web.entrypoints=http" - "traefik.http.routers.traefik-auth-web.rule=Host(`traefik-auth.lab.com`, `traefik-auth.lab.io`)" - "traefik.http.routers.traefik-auth-ssl.entrypoints=https" - "traefik.http.routers.traefik-auth-ssl.rule=Host(`traefik-auth.lab.com`, `traefik-auth.lab.io`)" - "traefik.http.routers.traefik-auth-ssl.tls=true" - "traefik.http.middlewares.traefik-forward-auth.forwardauth.address=http://traefik-forward-auth:4181" - "traefik.http.middlewares.traefik-forward-auth.forwardauth.authResponseHeaders=X-Forwarded-User" - "traefik.http.services.traefik-forward-auth.loadbalancer.server.port=4181" networks: - traefik networks: traefik: external: trueCopy the code
Using this project is complicated by the number of configuration items, but it is not, and we will understand it bit by bit.
Configuring Application Parameters
We define a lot of things in the environment variables, which can be explained in the official documentation. Here I choose OAuth as the authorization service configuration. For the sake of demonstration, I run them in the same container network card of the same host. PROVIDERS_GENERIC_OAUTH_AUTH_URL is the address that the user accesses at the front of the browser. It is used for “confirm authorization” behavior. Therefore, you need to configure the network domain name for external access. PROVIDERS_GENERIC_OAUTH_TOKEN_URL, PROVIDERS_GENERIC_OAUTH_USER_URL, and PROVIDERS_GENERIC_OAUTH_USER_URL can all communicate within the container for greater efficiency.
If our SSO service can be deployed independently, the four URL variables here need to be configured as accessible domain addresses. If HTTPS protocol is used, self-signed certificates need to be rebuilt. In the next article, we will explore SSO services in more detail, so that we can get an impression.
environment:
- LOG_LEVEL=trace
- DEFAULT_PROVIDER=generic-oauth
- PROVIDERS_GENERIC_OAUTH_AUTH_URL=https://sso.lab.io/dialog/authorize
- PROVIDERS_GENERIC_OAUTH_TOKEN_URL=http://sso-web/oauth/token
- PROVIDERS_GENERIC_OAUTH_USER_URL=http://sso-web/api/userinfo
- PROVIDERS_GENERIC_OAUTH_USER_URL=http://sso-web/api/traefik-auth-user
- PROVIDERS_GENERIC_OAUTH_CLIENT_ID=abc123
- PROVIDERS_GENERIC_OAUTH_CLIENT_SECRET=secret
- PROVIDERS_GENERIC_OAUTH_SCOPE=*
- PROVIDERS_GENERIC_OAUTH_TOKEN_STYLE=header
- SECRET=something-random
- INSECURE_COOKIE=true
Copy the code
Next, let’s configure the service route.
Configure the application service route
Service routing is easy to configure. You can set whether to perform HTTP to automatically forward HTTPS based on your requirements and preferences. The configuration method is described in the previous article.
labels:
- "traefik.enable=true"
- "traefik.docker.network=traefik"
- "traefik.http.routers.traefik-auth-web.entrypoints=http"
- "traefik.http.routers.traefik-auth-web.rule=Host(`traefik-auth.lab.com`, `traefik-auth.lab.io`)"
- "traefik.http.routers.traefik-auth-ssl.entrypoints=https"
- "traefik.http.routers.traefik-auth-ssl.tls=true"
- "traefik.http.routers.traefik-auth-ssl.rule=Host(`traefik-auth.lab.com`, `traefik-auth.lab.io`)"
...
Copy the code
The next step is to configure the Forwardauth middleware, which is similar to configuring the application parameters, since it is a co-deployment demonstration, using the application name is enough. If independent deployment is used, replace the domain name with the following one:
labels:
...
- "traefik.http.middlewares.traefik-forward-auth.forwardauth.address=http://traefik-forward-auth:4181"
- "traefik.http.middlewares.traefik-forward-auth.forwardauth.authResponseHeaders=X-Forwarded-User"
- "traefik.http.services.traefik-forward-auth.loadbalancer.server.port=4181"
Copy the code
The above middleware configuration also has an authResponseHeaders configuration item that is used to transmit authenticated user information to subsequent services, which can be modified or removed according to your requirements.
Docker-compose -d: docker-compose -d: docker-compose -d: docker-compose -d: docker-compose -d: docker-compose
Configuring applications
We added a simple configuration rule to the Web service Demo configuration at the beginning of this article to add the traefik-forward-auth configuration we just configured to the application service routing:
version: '3'
services:
whoami:
image: containous/whoami
labels:
- "traefik.enable=true"
- "traefik.docker.network=traefik"
...
- "traefik.http.routers.test-auth-ssl.middlewares=traefik-forward-auth@docker"
...
networks:
- traefik
networks:
traefik:
external: true
Copy the code
Docker-compose up -d: docker-compose up -d: docker-compose up -d: docker-compose up -d
Verify the Forward Auth SSO effect
Open a browser, type whoami.lab. IO, and you can see that it is first redirected to HTTPS, and then to sso.lab. IO /… SSO authentication address, prompting us for the account password.
Using curl to simulate a server request:
Curl https://whoami.lab.io -v * Trying 127.0.0.1... * TCP_NODELAY set * Connected to whoami.lab. IO (127.0.0.1) port 443 (#0)... > GET/HTTP/2 > Host: whoami.lab. IO > user-agent: curl/7.64.1 > Accept: */* > * Connection state changed (MAX_CONCURRENT_STREAMS == 250)! < HTTP/2 307 < content-type: text/html; charset=utf-8 < date: Wed, 02 Dec 2020 13:45:35 GMT < location: https://sso.lab.io/dialog/authorize? client_id=abc123&redirect_uri=https%3A%2F%2Fwhoami.lab.io%2F_oauth&response_type=code&scope=%2A&state=396bd5c20d6bcfdffc 2426bddf619707%3Ageneric-oauth%3Ahttps%3A%2F%2Fwhoami.lab.io%2F < set-cookie: _forward_auth_csrf=396bd5c20d6bcfdffc2426bddf619707; Path=/; Domain=whoami.lab.io; Expires=Thu, 03 Dec 2020 01:45:35 GMT; HttpOnly < content-length: 271 < <a href="https://sso.lab.io/dialog/authorize? client_id=abc123& redirect_uri=https%3A%2F%2Fwhoami.lab.io%2F_oauth& response_type=code& scope=%2A& state=396bd5c20d6bcfdffc2426bddf619707%3Ageneric-oauth%3Ahttps%3A%2F%2Fwhoami.lab.io%2F">Temporary Redirect</a>. * Connection #0 to host whoami.lab.io left intact * Closing connection 0Copy the code
As you can see, the configuration still works, the server returned a 307 redirect, and the request we sent to whoami.lab. IO was redirected to sso.lab. IO, as we expected.
Enter your account password in your browser and click Submit. You can see that you are redirected to the authorization confirmation page.
Click Permit, authorize, and wait for the authorization to complete, we can officially access the application page. Of course, there are some apps that simplify the verification process by eliminating the user confirmation dialog:
You can see that the information about authorized users is displayed in the application request headers X-Forwarded-User and Cookie. The information can be further processed or the authentication rules can be improved.
The last
At this point, Traefik basic authentication is complete, but SSO/OAUth-related content has just begun.
–EOF
I now have a small toss group, which gathered some like to toss small partners.
In the case of no advertisement, we will talk about software, HomeLab and some programming problems together, and also share some technical salon information in the group from time to time.
Like to toss small partners welcome to scan code to add friends. (Please specify source and purpose, otherwise it will not be approved)
All this stuff about getting into groups
This article is published under a SIGNATURE 4.0 International (CC BY 4.0) license. Signature 4.0 International (CC BY 4.0)
Author: Su Yang
Creation time: on December 2nd 2020 statistical word count: 6183 words reading time: 13 minutes to read this article links: soulteary.com/2020/12/02/…