Add example local environment with traefik (#1091)
* Add example with traefik and keycloak * Switch to dex * Remove unneeded change in keycloak settings * Taken into account review comments * Add changelog entry Co-authored-by: Frédéric Collonval <frederic.collonval@ariadnext.com> Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
parent
7262945c6a
commit
5788bebfee
@ -36,6 +36,7 @@
|
|||||||
- [#1039](https://github.com/oauth2-proxy/oauth2-proxy/pull/1039) Ensure errors in tests are logged to the GinkgoWriter (@JoelSpeed)
|
- [#1039](https://github.com/oauth2-proxy/oauth2-proxy/pull/1039) Ensure errors in tests are logged to the GinkgoWriter (@JoelSpeed)
|
||||||
- [#980](https://github.com/oauth2-proxy/oauth2-proxy/pull/980) Add Prometheus metrics endpoint
|
- [#980](https://github.com/oauth2-proxy/oauth2-proxy/pull/980) Add Prometheus metrics endpoint
|
||||||
- [#1023](https://github.com/oauth2-proxy/oauth2-proxy/pull/1023) Update docs on Traefik ForwardAuth support without the use of Traefik 'errors' middleware
|
- [#1023](https://github.com/oauth2-proxy/oauth2-proxy/pull/1023) Update docs on Traefik ForwardAuth support without the use of Traefik 'errors' middleware
|
||||||
|
- [#1091](https://github.com/oauth2-proxy/oauth2-proxy/pull/1091) Add an example with Traefik (configuration without Traefik 'errors' middleware)
|
||||||
|
|
||||||
# V7.0.1
|
# V7.0.1
|
||||||
|
|
||||||
|
@ -38,3 +38,11 @@ kubernetes-up:
|
|||||||
.PHONY: kubernetes-down
|
.PHONY: kubernetes-down
|
||||||
kubernetes-down:
|
kubernetes-down:
|
||||||
make -C kubernetes delete-cluster
|
make -C kubernetes delete-cluster
|
||||||
|
|
||||||
|
.PHONY: traefik-up
|
||||||
|
traefik-up:
|
||||||
|
docker-compose -f docker-compose.yaml -f docker-compose-traefik.yaml up -d
|
||||||
|
|
||||||
|
.PHONY: traefik-%
|
||||||
|
traefik-%:
|
||||||
|
docker-compose -f docker-compose.yaml -f docker-compose-traefik.yaml $*
|
||||||
|
@ -20,7 +20,7 @@ staticClients:
|
|||||||
redirectURIs:
|
redirectURIs:
|
||||||
# These redirect URIs point to the `--redirect-url` for OAuth2 proxy.
|
# These redirect URIs point to the `--redirect-url` for OAuth2 proxy.
|
||||||
- 'http://localhost:4180/oauth2/callback' # For basic proxy example.
|
- 'http://localhost:4180/oauth2/callback' # For basic proxy example.
|
||||||
- 'http://oauth2-proxy.oauth2-proxy.localhost/oauth2/callback' # For nginx example.
|
- 'http://oauth2-proxy.oauth2-proxy.localhost/oauth2/callback' # For nginx and traefik example.
|
||||||
name: 'OAuth2 Proxy'
|
name: 'OAuth2 Proxy'
|
||||||
secret: b2F1dGgyLXByb3h5LWNsaWVudC1zZWNyZXQK
|
secret: b2F1dGgyLXByb3h5LWNsaWVudC1zZWNyZXQK
|
||||||
enablePasswordDB: true
|
enablePasswordDB: true
|
||||||
|
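--- /dev/null
+++ b/contrib/local-environment/docker-compose-traefik.yaml
@@ -0,0 +1,49 @@
+# This docker-compose file can be used to bring up an example instance of oauth2-proxy
+# for manual testing and exploration of features.
+# Alongside OAuth2-Proxy, this file also starts Dex to act as the identity provider,
+# HTTPBin as an example upstream.
+#
+# This can either be created using docker-compose
+# docker-compose -f docker-compose-traefik.yaml <command>
+# Or:
+# make traefik-<command> (eg. make traefik-up, make traefik-down)
+#
+# Access one of the following URLs to initiate a login flow:
+# - http://oauth2-proxy.localhost
+# - http://httpbin.oauth2-proxy.localhost
+#
+# The OAuth2 Proxy itself is hosted at http://oauth2-proxy.oauth2-proxy.localhost
+#
+# Note, the above URLs should work with Chrome, but you may need to add hosts
+# entries for other browsers
+# 127.0.0.1 oauth2-proxy.localhost
+# 127.0.0.1 httpbin.oauth2-proxy.localhost
+# 127.0.0.1 oauth2-proxy.oauth2-proxy.localhost
+version: '3.0'
+services:
+
+  oauth2-proxy:
+    ports: []
+    hostname: oauth2-proxy
+    volumes:
+      - "./oauth2-proxy-traefik.cfg:/oauth2-proxy.cfg"
+    networks:
+      oauth2-proxy:
+
+  # Reverse proxy
+  gateway:
+    container_name: traefik
+    image: traefik:2.4.2
+    volumes:
+      - "./traefik:/etc/traefik"
+    ports:
+      - "80:80"
+      - "9090:8080"
+    depends_on:
+      - oauth2-proxy
+    networks:
+      oauth2-proxy:
+      httpbin:
+
+networks:
+  oauth2-proxy: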
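Review bot: The `gateway` service publishes Traefik's API/dashboard port with `- "9090:8080"`, which binds on every host interface, and the `traefik.yaml` added in this same commit serves that API with `api.insecure: true`, so the unauthenticated dashboard is reachable from any network the developer's machine is attached to. For a local example it is enough to bind it to loopback, `- "127.0.0.1:9090:8080"`, which is all the `.localhost` hostnames in the header comment assume anyway. The `networks:` entries under `gateway` (`oauth2-proxy:` and `httpbin:`) and the top-level `oauth2-proxy:` carry bare null values; `{}` is the usual spelling for an empty network definition and avoids the empty-value ambiguity, although Compose appears to accept both.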
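--- /dev/null
+++ b/contrib/local-environment/oauth2-proxy-traefik.cfg
@@ -0,0 +1,22 @@
+http_address="0.0.0.0:4180"
+cookie_secret="OQINaROshtE9TcZkNAm-5Zs2Pv3xaWytBmc5W7sPX7w="
+provider="oidc"
+email_domains=["example.com"]
+oidc_issuer_url="http://dex.localhost:4190/dex"
+client_secret="b2F1dGgyLXByb3h5LWNsaWVudC1zZWNyZXQK"
+client_id="oauth2-proxy"
+cookie_secure="false"
+
+redirect_url="http://oauth2-proxy.oauth2-proxy.localhost/oauth2/callback"
+cookie_domains=".oauth2-proxy.localhost" # Required so cookie can be read on all subdomains.
+whitelist_domains=".oauth2-proxy.localhost" # Required to allow redirection back to original requested target.
+
+# Mandatory option when using oauth2-proxy with traefik
+reverse_proxy="true"
+# Required for traefik with ForwardAuth and static upstream configuration
+upstreams="static://202"
+# The following option skip the page requesting the user
+# to click on a button to be redirected to the identity provider
+# It can be activated only when traefik is not configure with
+# the error redirection middleware as this example.
+skip_provider_button="true"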
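Review bot: The four-line comment above `skip_provider_button="true"` has grammar slips that obscure the one condition it is trying to state (`option skip the page`, `is not configure with`, `as this example`). Suggested wording: `# skip_provider_button skips the page that asks the user to click a button before being redirected to the identity provider. It can only be enabled when Traefik is NOT configured with the error-redirection middleware, as in this example.` The `# Mandatory option when using oauth2-proxy with traefik` line would also help more if it said why: as far as I can tell `reverse_proxy="true"` is what makes oauth2-proxy honour the `X-Forwarded-*` headers Traefik sends with the ForwardAuth request, which the sign-in redirect is built from.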
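--- /dev/null
+++ b/contrib/local-environment/traefik/dynamic.yaml
@@ -0,0 +1,57 @@
+http:
+  routers:
+    oauth2-proxy-route:
+      rule: "Host(`oauth2-proxy.oauth2-proxy.localhost`)"
+      middlewares:
+        - auth-headers
+      service: oauth-backend
+    httpbin-route:
+      rule: "Host(`httpbin.oauth2-proxy.localhost`)"
+      service: httpbin-service
+      middlewares:
+        - oauth-auth-redirect # redirects all unauthenticated to oauth2 signin
+    httpbin-route-2:
+      rule: "Host(`httpbin.oauth2-proxy.localhost`) && PathPrefix(`/no-auto-redirect`)"
+      service: httpbin-service
+      middlewares:
+        - oauth-auth-wo-redirect # unauthenticated session will return a 401
+    services-oauth2-route:
+      rule: "Host(`httpbin.oauth2-proxy.localhost`) && PathPrefix(`/oauth2/`)"
+      middlewares:
+        - auth-headers
+      service: oauth-backend
+
+  services:
+    httpbin-service:
+      loadBalancer:
+        servers:
+          - url: http://httpbin
+    oauth-backend:
+      loadBalancer:
+        servers:
+          - url: http://oauth2-proxy:4180
+
+  middlewares:
+    auth-headers:
+      headers:
+        stsSeconds: 315360000
+        browserXssFilter: true
+        contentTypeNosniff: true
+        forceSTSHeader: true
+        stsIncludeSubdomains: true
+        stsPreload: true
+        frameDeny: true
+    oauth-auth-redirect:
+      forwardAuth:
+        address: http://oauth2-proxy:4180
+        trustForwardHeader: true
+        authResponseHeaders:
+          - X-Auth-Request-Access-Token
+          - Authorization
+    oauth-auth-wo-redirect:
+      forwardAuth:
+        address: http://oauth2-proxy:4180/oauth2/auth
+        trustForwardHeader: true
+        authResponseHeaders:
+          - X-Auth-Request-Access-Token
+          - Authorization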
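Review bot: The `auth-headers` middleware sets `forceSTSHeader: true` together with `stsPreload: true`, `stsIncludeSubdomains: true` and a ten-year `stsSeconds`; on the plain-HTTP `.localhost` routers in this file browsers ignore the header, but this is the file people will copy, and preload plus includeSubdomains is effectively irreversible once sent from a real TLS domain. I would drop `stsPreload: true` from the example, or at least put a comment above `auth-headers`: `# HSTS is inert over plain HTTP; stsPreload/stsIncludeSubdomains are hard to undo on a real domain, enable deliberately.` Separately, both `authResponseHeaders` lists forward `X-Auth-Request-Access-Token` and `Authorization`, yet `oauth2-proxy-traefik.cfg` in this commit sets neither `set_xauthrequest` nor `set_authorization_header`, so as far as I can tell those entries are inert here and a short comment saying which cfg options turn them on would save the next reader a debugging round.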
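--- /dev/null
+++ b/contrib/local-environment/traefik/traefik.yaml
@@ -0,0 +1,7 @@
+api:
+  insecure: true
+log:
+  level: INFO
+providers:
+  file:
+    filename: /etc/traefik/dynamic.yaml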
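Review bot: `api.insecure: true` serves the Traefik API and dashboard with no authentication on the container's port 8080, which docker-compose-traefik.yaml in this commit publishes as 9090, and nothing in the file records that this is a deliberate choice for a throwaway local stack. A one-line comment above it keeps the setting from being carried into a real configuration: `# Unauthenticated API/dashboard on :8080 - local example only; outside this example expose it via api.dashboard behind an authenticated router.`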