Add example local environment with traefik (#1091)

* Add example with traefik and keycloak

* Switch to dex

* Remove unneeded change in keycloak settings

* Taken into account review comments

* Add changelog entry

Co-authored-by: Frédéric Collonval <frederic.collonval@ariadnext.com>
Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
This commit is contained in:
Frédéric Collonval 2021-03-22 14:55:25 +01:00 committed by GitHub
parent 7262945c6a
commit 5788bebfee
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
7 changed files with 145 additions and 1 deletions

View File

@ -36,6 +36,7 @@
- [#1039](https://github.com/oauth2-proxy/oauth2-proxy/pull/1039) Ensure errors in tests are logged to the GinkgoWriter (@JoelSpeed) - [#1039](https://github.com/oauth2-proxy/oauth2-proxy/pull/1039) Ensure errors in tests are logged to the GinkgoWriter (@JoelSpeed)
- [#980](https://github.com/oauth2-proxy/oauth2-proxy/pull/980) Add Prometheus metrics endpoint - [#980](https://github.com/oauth2-proxy/oauth2-proxy/pull/980) Add Prometheus metrics endpoint
- [#1023](https://github.com/oauth2-proxy/oauth2-proxy/pull/1023) Update docs on Traefik ForwardAuth support without the use of Traefik 'errors' middleware - [#1023](https://github.com/oauth2-proxy/oauth2-proxy/pull/1023) Update docs on Traefik ForwardAuth support without the use of Traefik 'errors' middleware
- [#1091](https://github.com/oauth2-proxy/oauth2-proxy/pull/1091) Add an example with Traefik (configuration without Traefik 'errors' middleware)
# V7.0.1 # V7.0.1

View File

@ -38,3 +38,11 @@ kubernetes-up:
.PHONY: kubernetes-down .PHONY: kubernetes-down
kubernetes-down: kubernetes-down:
make -C kubernetes delete-cluster make -C kubernetes delete-cluster
.PHONY: traefik-up
traefik-up:
docker-compose -f docker-compose.yaml -f docker-compose-traefik.yaml up -d
.PHONY: traefik-%
traefik-%:
docker-compose -f docker-compose.yaml -f docker-compose-traefik.yaml $*

View File

@ -20,7 +20,7 @@ staticClients:
redirectURIs: redirectURIs:
# These redirect URIs point to the `--redirect-url` for OAuth2 proxy. # These redirect URIs point to the `--redirect-url` for OAuth2 proxy.
- 'http://localhost:4180/oauth2/callback' # For basic proxy example. - 'http://localhost:4180/oauth2/callback' # For basic proxy example.
- 'http://oauth2-proxy.oauth2-proxy.localhost/oauth2/callback' # For nginx example. - 'http://oauth2-proxy.oauth2-proxy.localhost/oauth2/callback' # For nginx and traefik example.
name: 'OAuth2 Proxy' name: 'OAuth2 Proxy'
secret: b2F1dGgyLXByb3h5LWNsaWVudC1zZWNyZXQK secret: b2F1dGgyLXByb3h5LWNsaWVudC1zZWNyZXQK
enablePasswordDB: true enablePasswordDB: true

View File

@ -0,0 +1,49 @@
# This docker-compose file can be used to bring up an example instance of oauth2-proxy
# for manual testing and exploration of features.
# Alongside OAuth2-Proxy, this file also starts Dex to act as the identity provider,
# HTTPBin as an example upstream.
#
# This can either be created using docker-compose
# docker-compose -f docker-compose-traefik.yaml <command>
# Or:
# make traefik-<command> (eg. make traefik-up, make traefik-down)
#
# Access one of the following URLs to initiate a login flow:
# - http://oauth2-proxy.localhost
# - http://httpbin.oauth2-proxy.localhost
#
# The OAuth2 Proxy itself is hosted at http://oauth2-proxy.oauth2-proxy.localhost
#
# Note, the above URLs should work with Chrome, but you may need to add hosts
# entries for other browsers
# 127.0.0.1 oauth2-proxy.localhost
# 127.0.0.1 httpbin.oauth2-proxy.localhost
# 127.0.0.1 oauth2-proxy.oauth2-proxy.localhost
version: '3.0'
services:
oauth2-proxy:
ports: []
hostname: oauth2-proxy
volumes:
- "./oauth2-proxy-traefik.cfg:/oauth2-proxy.cfg"
networks:
oauth2-proxy:
# Reverse proxy
gateway:
container_name: traefik
image: traefik:2.4.2
volumes:
- "./traefik:/etc/traefik"
ports:
- "80:80"
- "9090:8080"
depends_on:
- oauth2-proxy
networks:
oauth2-proxy:
httpbin:
networks:
oauth2-proxy:

View File

@ -0,0 +1,22 @@
http_address="0.0.0.0:4180"
cookie_secret="OQINaROshtE9TcZkNAm-5Zs2Pv3xaWytBmc5W7sPX7w="
provider="oidc"
email_domains=["example.com"]
oidc_issuer_url="http://dex.localhost:4190/dex"
client_secret="b2F1dGgyLXByb3h5LWNsaWVudC1zZWNyZXQK"
client_id="oauth2-proxy"
cookie_secure="false"
redirect_url="http://oauth2-proxy.oauth2-proxy.localhost/oauth2/callback"
cookie_domains=".oauth2-proxy.localhost" # Required so cookie can be read on all subdomains.
whitelist_domains=".oauth2-proxy.localhost" # Required to allow redirection back to original requested target.
# Mandatory option when using oauth2-proxy with traefik
reverse_proxy="true"
# Required for traefik with ForwardAuth and static upstream configuration
upstreams="static://202"
# The following option skip the page requesting the user
# to click on a button to be redirected to the identity provider
# It can be activated only when traefik is not configure with
# the error redirection middleware as this example.
skip_provider_button="true"

View File

@ -0,0 +1,57 @@
http:
routers:
oauth2-proxy-route:
rule: "Host(`oauth2-proxy.oauth2-proxy.localhost`)"
middlewares:
- auth-headers
service: oauth-backend
httpbin-route:
rule: "Host(`httpbin.oauth2-proxy.localhost`)"
service: httpbin-service
middlewares:
- oauth-auth-redirect # redirects all unauthenticated to oauth2 signin
httpbin-route-2:
rule: "Host(`httpbin.oauth2-proxy.localhost`) && PathPrefix(`/no-auto-redirect`)"
service: httpbin-service
middlewares:
- oauth-auth-wo-redirect # unauthenticated session will return a 401
services-oauth2-route:
rule: "Host(`httpbin.oauth2-proxy.localhost`) && PathPrefix(`/oauth2/`)"
middlewares:
- auth-headers
service: oauth-backend
services:
httpbin-service:
loadBalancer:
servers:
- url: http://httpbin
oauth-backend:
loadBalancer:
servers:
- url: http://oauth2-proxy:4180
middlewares:
auth-headers:
headers:
stsSeconds: 315360000
browserXssFilter: true
contentTypeNosniff: true
forceSTSHeader: true
stsIncludeSubdomains: true
stsPreload: true
frameDeny: true
oauth-auth-redirect:
forwardAuth:
address: http://oauth2-proxy:4180
trustForwardHeader: true
authResponseHeaders:
- X-Auth-Request-Access-Token
- Authorization
oauth-auth-wo-redirect:
forwardAuth:
address: http://oauth2-proxy:4180/oauth2/auth
trustForwardHeader: true
authResponseHeaders:
- X-Auth-Request-Access-Token
- Authorization

View File

@ -0,0 +1,7 @@
api:
insecure: true
log:
level: INFO
providers:
file:
filename: /etc/traefik/dynamic.yaml