Add example local environment with traefik (#1091)

* Add example with traefik and keycloak * Switch to dex * Remove unneeded change in keycloak settings * Taken into account review comments * Add changelog entry Co-authored-by: Frédéric Collonval <frederic.collonval@ariadnext.com> Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
2021-03-22 14:55:25 +01:00 · 2021-03-22 14:55:25 +01:00 · 5788bebfee
commit 5788bebfee
parent 7262945c6a
7 changed files with 145 additions and 1 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -36,6 +36,7 @@
 - [#1039](https://github.com/oauth2-proxy/oauth2-proxy/pull/1039) Ensure errors in tests are logged to the GinkgoWriter (@JoelSpeed)
 - [#980](https://github.com/oauth2-proxy/oauth2-proxy/pull/980) Add Prometheus metrics endpoint
 - [#1023](https://github.com/oauth2-proxy/oauth2-proxy/pull/1023) Update docs on Traefik ForwardAuth support without the use of Traefik 'errors' middleware
+- [#1091](https://github.com/oauth2-proxy/oauth2-proxy/pull/1091) Add an example with Traefik (configuration without Traefik 'errors' middleware)

 # V7.0.1

--- a/contrib/local-environment/Makefile
+++ b/contrib/local-environment/Makefile
@ -38,3 +38,11 @@ kubernetes-up:
 .PHONY: kubernetes-down
 kubernetes-down:
 	make -C kubernetes delete-cluster
+
+.PHONY: traefik-up
+traefik-up:
+	docker-compose -f docker-compose.yaml -f docker-compose-traefik.yaml up -d
+
+.PHONY: traefik-%
+traefik-%:
+	docker-compose -f docker-compose.yaml -f docker-compose-traefik.yaml $*
--- a/contrib/local-environment/dex.yaml
+++ b/contrib/local-environment/dex.yaml
@ -20,7 +20,7 @@ staticClients:
  redirectURIs:
  # These redirect URIs point to the `--redirect-url` for OAuth2 proxy.
  - 'http://localhost:4180/oauth2/callback' # For basic proxy example.
-  - 'http://oauth2-proxy.oauth2-proxy.localhost/oauth2/callback' # For nginx example.
+  - 'http://oauth2-proxy.oauth2-proxy.localhost/oauth2/callback' # For nginx and traefik example.
  name: 'OAuth2 Proxy'
  secret: b2F1dGgyLXByb3h5LWNsaWVudC1zZWNyZXQK
 enablePasswordDB: true
--- a/contrib/local-environment/docker-compose-traefik.yaml
+++ b/contrib/local-environment/docker-compose-traefik.yaml
@ -0,0 +1,49 @@
+# This docker-compose file can be used to bring up an example instance of oauth2-proxy
+# for manual testing and exploration of features.
+# Alongside OAuth2-Proxy, this file also starts Dex to act as the identity provider,
+# HTTPBin as an example upstream.
+#
+# This can either be created using docker-compose
+#    docker-compose -f docker-compose-traefik.yaml <command>
+# Or:
+#    make traefik-<command> (eg. make traefik-up, make traefik-down)
+#
+# Access one of the following URLs to initiate a login flow:
+#    - http://oauth2-proxy.localhost
+#    - http://httpbin.oauth2-proxy.localhost
+#
+# The OAuth2 Proxy itself is hosted at http://oauth2-proxy.oauth2-proxy.localhost
+#
+# Note, the above URLs should work with Chrome, but you may need to add hosts
+# entries for other browsers
+#    127.0.0.1 oauth2-proxy.localhost
+#    127.0.0.1 httpbin.oauth2-proxy.localhost
+#    127.0.0.1 oauth2-proxy.oauth2-proxy.localhost
+version: '3.0'
+services:
+
+  oauth2-proxy:
+    ports: []
+    hostname: oauth2-proxy
+    volumes:
+      - "./oauth2-proxy-traefik.cfg:/oauth2-proxy.cfg"
+    networks:
+      oauth2-proxy:
+
+  # Reverse proxy
+  gateway:
+    container_name: traefik
+    image: traefik:2.4.2
+    volumes:
+      - "./traefik:/etc/traefik"
+    ports:
+      - "80:80"
+      - "9090:8080"
+    depends_on:
+      - oauth2-proxy
+    networks:
+      oauth2-proxy:
+      httpbin:
+
+networks:
+  oauth2-proxy:
--- a/contrib/local-environment/oauth2-proxy-traefik.cfg
+++ b/contrib/local-environment/oauth2-proxy-traefik.cfg
@ -0,0 +1,22 @@
+http_address="0.0.0.0:4180"
+cookie_secret="OQINaROshtE9TcZkNAm-5Zs2Pv3xaWytBmc5W7sPX7w="
+provider="oidc"
+email_domains=["example.com"]
+oidc_issuer_url="http://dex.localhost:4190/dex"
+client_secret="b2F1dGgyLXByb3h5LWNsaWVudC1zZWNyZXQK"
+client_id="oauth2-proxy"
+cookie_secure="false"
+
+redirect_url="http://oauth2-proxy.oauth2-proxy.localhost/oauth2/callback"
+cookie_domains=".oauth2-proxy.localhost" # Required so cookie can be read on all subdomains.
+whitelist_domains=".oauth2-proxy.localhost" # Required to allow redirection back to original requested target.
+
+# Mandatory option when using oauth2-proxy with traefik
+reverse_proxy="true"
+# Required for traefik with ForwardAuth and static upstream configuration 
+upstreams="static://202"
+# The following option skip the page requesting the user
+# to click on a button to be redirected to the identity provider
+# It can be activated only when traefik is not configure with
+# the error redirection middleware as this example.
+skip_provider_button="true"
--- a/contrib/local-environment/traefik/dynamic.yaml
+++ b/contrib/local-environment/traefik/dynamic.yaml
@ -0,0 +1,57 @@
+http:
+  routers:
+    oauth2-proxy-route:
+      rule: "Host(`oauth2-proxy.oauth2-proxy.localhost`)"
+      middlewares:
+        - auth-headers
+      service: oauth-backend
+    httpbin-route:
+      rule: "Host(`httpbin.oauth2-proxy.localhost`)"
+      service: httpbin-service
+      middlewares:
+        - oauth-auth-redirect # redirects all unauthenticated to oauth2 signin    
+    httpbin-route-2:
+      rule: "Host(`httpbin.oauth2-proxy.localhost`) && PathPrefix(`/no-auto-redirect`)"
+      service: httpbin-service
+      middlewares:
+        - oauth-auth-wo-redirect # unauthenticated session will return a 401
+    services-oauth2-route:
+      rule: "Host(`httpbin.oauth2-proxy.localhost`) && PathPrefix(`/oauth2/`)"
+      middlewares:
+        - auth-headers
+      service: oauth-backend
+
+  services:
+    httpbin-service:
+      loadBalancer:
+        servers:
+          - url: http://httpbin
+    oauth-backend:
+      loadBalancer:
+        servers:
+          - url: http://oauth2-proxy:4180
+
+  middlewares:
+    auth-headers:
+      headers:
+        stsSeconds: 315360000
+        browserXssFilter: true
+        contentTypeNosniff: true
+        forceSTSHeader: true
+        stsIncludeSubdomains: true
+        stsPreload: true
+        frameDeny: true
+    oauth-auth-redirect:
+      forwardAuth:
+        address: http://oauth2-proxy:4180
+        trustForwardHeader: true
+        authResponseHeaders:
+          - X-Auth-Request-Access-Token
+          - Authorization
+    oauth-auth-wo-redirect:
+      forwardAuth:
+        address: http://oauth2-proxy:4180/oauth2/auth
+        trustForwardHeader: true
+        authResponseHeaders:
+          - X-Auth-Request-Access-Token
+          - Authorization
--- a/contrib/local-environment/traefik/traefik.yaml
+++ b/contrib/local-environment/traefik/traefik.yaml
@ -0,0 +1,7 @@
+api:
+  insecure: true
+log:
+  level: INFO
+providers:
+  file:
+    filename: /etc/traefik/dynamic.yaml