docs(TraefikForwardAuth): helmify docs (#32974)
**Description** <!-- helmify docs --> ⚒️ Fixes # <!--(issue)--> **⚙️ Type of change** - [ ] ⚙️ Feature/App addition - [ ] 🪛 Bugfix - [ ] ⚠️ Breaking change (fix or feature that would cause existing functionality to not work as expected) - [ ] 🔃 Refactor of current code - [x] 📜 Documentation Changes **🧪 How Has This Been Tested?** <!-- Please describe the tests that you ran to verify your changes. Provide instructions so we can reproduce. Please also list any relevant details for your test configuration --> **📃 Notes:** <!-- Please enter any other relevant information here --> **✔️ Checklist:** - [ ] ⚖️ My code follows the style guidelines of this project - [ ] 👀 I have performed a self-review of my own code - [ ] #️⃣ I have commented my code, particularly in hard-to-understand areas - [x] 📄 I have made changes to the documentation - [ ] 🧪 I have added tests to this description that prove my fix is effective or that my feature works - [ ] ⬆️ I increased versions for any altered app according to semantic versioning - [x] I made sure the title starts with `feat(chart-name):`, `fix(chart-name):`, `chore(chart-name):`, `docs(chart-name):` or `fix(docs):` **➕ App addition** If this PR is an app addition please make sure you have done the following. - [ ] 🖼️ I have added an icon in the Chart's root directory called `icon.png` --- _Please don't blindly check all the boxes. Read them and only check those that apply. Those checkboxes are there for the reviewer to see what is this all about and the status of this PR with a quick glance._ --------- Signed-off-by: Alfred Göppel <43101280+alfi0812@users.noreply.github.com> Co-authored-by: Alfred Göppel <43101280+alfi0812@users.noreply.github.com>
@@ -5,80 +5,139 @@ description: A How To Guide for Traefik Forward Auth
|
||||
|
||||
:::note
|
||||
|
||||
We highly recommend to setup [authelia](/charts/premium/authelia/setup-guide) instead.
|
||||
We highly recommend to setup [authelia](/charts/premium/authelia/setup-guide)) instead.
|
||||
|
||||
:::
|
||||
|
||||
This app makes it possible to have a layer of security in front of your publicly exposed apps.
|
||||
This chart makes it possible to have a layer of security in front of your publicly exposed charts.
|
||||
It supports Google, OIDC, and generic OAuth2.
|
||||
Please read the [GitHub README of the original project](https://github.com/thomseddon/traefik-forward-auth) for your
|
||||
authentication options.
|
||||
|
||||
:::note
|
||||
|
||||
generally, phone apps do not support redirection during their authentication flow, so this middleware is more suitable for
|
||||
Generally, phone apps do not support redirection during their authentication flow, so this middleware is more suitable for
|
||||
protecting portals that you would access through a browser.
|
||||
|
||||
:::
|
||||
|
||||
## A standard setup (auth host mode)
|
||||
|
||||
This method will add a middleware to the traefik instance with Google authentication which then you can apply on any apps
|
||||
This method will add a middleware to the traefik instance with Google authentication which then you can apply on any charts
|
||||
with either subdomain or path prefix Ingress rules.
|
||||
The example domain will be `https://example.com` which should be substituted to your externally accessible domain name.
|
||||
|
||||
### Setting up traefik-forward-auth
|
||||
Follow this steps [here](https://github.com/thomseddon/traefik-forward-auth#google) to setup Google developer console.
|
||||
Assuming you have set up the `Client ID for Web application` in the Google developer console and set the `Authorized redirect URIs` to
|
||||
`https://auth.example.com/_oauth`, start deploying traefik-forward-auth.
|
||||
|
||||
Assuming you have set up the `Client ID for Web application` in the developer console and set the `Authorized redirect URIs` to
|
||||
`https://auth.example.com/_oauth`, start installing traefik-forward-auth:
|
||||
Most important details to configure:
|
||||
- Setup ingress to `auth.example.com`
|
||||
- Set a `secret` (it's mandatory, but can be any string of your choosing).
|
||||
- Set `authHost` to `auth.example.com`.
|
||||
- Add your email to `whitelist` as array.
|
||||
- Add your root domain to `cookieDomain`
|
||||
- Set the `clientId` and `clientSecret` to the ones presented on the developer console.
|
||||
- `prompt` needs to be set empty.
|
||||
- As it is a stateless program, it doesn't need any special permissions or storage.
|
||||
|
||||
- Set a `Secret` (it's mandatory, but can be any string of your choosing).
|
||||
- Set `Auth host` to `auth.example.com`.
|
||||
- Add your email to `Whitelist`.
|
||||
```yaml
|
||||
// values.yaml
|
||||
ingress:
|
||||
main:
|
||||
enabled: true
|
||||
hosts:
|
||||
- host: auth.${DOMAIN}
|
||||
integrations:
|
||||
traefik:
|
||||
enabled: true
|
||||
certManager:
|
||||
enabled: true
|
||||
certificateIssuer: cloudflare
|
||||
|
||||

|
||||
tfaAppOptions:
|
||||
secret: something-random
|
||||
|
||||
- Add your root domain to `Cookie options`.
|
||||
tfaAuthOptions:
|
||||
authHost: auth.${DOMAIN}
|
||||
urlPath: /_oauth
|
||||
defaultAction: auth
|
||||
defaultProvider: google
|
||||
whitelist:
|
||||
- ${EMAIL1}
|
||||
- ${EMAIL2}
|
||||
- ${EMAIL3}
|
||||
|
||||

|
||||
tfaCookieOptions:
|
||||
cookieDomain:
|
||||
- ${DOMAIN}
|
||||
|
||||
- Set the `Client ID` and `Client Secret` to the ones presented on the developer console. `Prompt` can be left empty.
|
||||
|
||||

|
||||
|
||||
- Set up Ingress for the app as `auth.example.com` as usual.
|
||||
- That's it, since this is a stateless program, it doesn't need any special permissions or storage.
|
||||
tfaGoogleOptions:
|
||||
clientId: ${GOOGLE_CLIENTID}
|
||||
clientSecret: ${GOOGLE_SECRET}
|
||||
prompt: ""
|
||||
```
|
||||
<br>
|
||||
|
||||
### Creating the middleware on traefik
|
||||
|
||||
The traefik instance has to be made aware of the forward authentication. Edit your traefik installation:
|
||||
The traefik instance has to be made aware of the forward authentication. Edit in traefik configuration:
|
||||
|
||||
- Go to `websecure` entrypoint and enable `Accept forwarded headers`.
|
||||
- Add to `websecure` entrypoint and enable `Accept forwarded headers`.
|
||||
- Add your default gateway (internal router IP) to `Trusted IPs` if using hairpin NAT. If you are using DNS override for your
|
||||
domain name, you can probably skip this step.
|
||||
domain name, you can probably skip this part.
|
||||
|
||||

|
||||
```yaml
|
||||
service:
|
||||
tcp:
|
||||
loadBalancerIP: ${IP_TRAEFIK}
|
||||
ports:
|
||||
websecure:
|
||||
forwardedHeaders:
|
||||
enabled: true
|
||||
trustedIPs:
|
||||
- 192.168.1.1
|
||||
```
|
||||
|
||||
- Go to `Middlewares` and add a `forward-auth` one.
|
||||
- Name it (use a short one if planning to add to many apps).
|
||||
- Add `https://auth.example.com/_oauth` as address. This will redirect initial requests to the traefik-forward-auth container.
|
||||
- Check `trustForwardHeader`.
|
||||
- Add `X-Forwarded-User` to `authResponseHeaders`.
|
||||
- Add the correct middleware
|
||||
|
||||

|
||||
```yaml
|
||||
middlewares:
|
||||
forwardAuth:
|
||||
- name: auth
|
||||
address: http://traefik-forward-auth.traefik-forward-auth:4181/_oauth
|
||||
authResponseHeaders:
|
||||
- X-Forwarded-User
|
||||
trustForwardHeader: true
|
||||
```
|
||||
|
||||
### Applying the middleware on apps
|
||||
### Applying the middleware on charts
|
||||
|
||||
To actually use the forward authentication, you have to add it to either a chain or by itself to existing app Ingresses.
|
||||
To actually use the forward authentication, you have to add it to either a chain or by itself to existing charts Ingresses.
|
||||
|
||||

|
||||
```yaml
|
||||
ingress:
|
||||
main:
|
||||
enabled: true
|
||||
hosts:
|
||||
- host: chart.${DOMAIN}
|
||||
integrations:
|
||||
traefik:
|
||||
enabled: true
|
||||
middlewares:
|
||||
- name: auth
|
||||
namespace: traefik
|
||||
```
|
||||
|
||||
### Per-app whitelist
|
||||
### Per-chart whitelist
|
||||
|
||||
In case you need per-app whitelists, you have two options: set up multiple instances of traefik-forward-auth (cumbersome) or
|
||||
In case you need per-chart whitelists, you have two options: set up multiple instances of traefik-forward-auth (cumbersome) or
|
||||
use custom rules. Consult the readme of the original project how to set them.
|
||||
|
||||
### Testing
|
||||
|
||||
Opening your URL should result in being redirected to Google authentication. Subsequent checks if the auth is working can be
|
||||
made by opening an incognito window.
|
||||
|
||||

|
||||
|
||||
|
Before Width: | Height: | Size: 40 KiB |
|
Before Width: | Height: | Size: 8.0 KiB |
|
Before Width: | Height: | Size: 9.1 KiB |
|
Before Width: | Height: | Size: 5.3 KiB |
|
After Width: | Height: | Size: 20 KiB |
|
Before Width: | Height: | Size: 11 KiB |
|
Before Width: | Height: | Size: 28 KiB |