docs(TraefikForwardAuth): helmify docs (#32974)

**Description**
<!--
helmify docs
-->
⚒️ Fixes  # <!--(issue)-->

**⚙️ Type of change**

- [ ] ⚙️ Feature/App addition
- [ ] 🪛 Bugfix
- [ ] ⚠️ Breaking change (fix or feature that would cause existing
functionality to not work as expected)
- [ ] 🔃 Refactor of current code
- [x] 📜 Documentation Changes

**🧪 How Has This Been Tested?**
<!--
Please describe the tests that you ran to verify your changes. Provide
instructions so we can reproduce. Please also list any relevant details
for your test configuration
-->

**📃 Notes:**
<!-- Please enter any other relevant information here -->

**✔️ Checklist:**

- [ ] ⚖️ My code follows the style guidelines of this project
- [ ] 👀 I have performed a self-review of my own code
- [ ] #️⃣ I have commented my code, particularly in hard-to-understand
areas
- [x] 📄 I have made changes to the documentation
- [ ] 🧪 I have added tests to this description that prove my fix is
effective or that my feature works
- [ ] ⬆️ I increased versions for any altered app according to semantic
versioning
- [x] I made sure the title starts with `feat(chart-name):`,
`fix(chart-name):`, `chore(chart-name):`, `docs(chart-name):` or
`fix(docs):`

** App addition**

If this PR is an app addition please make sure you have done the
following.

- [ ] 🖼️ I have added an icon in the Chart's root directory called
`icon.png`

---

_Please don't blindly check all the boxes. Read them and only check
those that apply.
Those checkboxes are there for the reviewer to see what is this all
about and
the status of this PR with a quick glance._

---------

Signed-off-by: Alfred Göppel <43101280+alfi0812@users.noreply.github.com>
Co-authored-by: Alfred Göppel <43101280+alfi0812@users.noreply.github.com>
This commit is contained in:
Boemeltrein
2025-03-07 14:04:41 +01:00
committed by GitHub
parent 8022bebfb9
commit fe12d85a1c
8 changed files with 92 additions and 33 deletions
@@ -5,80 +5,139 @@ description: A How To Guide for Traefik Forward Auth
:::note
We highly recommend to setup [authelia](/charts/premium/authelia/setup-guide) instead.
We highly recommend to setup [authelia](/charts/premium/authelia/setup-guide)) instead.
:::
This app makes it possible to have a layer of security in front of your publicly exposed apps.
This chart makes it possible to have a layer of security in front of your publicly exposed charts.
It supports Google, OIDC, and generic OAuth2.
Please read the [GitHub README of the original project](https://github.com/thomseddon/traefik-forward-auth) for your
authentication options.
:::note
generally, phone apps do not support redirection during their authentication flow, so this middleware is more suitable for
Generally, phone apps do not support redirection during their authentication flow, so this middleware is more suitable for
protecting portals that you would access through a browser.
:::
## A standard setup (auth host mode)
This method will add a middleware to the traefik instance with Google authentication which then you can apply on any apps
This method will add a middleware to the traefik instance with Google authentication which then you can apply on any charts
with either subdomain or path prefix Ingress rules.
The example domain will be `https://example.com` which should be substituted to your externally accessible domain name.
### Setting up traefik-forward-auth
Follow this steps [here](https://github.com/thomseddon/traefik-forward-auth#google) to setup Google developer console.
Assuming you have set up the `Client ID for Web application` in the Google developer console and set the `Authorized redirect URIs` to
`https://auth.example.com/_oauth`, start deploying traefik-forward-auth.
Assuming you have set up the `Client ID for Web application` in the developer console and set the `Authorized redirect URIs` to
`https://auth.example.com/_oauth`, start installing traefik-forward-auth:
Most important details to configure:
- Setup ingress to `auth.example.com`
- Set a `secret` (it's mandatory, but can be any string of your choosing).
- Set `authHost` to `auth.example.com`.
- Add your email to `whitelist` as array.
- Add your root domain to `cookieDomain`
- Set the `clientId` and `clientSecret` to the ones presented on the developer console.
- `prompt` needs to be set empty.
- As it is a stateless program, it doesn't need any special permissions or storage.
- Set a `Secret` (it's mandatory, but can be any string of your choosing).
- Set `Auth host` to `auth.example.com`.
- Add your email to `Whitelist`.
```yaml
// values.yaml
ingress:
main:
enabled: true
hosts:
- host: auth.${DOMAIN}
integrations:
traefik:
enabled: true
certManager:
enabled: true
certificateIssuer: cloudflare
![auth-options](./img/auth-options.png)
tfaAppOptions:
secret: something-random
- Add your root domain to `Cookie options`.
tfaAuthOptions:
authHost: auth.${DOMAIN}
urlPath: /_oauth
defaultAction: auth
defaultProvider: google
whitelist:
- ${EMAIL1}
- ${EMAIL2}
- ${EMAIL3}
![cookie-options](./img/cookie-options.png)
tfaCookieOptions:
cookieDomain:
- ${DOMAIN}
- Set the `Client ID` and `Client Secret` to the ones presented on the developer console. `Prompt` can be left empty.
![google-options](./img/google-options.png)
- Set up Ingress for the app as `auth.example.com` as usual.
- That's it, since this is a stateless program, it doesn't need any special permissions or storage.
tfaGoogleOptions:
clientId: ${GOOGLE_CLIENTID}
clientSecret: ${GOOGLE_SECRET}
prompt: ""
```
<br>
### Creating the middleware on traefik
The traefik instance has to be made aware of the forward authentication. Edit your traefik installation:
The traefik instance has to be made aware of the forward authentication. Edit in traefik configuration:
- Go to `websecure` entrypoint and enable `Accept forwarded headers`.
- Add to `websecure` entrypoint and enable `Accept forwarded headers`.
- Add your default gateway (internal router IP) to `Trusted IPs` if using hairpin NAT. If you are using DNS override for your
domain name, you can probably skip this step.
domain name, you can probably skip this part.
![traefik-forwarded-headers](./img/traefik-forwarded-headers.png)
```yaml
service:
tcp:
loadBalancerIP: ${IP_TRAEFIK}
ports:
websecure:
forwardedHeaders:
enabled: true
trustedIPs:
- 192.168.1.1
```
- Go to `Middlewares` and add a `forward-auth` one.
- Name it (use a short one if planning to add to many apps).
- Add `https://auth.example.com/_oauth` as address. This will redirect initial requests to the traefik-forward-auth container.
- Check `trustForwardHeader`.
- Add `X-Forwarded-User` to `authResponseHeaders`.
- Add the correct middleware
![traefik-middleware](./img/traefik-middleware.png)
```yaml
middlewares:
forwardAuth:
- name: auth
address: http://traefik-forward-auth.traefik-forward-auth:4181/_oauth
authResponseHeaders:
- X-Forwarded-User
trustForwardHeader: true
```
### Applying the middleware on apps
### Applying the middleware on charts
To actually use the forward authentication, you have to add it to either a chain or by itself to existing app Ingresses.
To actually use the forward authentication, you have to add it to either a chain or by itself to existing charts Ingresses.
![ingress-middleware](./img/ingress-middleware.png)
```yaml
ingress:
main:
enabled: true
hosts:
- host: chart.${DOMAIN}
integrations:
traefik:
enabled: true
middlewares:
- name: auth
namespace: traefik
```
### Per-app whitelist
### Per-chart whitelist
In case you need per-app whitelists, you have two options: set up multiple instances of traefik-forward-auth (cumbersome) or
In case you need per-chart whitelists, you have two options: set up multiple instances of traefik-forward-auth (cumbersome) or
use custom rules. Consult the readme of the original project how to set them.
### Testing
Opening your URL should result in being redirected to Google authentication. Subsequent checks if the auth is working can be
made by opening an incognito window.
![signin](./img/sign_in.png)
Binary file not shown.

Before

Width:  |  Height:  |  Size: 40 KiB

Binary file not shown.

Before

Width:  |  Height:  |  Size: 8.0 KiB

Binary file not shown.

Before

Width:  |  Height:  |  Size: 9.1 KiB

Binary file not shown.

Before

Width:  |  Height:  |  Size: 5.3 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 20 KiB

Binary file not shown.

Before

Width:  |  Height:  |  Size: 11 KiB

Binary file not shown.

Before

Width:  |  Height:  |  Size: 28 KiB