Add example local environment with traefik (#1091)

* Add example with traefik and keycloak * Switch to dex * Remove unneeded change in keycloak settings * Taken into account review comments * Add changelog entry Co-authored-by: Frédéric Collonval <frederic.collonval@ariadnext.com> Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
2021-03-22 14:55:25 +01:00 · 2021-03-22 14:55:25 +01:00 · 5788bebfee
parent 7262945c6a
commit 5788bebfee
7 changed files with 145 additions and 1 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -36,6 +36,7 @@
 - [#1039](https://github.com/oauth2-proxy/oauth2-proxy/pull/1039) Ensure errors in tests are logged to the GinkgoWriter (@JoelSpeed)
 - [#980](https://github.com/oauth2-proxy/oauth2-proxy/pull/980) Add Prometheus metrics endpoint
 - [#1023](https://github.com/oauth2-proxy/oauth2-proxy/pull/1023) Update docs on Traefik ForwardAuth support without the use of Traefik 'errors' middleware
 - [#1091](https://github.com/oauth2-proxy/oauth2-proxy/pull/1091) Add an example with Traefik (configuration without Traefik 'errors' middleware)
 # V7.0.1
--- a/contrib/local-environment/Makefile
+++ b/contrib/local-environment/Makefile
@ -38,3 +38,11 @@ kubernetes-up:
 .PHONY: kubernetes-down
 kubernetes-down:
 	make -C kubernetes delete-cluster
 .PHONY: traefik-up
 traefik-up:
 	docker-compose -f docker-compose.yaml -f docker-compose-traefik.yaml up -d
 .PHONY: traefik-%
 traefik-%:
 	docker-compose -f docker-compose.yaml -f docker-compose-traefik.yaml $*
--- a/contrib/local-environment/dex.yaml
+++ b/contrib/local-environment/dex.yaml
@ -20,7 +20,7 @@ staticClients:
  redirectURIs:
  # These redirect URIs point to the `--redirect-url` for OAuth2 proxy.
  - 'http://localhost:4180/oauth2/callback' # For basic proxy example.
-  - 'http://oauth2-proxy.oauth2-proxy.localhost/oauth2/callback' # For nginx example.
+  - 'http://oauth2-proxy.oauth2-proxy.localhost/oauth2/callback' # For nginx and traefik example.
  name: 'OAuth2 Proxy'
  secret: b2F1dGgyLXByb3h5LWNsaWVudC1zZWNyZXQK
 enablePasswordDB: true
--- a/contrib/local-environment/docker-compose-traefik.yaml
+++ b/contrib/local-environment/docker-compose-traefik.yaml
@ -0,0 +1,49 @@
 # This docker-compose file can be used to bring up an example instance of oauth2-proxy
 # for manual testing and exploration of features.
 # Alongside OAuth2-Proxy, this file also starts Dex to act as the identity provider,
 # HTTPBin as an example upstream.
 #
 # This can either be created using docker-compose
 #    docker-compose -f docker-compose-traefik.yaml <command>
 # Or:
 #    make traefik-<command> (eg. make traefik-up, make traefik-down)
 #
 # Access one of the following URLs to initiate a login flow:
 #    - http://oauth2-proxy.localhost
 #    - http://httpbin.oauth2-proxy.localhost
 #
 # The OAuth2 Proxy itself is hosted at http://oauth2-proxy.oauth2-proxy.localhost
 #
 # Note, the above URLs should work with Chrome, but you may need to add hosts
 # entries for other browsers
 #    127.0.0.1 oauth2-proxy.localhost
 #    127.0.0.1 httpbin.oauth2-proxy.localhost
 #    127.0.0.1 oauth2-proxy.oauth2-proxy.localhost
 version: '3.0'
 services:
  oauth2-proxy:
    ports: []
    hostname: oauth2-proxy
    volumes:
      - "./oauth2-proxy-traefik.cfg:/oauth2-proxy.cfg"
    networks:
      oauth2-proxy:
  # Reverse proxy
  gateway:
    container_name: traefik
    image: traefik:2.4.2
    volumes:
      - "./traefik:/etc/traefik"
    ports:
      - "80:80"
      - "9090:8080"
    depends_on:
      - oauth2-proxy
    networks:
      oauth2-proxy:
      httpbin:
 networks:
  oauth2-proxy:
--- a/contrib/local-environment/oauth2-proxy-traefik.cfg
+++ b/contrib/local-environment/oauth2-proxy-traefik.cfg
@ -0,0 +1,22 @@
 http_address="0.0.0.0:4180"
 cookie_secret="OQINaROshtE9TcZkNAm-5Zs2Pv3xaWytBmc5W7sPX7w="
 provider="oidc"
 email_domains=["example.com"]
 oidc_issuer_url="http://dex.localhost:4190/dex"
 client_secret="b2F1dGgyLXByb3h5LWNsaWVudC1zZWNyZXQK"
 client_id="oauth2-proxy"
 cookie_secure="false"
 redirect_url="http://oauth2-proxy.oauth2-proxy.localhost/oauth2/callback"
 cookie_domains=".oauth2-proxy.localhost" # Required so cookie can be read on all subdomains.
 whitelist_domains=".oauth2-proxy.localhost" # Required to allow redirection back to original requested target.
 # Mandatory option when using oauth2-proxy with traefik
 reverse_proxy="true"
 # Required for traefik with ForwardAuth and static upstream configuration 
 upstreams="static://202"
 # The following option skip the page requesting the user
 # to click on a button to be redirected to the identity provider
 # It can be activated only when traefik is not configure with
 # the error redirection middleware as this example.
 skip_provider_button="true"
--- a/contrib/local-environment/traefik/dynamic.yaml
+++ b/contrib/local-environment/traefik/dynamic.yaml
@ -0,0 +1,57 @@
 http:
  routers:
    oauth2-proxy-route:
      rule: "Host(`oauth2-proxy.oauth2-proxy.localhost`)"
      middlewares:
        - auth-headers
      service: oauth-backend
    httpbin-route:
      rule: "Host(`httpbin.oauth2-proxy.localhost`)"
      service: httpbin-service
      middlewares:
        - oauth-auth-redirect # redirects all unauthenticated to oauth2 signin    
    httpbin-route-2:
      rule: "Host(`httpbin.oauth2-proxy.localhost`) && PathPrefix(`/no-auto-redirect`)"
      service: httpbin-service
      middlewares:
        - oauth-auth-wo-redirect # unauthenticated session will return a 401
    services-oauth2-route:
      rule: "Host(`httpbin.oauth2-proxy.localhost`) && PathPrefix(`/oauth2/`)"
      middlewares:
        - auth-headers
      service: oauth-backend
  services:
    httpbin-service:
      loadBalancer:
        servers:
          - url: http://httpbin
    oauth-backend:
      loadBalancer:
        servers:
          - url: http://oauth2-proxy:4180
  middlewares:
    auth-headers:
      headers:
        stsSeconds: 315360000
        browserXssFilter: true
        contentTypeNosniff: true
        forceSTSHeader: true
        stsIncludeSubdomains: true
        stsPreload: true
        frameDeny: true
    oauth-auth-redirect:
      forwardAuth:
        address: http://oauth2-proxy:4180
        trustForwardHeader: true
        authResponseHeaders:
          - X-Auth-Request-Access-Token
          - Authorization
    oauth-auth-wo-redirect:
      forwardAuth:
        address: http://oauth2-proxy:4180/oauth2/auth
        trustForwardHeader: true
        authResponseHeaders:
          - X-Auth-Request-Access-Token
          - Authorization
--- a/contrib/local-environment/traefik/traefik.yaml
+++ b/contrib/local-environment/traefik/traefik.yaml
@ -0,0 +1,7 @@
 api:
  insecure: true
 log:
  level: INFO
 providers:
  file:
    filename: /etc/traefik/dynamic.yaml