diff --git a/CHANGELOG.md b/CHANGELOG.md
index ed10aab8..3c0efcb7 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -36,6 +36,7 @@
 - [#1039](https://github.com/oauth2-proxy/oauth2-proxy/pull/1039) Ensure errors in tests are logged to the GinkgoWriter (@JoelSpeed)
 - [#980](https://github.com/oauth2-proxy/oauth2-proxy/pull/980) Add Prometheus metrics endpoint
 - [#1023](https://github.com/oauth2-proxy/oauth2-proxy/pull/1023) Update docs on Traefik ForwardAuth support without the use of Traefik 'errors' middleware
+- [#1091](https://github.com/oauth2-proxy/oauth2-proxy/pull/1091) Add an example with Traefik (configuration without Traefik 'errors' middleware)
 # V7.0.1
diff --git a/contrib/local-environment/Makefile b/contrib/local-environment/Makefile
index 46d50c85..db335d8d 100644
--- a/contrib/local-environment/Makefile
+++ b/contrib/local-environment/Makefile
@@ -38,3 +38,11 @@ kubernetes-up:
 .PHONY: kubernetes-down
 kubernetes-down:
 make -C kubernetes delete-cluster
+
+.PHONY: traefik-up
+traefik-up:
+ docker-compose -f docker-compose.yaml -f docker-compose-traefik.yaml up -d
+
+.PHONY: traefik-%
+traefik-%:
+ docker-compose -f docker-compose.yaml -f docker-compose-traefik.yaml $*
diff --git a/contrib/local-environment/dex.yaml b/contrib/local-environment/dex.yaml
index 40a8bed0..ae687e05 100644
--- a/contrib/local-environment/dex.yaml
+++ b/contrib/local-environment/dex.yaml
@@ -20,7 +20,7 @@ staticClients:
 redirectURIs:
 # These redirect URIs point to the `--redirect-url` for OAuth2 proxy.
 - 'http://localhost:4180/oauth2/callback' # For basic proxy example.
- - 'http://oauth2-proxy.oauth2-proxy.localhost/oauth2/callback' # For nginx example.
+ - 'http://oauth2-proxy.oauth2-proxy.localhost/oauth2/callback' # For nginx and traefik example.
 name: 'OAuth2 Proxy'
 secret: b2F1dGgyLXByb3h5LWNsaWVudC1zZWNyZXQK
 enablePasswordDB: true
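Review bot: The compose file list `-f docker-compose.yaml -f docker-compose-traefik.yaml` is written out twice in the Makefile hunk, once in `traefik-up` and once in the `traefik-%` pattern rule; a single `TRAEFIK_COMPOSE := docker-compose -f docker-compose.yaml -f docker-compose-traefik.yaml` used by both recipes keeps them from drifting when either file is renamed. `traefik-up` is an explicit target, so make prefers it over the pattern rule, and it is the only place `-d` is added; a comment such as `# explicit so that 'up' runs detached; other verbs fall through to traefik-%` would stop a later reader from folding it into the pattern rule and losing `-d`.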
diff --git a/contrib/local-environment/docker-compose-traefik.yaml b/contrib/local-environment/docker-compose-traefik.yaml
new file mode 100644
index 00000000..c69e01ad
--- /dev/null
+++ b/contrib/local-environment/docker-compose-traefik.yaml
@@ -0,0 +1,49 @@
+# This docker-compose file can be used to bring up an example instance of oauth2-proxy
+# for manual testing and exploration of features.
+# Alongside OAuth2-Proxy, this file also starts Dex to act as the identity provider,
+# HTTPBin as an example upstream.
+#
+# This can either be created using docker-compose
+# docker-compose -f docker-compose-traefik.yaml
+# Or:
+# make traefik- (eg. make traefik-up, make traefik-down)
+#
+# Access one of the following URLs to initiate a login flow:
+# - http://oauth2-proxy.localhost
+# - http://httpbin.oauth2-proxy.localhost
+#
+# The OAuth2 Proxy itself is hosted at http://oauth2-proxy.oauth2-proxy.localhost
+#
+# Note, the above URLs should work with Chrome, but you may need to add hosts
+# entries for other browsers
+# 127.0.0.1 oauth2-proxy.localhost
+# 127.0.0.1 httpbin.oauth2-proxy.localhost
+# 127.0.0.1 oauth2-proxy.oauth2-proxy.localhost
+version: '3.0'
+services:
+
+ oauth2-proxy:
+ ports: []
+ hostname: oauth2-proxy
+ volumes:
+ - "./oauth2-proxy-traefik.cfg:/oauth2-proxy.cfg"
+ networks:
+ oauth2-proxy:
+
+ # Reverse proxy
+ gateway:
+ container_name: traefik
+ image: traefik:2.4.2
+ volumes:
+ - "./traefik:/etc/traefik"
+ ports:
+ - "80:80"
+ - "9090:8080"
+ depends_on:
+ - oauth2-proxy
+ networks:
+ oauth2-proxy:
+ httpbin:
+
+networks:
+ oauth2-proxy:
diff --git a/contrib/local-environment/oauth2-proxy-traefik.cfg b/contrib/local-environment/oauth2-proxy-traefik.cfg
new file mode 100644
index 00000000..6357c383
--- /dev/null
+++ b/contrib/local-environment/oauth2-proxy-traefik.cfg
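Review bot: `ports: []` under `oauth2-proxy` will not unpublish anything: when compose merges several `-f` files it concatenates `ports` instead of replacing them, so any host port the base `docker-compose.yaml` maps for oauth2-proxy (the `localhost:4180` redirect URI in dex.yaml suggests it does) stays published next to Traefik, and on that direct path oauth2-proxy, configured with `reverse_proxy="true"`, will honour whatever `X-Forwarded-*` headers a client sends. If the intent is that oauth2-proxy is reachable only through the gateway, the base mapping has to be removed there, and this key replaced by a comment such as `# reached only via the gateway; do not publish a host port here`. The header usage line `docker-compose -f docker-compose-traefik.yaml` also omits the base file that the Makefile passes first, and since this override defines no `image` for `oauth2-proxy` and no `httpbin` service it cannot start alone: `#   docker-compose -f docker-compose.yaml -f docker-compose-traefik.yaml up`. The header further lists `http://oauth2-proxy.localhost` as an entry URL, but the `traefik/dynamic.yaml` added in this commit only routes `oauth2-proxy.oauth2-proxy.localhost` and `httpbin.oauth2-proxy.localhost`, so that URL presumably gets Traefik's 404; either drop it from the list or add a router for it.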
@@ -0,0 +1,22 @@
+http_address="0.0.0.0:4180"
+cookie_secret="OQINaROshtE9TcZkNAm-5Zs2Pv3xaWytBmc5W7sPX7w="
+provider="oidc"
+email_domains=["example.com"]
+oidc_issuer_url="http://dex.localhost:4190/dex"
+client_secret="b2F1dGgyLXByb3h5LWNsaWVudC1zZWNyZXQK"
+client_id="oauth2-proxy"
+cookie_secure="false"
+
+redirect_url="http://oauth2-proxy.oauth2-proxy.localhost/oauth2/callback"
+cookie_domains=".oauth2-proxy.localhost" # Required so cookie can be read on all subdomains.
+whitelist_domains=".oauth2-proxy.localhost" # Required to allow redirection back to original requested target.
+
+# Mandatory option when using oauth2-proxy with traefik
+reverse_proxy="true"
+# Required for traefik with ForwardAuth and static upstream configuration
+upstreams="static://202"
+# The following option skip the page requesting the user
+# to click on a button to be redirected to the identity provider
+# It can be activated only when traefik is not configure with
+# the error redirection middleware as this example.
+skip_provider_button="true"
diff --git a/contrib/local-environment/traefik/dynamic.yaml b/contrib/local-environment/traefik/dynamic.yaml
new file mode 100644
index 00000000..e5d47df3
--- /dev/null
+++ b/contrib/local-environment/traefik/dynamic.yaml
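Review bot: The forwardAuth middlewares in `traefik/dynamic.yaml` (same commit) list `X-Auth-Request-Access-Token` and `Authorization` under `authResponseHeaders`, but nothing in this cfg tells oauth2-proxy to emit those headers on its auth responses (that presumably needs `set_authorization_header="true"`, or `set_xauthrequest="true"` together with `pass_access_token="true"`), so as far as the visible configuration shows httpbin receives neither; either enable them here or trim the middleware lists so the example does not imply the upstream gets a token. The `skip_provider_button` comment should read `# Skips the page that asks the user to click a button before being redirected to the identity provider. It can only be enabled when Traefik is not configured with the errors middleware, as in this example.` The literal `cookie_secret` and `client_secret` are acceptable only because this is a throwaway local environment whose client secret is already published in dex.yaml; a line such as `# Throwaway values for the local example only -- generate your own for any real deployment` above them discourages copying this file elsewhere.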
@@ -0,0 +1,57 @@
+http:
+ routers:
+ oauth2-proxy-route:
+ rule: "Host(`oauth2-proxy.oauth2-proxy.localhost`)"
+ middlewares:
+ - auth-headers
+ service: oauth-backend
+ httpbin-route:
+ rule: "Host(`httpbin.oauth2-proxy.localhost`)"
+ service: httpbin-service
+ middlewares:
+ - oauth-auth-redirect # redirects all unauthenticated to oauth2 signin
+ httpbin-route-2:
+ rule: "Host(`httpbin.oauth2-proxy.localhost`) && PathPrefix(`/no-auto-redirect`)"
+ service: httpbin-service
+ middlewares:
+ - oauth-auth-wo-redirect # unauthenticated session will return a 401
+ services-oauth2-route:
+ rule: "Host(`httpbin.oauth2-proxy.localhost`) && PathPrefix(`/oauth2/`)"
+ middlewares:
+ - auth-headers
+ service: oauth-backend
+
+ services:
+ httpbin-service:
+ loadBalancer:
+ servers:
+ - url: http://httpbin
+ oauth-backend:
+ loadBalancer:
+ servers:
+ - url: http://oauth2-proxy:4180
+
+ middlewares:
+ auth-headers:
+ headers:
+ stsSeconds: 315360000
+ browserXssFilter: true
+ contentTypeNosniff: true
+ forceSTSHeader: true
+ stsIncludeSubdomains: true
+ stsPreload: true
+ frameDeny: true
+ oauth-auth-redirect:
+ forwardAuth:
+ address: http://oauth2-proxy:4180
+ trustForwardHeader: true
+ authResponseHeaders:
+ - X-Auth-Request-Access-Token
+ - Authorization
+ oauth-auth-wo-redirect:
+ forwardAuth:
+ address: http://oauth2-proxy:4180/oauth2/auth
+ trustForwardHeader: true
+ authResponseHeaders:
+ - X-Auth-Request-Access-Token
+ - Authorization
diff --git a/contrib/local-environment/traefik/traefik.yaml b/contrib/local-environment/traefik/traefik.yaml
new file mode 100644
index 00000000..3dd00832
--- /dev/null
+++ b/contrib/local-environment/traefik/traefik.yaml
@@ -0,0 +1,7 @@
+api:
+ insecure: true
+log:
+ level: INFO
+providers:
+ file:
+ filename: /etc/traefik/dynamic.yaml
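Review bot: `httpbin-route`, `httpbin-route-2` and `services-oauth2-route` all match requests to `/no-auto-redirect` and `/oauth2/` on the same host, and nothing in the file says which one wins; it works only because Traefik's default priority is the rule's length, so the two longer `Host && PathPrefix` rules beat the bare `Host` rule. That dependency should be recorded, e.g. above `httpbin-route`: `# No explicit priority: Traefik ranks rules by length, so the PathPrefix routers below take precedence over this catch-all`, because a later edit that lengthens this rule would silently move `/oauth2/` and `/no-auto-redirect` traffic to the redirecting middleware. `trustForwardHeader: true` on both forwardAuth middlewares hands oauth2-proxy the request's existing `X-Forwarded-*` headers rather than values Traefik derives from the connection, and oauth2-proxy uses them (`reverse_proxy="true"` in the cfg) to build the host it redirects to; this is presumably safe only because the entrypoint has no `forwardedHeaders.trustedIPs` and so overwrites client-supplied forwarded headers, which is worth a one-line comment next to the first occurrence.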
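Review bot: `api: insecure: true` serves the Traefik API and dashboard on the internal port 8080 with no authentication, and `docker-compose-traefik.yaml` in this commit publishes that port on the host as `9090:8080`, so the full routing configuration is readable by anything that can reach the host. That is tolerable for a throwaway local environment, but the file should say so rather than leave it to be copied as-is: `api:` / `  insecure: true  # unauthenticated dashboard, published to the host on :9090 by docker-compose-traefik.yaml; local example only`.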