techies/authelia
1
0
Fork 0
mirror of https://github.com/0rangebananaspy/authelia.git synced 2024-09-14 22:47:21 +07:00
Code Issues Projects Releases Wiki Activity
8dcb8c4e29
authelia/docs/deployment/supported-proxies/traefik2.x.md
ThinkChaos ba65a3db82
feat(handlers): authorization header switch via query param to /api/verify (#1563) 
* [FEATURE] Add auth query param to /api/verify (#1353)

When `/api/verify` is called with `?auth=basic`, use the standard
Authorization header instead of Proxy-Authorization.

* [FIX] Better basic auth error reporting

* [FIX] Return 401 when using basic auth instead of redirecting

* [TESTS] Add tests for auth=basic query param

* [DOCS] Mention auth=basic argument and provide nginx example

* docs: add/adjust basic auth query arg docs for proxies

Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
2021-02-24 10:35:04 +11:00

157 lines
5.3 KiB
Markdown
Raw Blame History

---
layout: default
title: Traefik 2.x
parent: Proxy Integration
grand_parent: Deployment
nav_order: 3
---
# Traefik2
[Traefik 2.x] is a reverse proxy supported by **Authelia**.
## Configuration
Below you will find commented examples of the following configuration:
* Traefik 2.x
* Authelia portal
* Protected endpoint (Nextcloud)
* Protected endpoint with `Authorization` header for basic authentication (Heimdall)
The below configuration looks to provide examples of running Traefik 2.x with labels to protect your endpoint (Nextcloud in this case).
Please ensure that you also setup the respective [ACME configuration](https://docs.traefik.io/https/acme/) for your Traefik setup as this is not covered in the example below.
### Basic Authentication
Authelia provides the means to be able to authenticate your first factor via the `Proxy-Authorization` header, this is compatible with Traefik >= 2.4.1.
If you are running Traefik < 2.4.1, or you have a use-case which requires the use of the `Authorization` header/basic authentication login prompt you can call Authelia's `/api/verify` endpoint with the `auth=basic` query parameter to force a switch to the `Authentication` header.
##### docker-compose.yml
```yml
version: '3'
networks:
net:
driver: bridge
services:
traefik:
image: traefik:v2.2
container_name: traefik
volumes:
- /var/run/docker.sock:/var/run/docker.sock
networks:
- net
labels:
- 'traefik.enable=true'
- 'traefik.http.routers.api.rule=Host(`traefik.example.com`)'
- 'traefik.http.routers.api.entrypoints=https'
- 'traefik.http.routers.api.service=api@internal'
- 'traefik.http.routers.api.tls=true'
ports:
- 80:80
- 443:443
command:
- '--api'
- '--providers.docker=true'
- '--providers.docker.exposedByDefault=false'
- '--entrypoints.http=true'
- '--entrypoints.http.address=:80'
- '--entrypoints.http.http.redirections.entrypoint.to=https'
- '--entrypoints.http.http.redirections.entrypoint.scheme=https'
- '--entrypoints.https=true'
- '--entrypoints.https.address=:443'
- '--log=true'
- '--log.level=DEBUG'
- '--log.filepath=/var/log/traefik.log'
authelia:
image: authelia/authelia
container_name: authelia
volumes:
- /path/to/authelia:/config
networks:
- net
labels:
- 'traefik.enable=true'
- 'traefik.http.routers.authelia.rule=Host(`login.example.com`)'
- 'traefik.http.routers.authelia.entrypoints=https'
- 'traefik.http.routers.authelia.tls=true'
- 'traefik.http.middlewares.authelia.forwardauth.address=http://authelia:9091/api/verify?rd=https://login.example.com/'
- 'traefik.http.middlewares.authelia.forwardauth.trustForwardHeader=true'
- 'traefik.http.middlewares.authelia.forwardauth.authResponseHeaders=Remote-User, Remote-Groups, Remote-Name, Remote-Email'
- 'traefik.http.middlewares.authelia-basic.forwardauth.address=http://authelia:9091/api/verify?auth=basic'
- 'traefik.http.middlewares.authelia-basic.forwardauth.trustForwardHeader=true'
- 'traefik.http.middlewares.authelia-basic.forwardauth.authResponseHeaders=Remote-User, Remote-Groups, Remote-Name, Remote-Email'
expose:
- 9091
restart: unless-stopped
environment:
- TZ=Australia/Melbourne
nextcloud:
image: linuxserver/nextcloud
container_name: nextcloud
volumes:
- /path/to/nextcloud/config:/config
- /path/to/nextcloud/data:/data
networks:
- net
labels:
- 'traefik.enable=true'
- 'traefik.http.routers.nextcloud.rule=Host(`nextcloud.example.com`)'
- 'traefik.http.routers.nextcloud.entrypoints=https'
- 'traefik.http.routers.nextcloud.tls=true'
- 'traefik.http.routers.nextcloud.middlewares=authelia@docker'
expose:
- 443
restart: unless-stopped
environment:
- PUID=1000
- PGID=1000
- TZ=Australia/Melbourne
heimdall:
image: linuxserver/heimdall
container_name: heimdall
volumes:
- /path/to/heimdall/config:/config
networks:
- net
labels:
- 'traefik.enable=true'
- 'traefik.http.routers.heimdall.rule=Host(`heimdall.example.com`)'
- 'traefik.http.routers.heimdall.entrypoints=https'
- 'traefik.http.routers.heimdall.tls=true'
- 'traefik.http.routers.heimdall.middlewares=authelia-basic@docker'
expose:
- 443
restart: unless-stopped
environment:
- PUID=1000
- PGID=1000
- TZ=Australia/Melbourne
```
## FAQ
### Middleware authelia@docker not found
If Traefik and Authelia are defined in different docker compose stacks you may experience
an issue where Traefik complains that: `middleware authelia@docker not found`.
This can be avoided a couple different ways:
1. Ensure Authelia container is up before Traefik is started:
- Utilise the [`depends_on` option](https://docs.docker.com/compose/compose-file/#depends_on)
2. Define the Authelia middleware on your Traefik container
```yaml
- 'traefik.http.middlewares.authelia.forwardauth.address=http://authelia:9091/api/verify?rd=https://login.example.com/'
- 'traefik.http.middlewares.authelia.forwardauth.trustForwardHeader=true'
- 'traefik.http.middlewares.authelia.forwardauth.authResponseHeaders=Remote-User, Remote-Groups, Remote-Name, Remote-Email'
```
[Traefik 2.x]: https://docs.traefik.io/
Reference in New Issue View Git Blame Copy Permalink