This article was last updated on July 24, 2024.
Preface
Traefik is a modern HTTP reverse proxy and load balancer that makes it easy to deploy microservices.
Traefik integrates with many existing infrastructure components (Docker, Swarm mode, Kubernetes, Marathon, Consul, Etcd, Rancher, Amazon ECS…) and configures itself automatically and dynamically.
Today we detail how authentication can be implemented with Traefik's ForwardAuth middleware on K8S, and how it can be integrated with OAuth 2.0 or CAS through ForwardAuth.
The ForwardAuth middleware delegates authentication to an external service. If that service answers with a 2XX status code, access is granted and the original request is executed. Otherwise, the authentication server's response is returned to the client.
Simple configuration of ForwardAuth
Create the ForwardAuth middleware as follows:
```yaml
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: forward-auth
spec:
  forwardAuth:
    address: http://your_auth_server/oauth2.0/validate
    # headers copied from the auth server's response onto the forwarded request
    authResponseHeaders:
      - Authorization
    trustForwardHeader: true
```
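As an added example that is not part of the original post, here is a minimal ForwardAuth-compatible verification service written with Python's standard library, plus a function that mirrors how Traefik treats the service's answer (2XX grants and copies only the authResponseHeaders; anything else is returned to the client). The bearer-token check, the constructed token, port 4181 and the X-Auth-User header are assumptions for the demo, not part of the page's setup.

```python
import hmac
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed demo credentials; a real service validates a session cookie or JWT.
VALID_TOKENS = {"demo-token-123": "alice"}


def authorize(headers):
    """Decide for one forwarded request.

    Traefik sends the original request's headers (plus X-Forwarded-*) to the
    middleware's 'address'. Return (status, response_headers): a 2xx status
    means grant, anything else is handed back to the client unchanged.
    """
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "bearer":
        return 401, {"WWW-Authenticate": "Bearer"}
    for valid, user in VALID_TOKENS.items():
        if hmac.compare_digest(token, valid):  # constant-time comparison
            # Only names listed in authResponseHeaders reach the backend.
            return 202, {"Authorization": f"Bearer {valid}", "X-Auth-User": user}
    return 401, {"WWW-Authenticate": "Bearer"}


def apply_forward_auth(status, auth_headers, allowed):
    """Model Traefik's handling of the auth server's answer.

    On 2xx the original request is forwarded with only the 'allowed'
    (authResponseHeaders) headers copied onto it; otherwise the auth
    server's response is returned to the client as-is.
    """
    if 200 <= status < 300:
        return "forward", {k: v for k, v in auth_headers.items() if k in allowed}
    return "reject", dict(auth_headers)


class Handler(BaseHTTPRequestHandler):
    def do_GET(self):
        status, hdrs = authorize(self.headers)
        self.send_response(status)
        for name, value in hdrs.items():
            self.send_header(name, value)
        self.end_headers()


if __name__ == "__main__":
    # Point the middleware's 'address' at this listener to try it out.
    HTTPServer(("127.0.0.1", 4181), Handler).serve_forever()
```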
In addition, a second middleware is usually added to set security-related response headers, as follows:
```yaml
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: secure-header
spec:
  headers:
    browserXssFilter: true
    contentTypeNosniff: true
    customResponseHeaders:
      Cache-Control: max-age=31536000
      Pragma: no-cache
      Set-Cookie: secure
    forceSTSHeader: true
    stsIncludeSubdomains: true
    stsSeconds: 14400
```
Also for security reasons, HTTP is redirected to HTTPS (the redirectshttps middleware referenced below).
Then create an IngressRoute that chains these middlewares, for example:
```yaml
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: alertmanager
spec:
  routes:
    - kind: Rule
      match: Host(`e-whisper.com`) && PathPrefix(`/alertmanager/`)
      middlewares:
        - name: redirectshttps
        - name: secure-header
        - name: forward-auth
      services:
        - name: alertmanager
          port: 9093
```
🎉Finish!
Use OAuth Proxy and Traefik ForwardAuth integration
Create middleware for ForwardAuth 401 errors
The Traefik v2 ForwardAuth middleware lets Traefik authenticate each request through oauth2-proxy's /oauth2/auth endpoint, which only returns a 202 Accepted or 401 Unauthorized response without proxying the entire request.
oauth-errors and oauth-auth middleware
Purpose: Add headers to OAuth URLs
```yaml
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: auth-headers
spec:
  headers:
    sslRedirect: true
    stsSeconds: 315360000
    browserXssFilter: true
    contentTypeNosniff: true
    forceSTSHeader: true
    sslHost: e-whisper.com
    stsIncludeSubdomains: true
    stsPreload: true
    frameDeny: true
```
Purpose: ForwardAuth
```yaml
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: oauth-auth
spec:
  forwardAuth:
    address: https://oauth.e-whisper.com/oauth2/auth
    trustForwardHeader: true
```
Purpose: ForwardAuth returns 401-403 and redirects to the login page
```yaml
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: oauth-errors
spec:
  errors:
    status:
      - "401-403"
    # in the Kubernetes CRD, service is a name/port object (port as in the oauth IngressRoute)
    service:
      name: oauth-backend
      port: 4180
    query: "/oauth2/sign_in"
```
The IngressRoute configuration for oauth2-proxy itself (named oauth):
```yaml
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: oauth
spec:
  routes:
    - kind: Rule
      match: "Host(`e-whisper.com`, `oauth.e-whisper.com`) && PathPrefix(`/oauth2/`)"
      middlewares:
        - name: auth-headers
      services:
        - name: oauth-backend
          port: 4180
```
IngressRoute configuration for other applications that are protected by oauth2-proxy:
```yaml
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: alertmanager
spec:
  routes:
    - kind: Rule
      match: Host(`e-whisper.com`) && PathPrefix(`/alertmanager/`)
      middlewares:
        - name: redirectshttps
        - name: oauth-errors
        - name: oauth-auth
      services:
        - name: alertmanager
          port: 9093
```
🎉Finish!