Skip to content
/ traefik-auth-cloudflare Public

Forward auth server to verify Cloudflare Access JWT tokens with traefik

License

MIT license
36 stars 13 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

adrienkohlbecker/traefik-auth-cloudflare

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

29 Commits
example
example
 
 
.gitignore
.gitignore
 
 
AUTHORS
AUTHORS
 
 
CHANGELOG.md
CHANGELOG.md
 
 
Dockerfile
Dockerfile
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
go.mod
go.mod
 
 
go.sum
go.sum
 
 
main.go
main.go
 
 

Repository files navigation

traefik-auth-cloudflare

Forward auth server to verify Cloudflare Access JWT tokens with traefik

GitHub release docker hub

Description

traefik-auth-cloudflare is designed to be a forward auth server for traefik and Cloudflare Access.

When forwarding a user's request to your application, Cloudflare Access will include a signed JWT as a HTTP header. This JWT needs to be authenticated to ensure the request has been signed by Cloudflare and has gone through their servers.

Documentation on how to validate the JWT can be found here https://developers.cloudflare.com/access/setting-up-access/validate-jwt-tokens/.

Using traefik-auth-cloudflare, you can configure your traefik instance to correctly authenticate cloudflare requests, and you can serve multiple authenticated applications from a single instance.

Example

Look into the example directory to find example docker-compose.yml and traefik.toml files.

How to use

  • Start an instance of traefik-auth-cloudflare in the same docker network as traefik. ideally this is a distinct network from your applications.
# create network for traefik->traefik-auth-cloudflare communication

$ docker network create traefik-auth

# start traefik-auth-cloudflare (default port is 8080)
# you need to set the auth domain you configured on cloudflare

$ docker run -d --network traefik-auth --name traefik-auth-cloudflare akohlbecker/traefik-auth-cloudflare --auth-domain https://foo.cloudflareaccess.com

# add traefik to your `traefik-auth` docker network (left to the reader)

$ docker network connect traefik-auth TRAEFIK_CONTAINER
  • Configure your router to authenticate requests using traefik-auth-cloudflare
# start your app with auth settings
# the Application Audience (aud) tag needs to be set as an URL parameter: `/auth/{audience}`

$ docker run \
  --label "traefik.http.routers.myapp.middlewares=myapp-auth@docker" \
  --label "traefik.http.middlewares.myapp-auth.forwardauth.address=http://traefik-auth-cloudflare:8080/auth/a83fd537ee93f21e86e51ab3c88f84ef07fd388865c7d0c3236947a8cf79daf5" \
  ....
  • Optionally, configure traefik to forward the authenticated user header to your application
# start your app with auth user forward
# the http header is `X-Auth-User`

$ docker run \
  --label "traefik.http.middlewares.myapp-auth.forwardauth.authResponseHeaders=X-Auth-User" \
  ....

About

Forward auth server to verify Cloudflare Access JWT tokens with traefik

Resources

Readme

License

MIT license
Activity

Stars

36 stars

Watchers

3 watching

Forks

13 forks
Report repository

Releases 2

2.0 Latest
Aug 16, 2021
+ 1 release

Packages

 
 
 

Contributors 3

  •  
  •  
  •  

Languages