Document Traefik tuning for forward auth #616
Comments
Edit: The problem as I understand it is that Traefik will strip the (source) This is unfortunate and may require a change to Traefik code if I am reading things correctly. It may also be beneficial to see how other Traefik forward auth plugins work.
One final thing you could do is route your forward auth locally instead of externally. This seems to be what is happening for other Traefik forward auth providers. These are snippets from some local testing of this approach:

docker-compose:

```yaml
httpbin:
  image: "kennethreitz/httpbin"
  labels:
    # forward-auth middleware points at the internal alias, not the public hostname
    - "traefik.http.middlewares.pomerium.forwardauth.authResponseHeaders=x-pomerium-jwt-assertion"
    - "traefik.http.middlewares.pomerium.forwardauth.address=http://fwdauth:80"
    - "traefik.http.routers.httpbin.middlewares=pomerium@docker"
    - "traefik.enable=true"
    - "traefik.http.routers.httpbin.rule=Host(`httpbin.corp`)"
    - "traefik.http.routers.httpbin.entrypoints=websecure"
    - "traefik.http.routers.httpbin.tls.certresolver=myresolver"
pomerium:
  image: pomerium/pomerium:master
  networks:
    default:
      aliases:
        # lets Traefik reach Pomerium directly as http://fwdauth:80 on the compose network
        - fwdauth
  volumes:
    - ./config/pomerium/config.yaml:/pomerium/config.yaml:ro
  labels:
    - "traefik.http.services.pomerium.loadbalancer.server.port=80"
    - "traefik.enable=true"
    - "traefik.http.routers.pomerium.rule=Host(`authenticate.corp`)"
    - "traefik.http.routers.pomerium.entrypoints=websecure"
    - "traefik.http.routers.pomerium.tls.certresolver=myresolver"
```

config.yaml:

```yaml
address: :80
forward_auth_url: http://fwdauth:80
authenticate_service_url: https://authenticate.corp
policy:
  - from: https://httpbin.corp
    to: http://httpbin.localhost
    allowed_users:
      - myemail@gmail.com
```

This requires that everything is locally route-able, which I'm not sure is the case for advanced usages of docker-compose. Definitely worth more discussion from people less new to Pomerium than I.
What about whitelisting the whole internal cluster CIDR? For example, the default k3s CIDR: EDIT: can confirm that with an internal forward_auth_url, you don't need to set trustedIPs
The docker-compose example was updated with the
If you are using Traefik to proxy requests to the Pomerium proxy acting as the forward auth component, then it is required to configure Traefik so that it allows "X-Forwarded-*" headers.
See https://docs.traefik.io/v2.0/routing/entrypoints/#forwarded-header
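As an added illustration (not from the issue thread or the Pomerium project), this is the Traefik v2 static configuration the comment above refers to, showing the permissive setting beside the scoped one; the CIDR is a placeholder for whatever network actually carries the forward-auth hop:

```yaml
# traefik.yml (Traefik v2 static configuration) -- added example, not from the issue
entryPoints:
  websecure:
    address: ":443"
    forwardedHeaders:
      # Avoid: trusts X-Forwarded-* from every client. Anyone who can reach the
      # entrypoint directly could then spoof X-Forwarded-For / X-Forwarded-Host,
      # which is the information the forward-auth decision is built on.
      # insecure: true

      # Preferred: only sources in these ranges may set X-Forwarded-* headers;
      # Traefik drops the headers on requests arriving from anywhere else.
      # Placeholder CIDR: replace with the compose/cluster network that the
      # Pomerium forward-auth hop really originates from, and keep it as narrow
      # as your topology allows.
      trustedIPs:
        - "172.18.0.0/16"
```

With an internal forward_auth_url (as in the compose snippet earlier in the thread) Traefik talks to Pomerium directly and this entrypoint setting is not needed for that hop.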