proxy: support external access control request handling (forward auth) #324
Codecov Report
@@ Coverage Diff @@
## master #324 +/- ##
========================================
- Coverage 88.9% 88.7% -0.3%
========================================
Files 49 49
Lines 2638 2679 +41
========================================
+ Hits 2346 2377 +31
- Misses 221 228 +7
- Partials 71 74 +3
What about this example? Pomerium as auth service is hidden behind Traefik. (That's why I wanted to have Pomerium with optional TLS.)

@lukasmrtvy -- Yes, that should work just fine but would require the TLS change (#64) which I'm also taking another look at. In that case, Traefik would be responsible for handling all routing and certificates.
Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
This is awesome! Any chance to have an example with ambassador as well? Thanks in advance.

@tlvenn not at the moment but we'd love the contribution. However, looking at the docs, the approach looks extremely similar to nginx and traefik so it should work out of the box.
Hi @desimone, thanks for providing this. Is there a complete docker-compose example of how to use pomerium as a forward auth middleware for ingresses such as Traefik? The example you gave above appears to be missing the pomerium service and config. There seems to be some example at https://github.com/pomerium/pomerium/tree/master/examples/traefik but it does not appear to work as expected. Ideally, Traefik would be responsible for managing TLS comms and pomerium would be just over HTTP. Also, the IAP would only be accessible internally as middleware, not directly via the browser. I've seen merged pull requests for both of these but nothing in the docs to reflect it, making it difficult to use. Effectively I'm looking to use pomerium in the same way that https://github.com/thomseddon/traefik-forward-auth supports.

Can you elaborate on what exactly "does not appear to work as expected"?

Hi @cuonglm, thanks for looking into this. It could be that I have my configuration wrong, please see: My configuration is almost identical to the one in the example except that I have different IDP creds, have changed the policy domain to my domain, and I've changed the pomerium.forwardauth.address to point to the local pomerium (http://pomerium), which is typically how forward auth and IAPs are used with Traefik. The example config has this in: This service appears to just return a 200, presumably allowing all messages through when used as a forward auth, rather than using pomerium? Why is this address used in the example? Configuring it to point to the local instance causes a 403 through the browser, and through postman with a valid token it redirects me to my IDP login page. I have an extract of the failure logs here when accessing via the browser: https://pastebin.com/r1LTyCt8 On top of this, it is not clear to me why the pomerium instance is exposed via traefik:
Hey @lyndon160 this is an error introduced in a recent repo reorganization. #1128 should fix it. For the v0.9.4 version of Pomerium it should be: - "traefik.http.middlewares.pomerium.forwardauth.address=http://pomerium/?uri=https://httpbin.localhost.pomerium.io" This will work without the |
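The thread above turns on how a forward-auth middleware actually decides: Traefik sends each request's method, scheme, host and URI to the auth address as X-Forwarded-* headers and treats any 2xx as "allow" (an endpoint that unconditionally returns 200, as questioned above, therefore admits everything), and a non-2xx response is returned to the client verbatim (which is how an API client ends up holding an HTML login page). The following is an added illustration of that contract written for this thread; it is not Pomerium's code and not part of the PR. The cookie name `_session`, the `validSessions` map standing in for a real session store, and the `authEndpoint` login URL are all assumptions chosen for the example.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// Assumed session store: a real deployment would verify a signed cookie or
// bearer token against an identity provider. The entry below is a
// constructed sample value.
var validSessions = map[string]string{
	"sess-abc123": "alice@example.com",
}

// Assumed user-facing login URL that browsers are redirected to.
const authEndpoint = "https://auth.example.com/login"

// forwardAuthHandler follows the Traefik ForwardAuth contract:
//   - 2xx: the proxy forwards the original request upstream (copying the
//     headers it is configured to trust, here X-Forwarded-User);
//   - anything else: the proxy returns this response to the client as-is.
func forwardAuthHandler(w http.ResponseWriter, r *http.Request) {
	proto := r.Header.Get("X-Forwarded-Proto")
	host := r.Header.Get("X-Forwarded-Host")
	uri := r.Header.Get("X-Forwarded-Uri")
	if proto == "" || host == "" {
		// Not called through the proxy: refuse rather than guess the request.
		http.Error(w, "missing X-Forwarded-* headers", http.StatusBadRequest)
		return
	}
	original := proto + "://" + host + uri

	if c, err := r.Cookie("_session"); err == nil {
		if user, ok := validSessions[c.Value]; ok {
			// Authorized: identity is passed to the upstream via a header.
			w.Header().Set("X-Forwarded-User", user)
			w.WriteHeader(http.StatusOK)
			return
		}
	}

	// Unauthenticated browser: redirect to login, preserving the original URL.
	// Unauthenticated API client: 401, so it never receives an HTML login page.
	if strings.Contains(r.Header.Get("Accept"), "text/html") {
		target := authEndpoint + "?redirect_uri=" + url.QueryEscape(original)
		http.Redirect(w, r, target, http.StatusFound)
		return
	}
	http.Error(w, "unauthorized", http.StatusUnauthorized)
}

// check plays the proxy's role: it issues the forward-auth sub-request with
// the headers Traefik would set and reports status, user header and Location.
func check(cookie, accept, method, proto, host, uri string) (int, string, string) {
	req := httptest.NewRequest(http.MethodGet, "/", nil)
	req.Header.Set("X-Forwarded-Method", method)
	req.Header.Set("X-Forwarded-Proto", proto)
	req.Header.Set("X-Forwarded-Host", host)
	req.Header.Set("X-Forwarded-Uri", uri)
	if accept != "" {
		req.Header.Set("Accept", accept)
	}
	if cookie != "" {
		req.AddCookie(&http.Cookie{Name: "_session", Value: cookie})
	}
	rr := httptest.NewRecorder()
	forwardAuthHandler(rr, req)
	return rr.Code, rr.Header().Get("X-Forwarded-User"), rr.Header().Get("Location")
}

func main() {
	for _, c := range [][]string{
		{"sess-abc123", "", "GET", "https", "app.example.com", "/secret"},
		{"", "text/html", "GET", "https", "app.example.com", "/secret"},
		{"", "application/json", "GET", "https", "app.example.com", "/secret"},
		{"", "", "GET", "", "", ""},
	} {
		code, user, loc := check(c[0], c[1], c[2], c[3], c[4], c[5])
		fmt.Printf("status=%d user=%q location=%q\n", code, user, loc)
	}
}
```

The handler is deliberately strict on two points the thread touches: it rejects direct calls that lack the proxy's forwarded headers instead of defaulting to allow, and it distinguishes browser clients from API clients so that a token-bearing client gets a 401 it can act on rather than a redirect to an IDP page.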
Hey @travisgroth thanks for the help, for the browser flow, this seems to be working as expected now. However, when I use postman with the same client and password grant type, pomerium errors saying:
The result is that postman gets a login page in return, which is not the expected behaviour.

@travisgroth thanks for the help. My issue was answered in #1130. Unfortunately Pomerium does not appear to suit my use case.
Flow diagram
In action
Not that exciting, but I guess that's the point. Subsequent calls to any other routes will be transparent as well.
https://www.youtube.com/watch?v=WXE79juX7zk&feature=youtu.be
Example config
Using Traefik forwardauth
And using nginx-ingress.
Checklist: