Merge pull request #44 from whole-tale/forward-auth
Add support for authentication and authorization of user accessing instances
craig-willis committed Mar 17, 2021
2 parents e85090b + 425e82d commit 04959b8
Showing 4 changed files with 76 additions and 88 deletions.
59 changes: 23 additions & 36 deletions docker-stack.yml
Expand Up @@ -2,7 +2,7 @@ version: '3.2'

services:
traefik:
image: traefik:alpine
image: traefik:v2.4
ports:
- "80:80"
- "443:443"
Expand All @@ -15,6 +15,8 @@ services:
- ./traefik/acme:/acme
deploy:
replicas: 1
labels:
- "traefik.enable=false"
environment:
- GODADDY_API_KEY=$WT_GODADDY_API_KEY
- GODADDY_API_SECRET=$WT_GODADDY_API_SECRET
Expand All @@ -28,10 +30,12 @@ services:
- mongo-cfg:/data/configdb
deploy:
replicas: 1
labels:
- "traefik.enable=false"


girder:
image: wholetale/girder:latest
image: wholetale/girder:cookie
networks:
- traefik-net
- celery
Expand All @@ -56,12 +60,15 @@ services:
deploy:
replicas: 1
labels:
- "traefik.frontend.rule=Host:girder.local.wholetale.org"
- "traefik.port=8080"
- "traefik.enable=true"
- "traefik.http.routers.girder.rule=Host(`girder.local.wholetale.org`)"
- "traefik.http.routers.girder.entrypoints=websecure"
- "traefik.http.routers.girder.tls=true"
- "traefik.http.services.girder.loadbalancer.server.port=8080"
- "traefik.http.services.girder.loadbalancer.passhostheader=true"
- "traefik.docker.network=wt_traefik-net"
- "traefik.frontend.passHostHeader=true"
- "traefik.frontend.entryPoints=https"
- "traefik.http.middlewares.girder.forwardauth.address=http://girder:8080/api/v1/instance/authorize/"
- "traefik.http.middlewares.girder.forwardauth.trustforwardheader=true"

redis:
image: redis:4-stretch
Expand All @@ -72,28 +79,6 @@ services:
labels:
- "traefik.enable=false"

dashboard_old:
image: wholetale/dashboardproxy:latest
# build: ./dashboard_local
networks:
- traefik-net
environment:
- GIRDER_API_URL=https://girder.local.wholetale.org
- AUTH_PROVIDER=Globus
- DATAONE_URL=https://cn-stage-2.test.dataone.org
- DASHBOARD_DEV=true
volumes:
- ./src/dashboard/dist:/srv/dashboard
deploy:
replicas: 1
labels:
- "traefik.port=80"
- "traefik.frontend.rule=Host:legacy.local.wholetale.org"
- "traefik.enable=true"
- "traefik.docker.network=wt_traefik-net"
- "traefik.frontend.passHostHeader=true"
- "traefik.frontend.entryPoints=https"

dashboard:
image: wholetale/ngx-dashboard:latest
networks:
Expand All @@ -106,12 +91,13 @@ services:
deploy:
replicas: 1
labels:
- "traefik.port=80"
- "traefik.frontend.rule=Host:dashboard.local.wholetale.org"
- "traefik.enable=true"
- "traefik.http.routers.dashboard.rule=Host(`dashboard.local.wholetale.org`)"
- "traefik.http.routers.dashboard.entrypoints=websecure"
- "traefik.http.routers.dashboard.tls=true"
- "traefik.http.services.dashboard.loadbalancer.server.port=80"
- "traefik.http.services.dashboard.loadbalancer.passhostheader=true"
- "traefik.docker.network=wt_traefik-net"
- "traefik.frontend.passHostHeader=true"
- "traefik.frontend.entryPoints=https"
volumes:
- ./src/ngx-dashboard/dist/browser/:/usr/share/nginx/html/

Expand All @@ -130,12 +116,13 @@ services:
deploy:
replicas: 1
labels:
- "traefik.port=5000"
- "traefik.frontend.rule=Host:registry.local.wholetale.org"
- "traefik.enable=true"
- "traefik.http.routers.registry.rule=Host(`registry.local.wholetale.org`)"
- "traefik.http.routers.registry.entrypoints=websecure"
- "traefik.http.routers.registry.tls=true"
- "traefik.http.services.registry.loadbalancer.server.port=5000"
- "traefik.http.services.registry.loadbalancer.passhostheader=true"
- "traefik.docker.network=wt_traefik-net"
- "traefik.frontend.passHostHeader=true"
- "traefik.frontend.entryPoints=https"

# celery_worker:
# image: wholetale/gwvolman
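Review bot: The forwardAuth middleware on the girder service sets `traefik.http.middlewares.girder.forwardauth.trustforwardheader=true`, which makes Traefik relay the client's own `X-Forwarded-*` headers to `/api/v1/instance/authorize/`; this Traefik is the edge (80 and 443 are published directly and no upstream proxy is visible in the stack), so a caller can forge `X-Forwarded-Host`/`X-Forwarded-Uri` while the real `Host` header still picks the router, and if the authorize endpoint decides on those forwarded headers that is an authorization bypass between instances. Drop the label (or set it to `false`) so Traefik fills those headers from the actual request, and only re-enable it behind a trusted proxy together with `forwardedHeaders.trustedIPs` on the `websecure` entrypoint. The middleware is declared here but no visible router attaches it (there is no `traefik.http.routers.<name>.middlewares=girder` label), so presumably the worker-created instance routers reference it by name — a comment on the label stating that dependency would save the next reader a search. Separately, `wholetale/girder:cookie` is a mutable branch tag rather than a pinned release, and none of the `tls=true` routers set `tls.certresolver`, so unless the instance routers do, the `default` ACME resolver defined in traefik.toml is never exercised and these hosts serve Traefik's self-signed default certificate.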
2 changes: 1 addition & 1 deletion run_worker.sh
Expand Up @@ -24,7 +24,7 @@ docker run \
-e DEV=true \
-e DOMAIN=${domain} \
-e TRAEFIK_NETWORK=wt_traefik-net \
-e TRAEFIK_ENTRYPOINT=https \
-e TRAEFIK_ENTRYPOINT=websecure \
-e REGISTRY_USER=${registry_user} \
-e REGISTRY_URL=https://registry.${domain} \
-e REGISTRY_PASS=${registry_pass} \
1 change: 1 addition & 0 deletions setup_girder.py
Expand Up @@ -107,6 +107,7 @@ def final_msg():
"X-Forwarded-Host, Remote-Addr, Cache-Control"
),
},
{"key": "core.cookie_domain", "value": ".local.wholetale.org"},
{"key": "worker.api_url", "value": "http://girder:8080/api/v1"},
{"key": "worker.broker", "value": "redis://redis/"},
{"key": "worker.backend", "value": "redis://redis/"},
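Review bot: Setting `core.cookie_domain` to `.local.wholetale.org` widens the Girder session cookie from the API host to every subdomain, which is what lets a forwardAuth check on instance subdomains see it, but it also means the same cookie is sent to the dashboard and registry hosts and — as far as I can tell forwardAuth passes the original request through unchanged once it succeeds — to the instance containers themselves, so tale code the user did not author can read the user's session token. Consider a Traefik `headers` middleware that strips `Cookie` before the request reaches an instance, or a dedicated short-lived cookie for instance access, and confirm Girder issues this cookie with `Secure` and `HttpOnly` (not visible in this hunk). A why-comment on the line would help: `# Parent-domain scope so Traefik forwardAuth on *.local.wholetale.org instance hosts can read the Girder session cookie`. The settings list this entry belongs to, inside `final_msg()`, begins before the hunk.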
102 changes: 51 additions & 51 deletions traefik/traefik.toml
@@ -1,69 +1,69 @@
graceTimeOut = "10s"
debug = false
checkNewVersion = false
logLevel = "INFO"

# If set to true invalid SSL certificates are accepted for backends.
# Note: This disables detection of man-in-the-middle attacks so should only be used on secure backend networks.
# Optional
# Default: false
#
# InsecureSkipVerify = true

defaultEntryPoints = ["http", "https"]

[entryPoints]
[entryPoints.http]
address = ":80"
[entryPoints.http.redirect]
entryPoint = "https"
[entryPoints.https]
address = ":443"
[entryPoints.https.tls]
#MinVersion = "VersionTLS12"
#CipherSuites = ["TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305"]
MinVersion = "VersionTLS10"
CipherSuites = ["TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305", "TLS_RSA_WITH_AES_128_CBC_SHA", "TLS_RSA_WITH_AES_256_CBC_SHA"]
[entryPoints.web]
address = ":80"
[entryPoints.web.http]
[entryPoints.web.http.redirections]
[entryPoints.web.http.redirections.entryPoint]
to = "websecure"
scheme = "https"

[web]
address = ":8080"
[entryPoints.websecure]
address = ":443"

[acme]
email = "bgates@microsoft.com" # FIXME
storage = "/acme/acme.json"
entryPoint = "https"
acmeLogging = true
[providers]
providersThrottleDuration = "2s"
[providers.docker]
watch = true
endpoint = "unix:///var/run/docker.sock"
exposedByDefault = true
swarmMode = true
swarmModeRefreshSeconds = "15s"
httpClientTimeout = "0s"
defaultRule = "Host(`{{ trimPrefix `/` .Name }}.local.wholetale.org`)"

[acme.dnsChallenge]
provider = "godaddy"
delayBeforeCheck = 1800
[tls.options]
[tls.options.default]
minVersion = "VersionTLS10"
cipherSuites = [
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305",
"TLS_RSA_WITH_AES_128_CBC_SHA",
"TLS_RSA_WITH_AES_256_CBC_SHA"
]

[[acme.domains]]
main = "*.local.wholetale.org"
[api]
debug = false
dashboard = true
insecure = true

[docker]
endpoint = "unix:///var/run/docker.sock"
domain = "local.wholetale.org"
watch = true
exposedbydefault = true
swarmmode = true
[log]
level = "DEBUG"

[accessLog]
filePath = "/etc/traefik/access.log"
format = "json"

bufferingSize = 0
[accessLog.filters]
statusCodes = ["200", "300-302"]
retryAttempts = true

minDuration = "0s"
[accessLog.fields]
defaultMode = "keep"
[accessLog.fields.names]
"ClientUsername" = "drop"

ClientUsername = "drop"
[accessLog.fields.headers]
defaultMode = "keep"
[accessLog.fields.headers.names]
"User-Agent" = "redact"
"Authorization" = "drop"
"Content-Type" = "keep"
Authorization = "drop"
Content-Type = "keep"
User-Agent = "redact"

[certificatesResolvers]
[certificatesResolvers.default]
[certificatesResolvers.default.acme]
email = "bgates@microsoft.com"
storage = "/acme/acme.json"
[certificatesResolvers.default.acme.dnsChallenge]
provider = "godaddy"
delayBeforeCheck = "30m0s"
#entryPoint = "https"
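Review bot: The access log keeps every request header by default (`[accessLog.fields.headers] defaultMode = "keep"`) and drops only `Authorization`, so now that sessions ride on the `.local.wholetale.org` cookie introduced by this commit, every request writes the user's Girder session cookie in cleartext to `/etc/traefik/access.log`; add `Cookie = "drop"` next to `Authorization = "drop"` (and `Set-Cookie = "drop"` if response headers are logged in this version — I cannot confirm that from here). `[api] insecure = true` serves the API and dashboard unauthenticated on the internal `traefik` entrypoint; whether port 8080 is published is not visible in the stack, but the safer shape is `insecure = false` with the dashboard exposed through an `api@internal` router behind an auth middleware. `minVersion = "VersionTLS10"` plus the `TLS_RSA_*_CBC_SHA` suites are carried over from the v1 config and keep TLS 1.0/1.1 and non-forward-secret CBC suites enabled on a cookie-authenticated origin; the commented-out `VersionTLS12` set in the old file was already the right target. Finally, `[certificatesResolvers.default]` is defined but neither the `websecure` entrypoint nor any router label in the stack references it, and the v1 `[[acme.domains]]` wildcard was removed without a v2 `[[entryPoints.websecure.http.tls.domains]]` equivalent, so unless the worker-created routers set `tls.certresolver`, no certificate is requested.
```toml
[tls.options]
  [tls.options.default]
    minVersion = "VersionTLS12"
    cipherSuites = [
      "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
      "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
      "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305"
    ]

[api]
  dashboard = true
  insecure = false

# … unchanged: [log], [accessLog] filePath/format/filters/fields.names …
    [accessLog.fields.headers.names]
      Authorization = "drop"
      Cookie = "drop"
      Content-Type = "keep"
      User-Agent = "redact"
```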
