Add support for authentication and authorization of user accessing instances

docker-stack.yml

@@ -2,7 +2,7 @@ version: '3.2'
 
 services:
   traefik:
-    image: traefik:alpine
+    image: traefik:v2.4
     ports:
       - "80:80"
       - "443:443"
@@ -15,6 +15,8 @@ services:
       - ./traefik/acme:/acme
     deploy:
       replicas: 1
+      labels:
+        - "traefik.enable=false"
     environment:
       - GODADDY_API_KEY=$WT_GODADDY_API_KEY
       - GODADDY_API_SECRET=$WT_GODADDY_API_SECRET
@@ -28,10 +30,12 @@ services:
       - mongo-cfg:/data/configdb
     deploy:
       replicas: 1
+      labels:
+        - "traefik.enable=false"
 
 
   girder:
-    image: wholetale/girder:latest
+    image: wholetale/girder:cookie
     networks:
       - traefik-net
       - celery
@@ -56,12 +60,15 @@ services:
     deploy:
       replicas: 1
       labels:
-        - "traefik.frontend.rule=Host:girder.local.wholetale.org"
-        - "traefik.port=8080"
         - "traefik.enable=true"
+        - "traefik.http.routers.girder.rule=Host(`girder.local.wholetale.org`)"
+        - "traefik.http.routers.girder.entrypoints=websecure"
+        - "traefik.http.routers.girder.tls=true"
+        - "traefik.http.services.girder.loadbalancer.server.port=8080"
+        - "traefik.http.services.girder.loadbalancer.passhostheader=true"
         - "traefik.docker.network=wt_traefik-net"
-        - "traefik.frontend.passHostHeader=true"
-        - "traefik.frontend.entryPoints=https"
+        - "traefik.http.middlewares.girder.forwardauth.address=http://girder:8080/api/v1/instance/authorize/"
+        - "traefik.http.middlewares.girder.forwardauth.trustforwardheader=true"
 
   redis:
     image: redis:4-stretch
@@ -72,28 +79,6 @@ services:
       labels:
         - "traefik.enable=false"
 
-  dashboard_old:
-    image: wholetale/dashboardproxy:latest
-    # build: ./dashboard_local
-    networks:
-      - traefik-net
-    environment:
-      - GIRDER_API_URL=https://girder.local.wholetale.org
-      - AUTH_PROVIDER=Globus
-      - DATAONE_URL=https://cn-stage-2.test.dataone.org
-      - DASHBOARD_DEV=true
-    volumes:
-      - ./src/dashboard/dist:/srv/dashboard
-    deploy:
-      replicas: 1
-      labels:
-        - "traefik.port=80"
-        - "traefik.frontend.rule=Host:legacy.local.wholetale.org"
-        - "traefik.enable=true"
-        - "traefik.docker.network=wt_traefik-net"
-        - "traefik.frontend.passHostHeader=true"
-        - "traefik.frontend.entryPoints=https"
-
   dashboard:
     image: wholetale/ngx-dashboard:latest
     networks:
@@ -106,12 +91,13 @@ services:
     deploy:
       replicas: 1
       labels:
-        - "traefik.port=80"
-        - "traefik.frontend.rule=Host:dashboard.local.wholetale.org"
         - "traefik.enable=true"
+        - "traefik.http.routers.dashboard.rule=Host(`dashboard.local.wholetale.org`)"
+        - "traefik.http.routers.dashboard.entrypoints=websecure"
+        - "traefik.http.routers.dashboard.tls=true"
+        - "traefik.http.services.dashboard.loadbalancer.server.port=80"
+        - "traefik.http.services.dashboard.loadbalancer.passhostheader=true"
         - "traefik.docker.network=wt_traefik-net"
-        - "traefik.frontend.passHostHeader=true"
-        - "traefik.frontend.entryPoints=https"
     volumes:
       - ./src/ngx-dashboard/dist/browser/:/usr/share/nginx/html/
 
@@ -130,12 +116,13 @@ services:
     deploy:
       replicas: 1
       labels:
-        - "traefik.port=5000"
-        - "traefik.frontend.rule=Host:registry.local.wholetale.org"
         - "traefik.enable=true"
+        - "traefik.http.routers.registry.rule=Host(`registry.local.wholetale.org`)"
+        - "traefik.http.routers.registry.entrypoints=websecure"
+        - "traefik.http.routers.registry.tls=true"
+        - "traefik.http.services.registry.loadbalancer.server.port=5000"
+        - "traefik.http.services.registry.loadbalancer.passhostheader=true"
         - "traefik.docker.network=wt_traefik-net"
-        - "traefik.frontend.passHostHeader=true"
-        - "traefik.frontend.entryPoints=https"
 
 #  celery_worker:
 #    image: wholetale/gwvolman

run_worker.sh

@@ -24,7 +24,7 @@ docker run \
     -e DEV=true \
     -e DOMAIN=${domain} \
     -e TRAEFIK_NETWORK=wt_traefik-net \
-    -e TRAEFIK_ENTRYPOINT=https \
+    -e TRAEFIK_ENTRYPOINT=websecure \
     -e REGISTRY_USER=${registry_user} \
     -e REGISTRY_URL=https://registry.${domain} \
     -e REGISTRY_PASS=${registry_pass} \

setup_girder.py

@@ -107,6 +107,7 @@ def final_msg():
             "X-Forwarded-Host, Remote-Addr, Cache-Control"
         ),
     },
+    {"key": "core.cookie_domain", "value": ".local.wholetale.org"},
     {"key": "worker.api_url", "value": "http://girder:8080/api/v1"},
     {"key": "worker.broker", "value": "redis://redis/"},
     {"key": "worker.backend", "value": "redis://redis/"},

traefik/traefik.toml

@@ -1,69 +1,69 @@
-graceTimeOut = "10s"
-debug = false
-checkNewVersion = false
-logLevel = "INFO"
-
-# If set to true invalid SSL certificates are accepted for backends.
-# Note: This disables detection of man-in-the-middle attacks so should only be used on secure backend networks.
-# Optional
-# Default: false
-#
-# InsecureSkipVerify = true
-
-defaultEntryPoints = ["http", "https"]
-
 [entryPoints]
-  [entryPoints.http]
-  address = ":80"
-    [entryPoints.http.redirect]
-       entryPoint = "https"
-  [entryPoints.https]
-  address = ":443"
-    [entryPoints.https.tls]
-    #MinVersion = "VersionTLS12"
-    #CipherSuites = ["TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305"]
-    MinVersion = "VersionTLS10"
-    CipherSuites = ["TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305", "TLS_RSA_WITH_AES_128_CBC_SHA", "TLS_RSA_WITH_AES_256_CBC_SHA"]
+  [entryPoints.web]
+    address = ":80"
+    [entryPoints.web.http]
+      [entryPoints.web.http.redirections]
+        [entryPoints.web.http.redirections.entryPoint]
+          to = "websecure"
+          scheme = "https"
 
-[web]
-address = ":8080"
+  [entryPoints.websecure]
+    address = ":443"
 
-[acme]
-email = "bgates@microsoft.com"   # FIXME
-storage = "/acme/acme.json"
-entryPoint = "https"
-acmeLogging = true
+[providers]
+  providersThrottleDuration = "2s"
+  [providers.docker]
+    watch = true
+    endpoint = "unix:///var/run/docker.sock"
+    exposedByDefault = true
+    swarmMode = true
+    swarmModeRefreshSeconds = "15s"
+    httpClientTimeout = "0s"
+    defaultRule = "Host(`{{ trimPrefix `/` .Name }}.local.wholetale.org`)"
 
-[acme.dnsChallenge]
-provider = "godaddy"
-delayBeforeCheck = 1800
+[tls.options]
+  [tls.options.default]
+    minVersion = "VersionTLS10"
+    cipherSuites = [
+      "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
+      "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
+      "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305",
+      "TLS_RSA_WITH_AES_128_CBC_SHA",
+      "TLS_RSA_WITH_AES_256_CBC_SHA"
+   ]
 
-[[acme.domains]]
-main = "*.local.wholetale.org"
+[api]
+  debug = false
+  dashboard = true
+  insecure = true
 
-[docker]
-endpoint = "unix:///var/run/docker.sock"
-domain = "local.wholetale.org"
-watch = true
-exposedbydefault = true
-swarmmode = true
+[log]
+  level = "DEBUG"
 
 [accessLog]
-  filePath = "/etc/traefik/access.log"
   format = "json"
-
+  bufferingSize = 0
   [accessLog.filters]
     statusCodes = ["200", "300-302"]
     retryAttempts = true
-
+    minDuration = "0s"
   [accessLog.fields]
     defaultMode = "keep"
     [accessLog.fields.names]
-      "ClientUsername" = "drop"
-
+      ClientUsername = "drop"
     [accessLog.fields.headers]
       defaultMode = "keep"
       [accessLog.fields.headers.names]
-        "User-Agent" = "redact"
-        "Authorization" = "drop"
-        "Content-Type" = "keep"
+        Authorization = "drop"
+        Content-Type = "keep"
+        User-Agent = "redact"
+
+[certificatesResolvers]
+  [certificatesResolvers.default]
+    [certificatesResolvers.default.acme]
+      email = "bgates@microsoft.com"
+      storage = "/acme/acme.json"
+      [certificatesResolvers.default.acme.dnsChallenge]
+        provider = "godaddy"
+        delayBeforeCheck = "30m0s"
+        #entryPoint = "https"