Configure Traefik proxy to redirect WordPress to a Keycloak forwardauth middleware for authentication before accessing the site

We have set up a Traefik proxy Docker container and a WordPress Docker container on our server. We also have a domain; when we call this domain, it redirects to port 80 of the Traefik container, which redirects it to the WordPress site. Up to here the task is complete. The project is for authentication purposes: whenever the WordPress site loads, it should redirect to the forwardauth middleware, which should then forward to the Keycloak container, ask for the user name and password, fetch them from the DB, and authenticate the user for the WordPress site.

Code:

```yaml
version: '3'

services:
  traefik:
    image: traefik:v2.4
    command:
      - "--api.insecure=true"
      - "--providers.docker=true"
      - "--providers.docker.exposedbydefault=false"
      - "--providers.docker.network=traefik_network"
      - "--entrypoints.http.address=:80"
    ports:
      - "80:80"
      - "8080:8080"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.traefik.rule=Host(`roshan.live`) && PathPrefix(`/db`)"
      - "traefik.http.routers.traefik.entrypoints=http"
      - "traefik.port=8080"
    networks:
      - traefik_network

  wordpress:
    image: wordpress
    restart: always
    environment:
      WORDPRESS_DB_HOST: mysql
      WORDPRESS_DB_USER: wpuser
      WORDPRESS_DB_PASSWORD: wppassword
      WORDPRESS_DB_NAME: wpdb
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.wordpress.rule=Host(`roshan.live`)"
      - "traefik.http.routers.wordpress.entrypoints=http"
      - "traefik.port=80"
    networks:
      - traefik_network
    volumes:
      - wp-data:/var/www/html

  mysql:
    image: mysql:5.7
    restart: always
    environment:
      MYSQL_ROOT_PASSWORD: rootpassword
      MYSQL_DATABASE: wpdb
      MYSQL_USER: wpuser
      MYSQL_PASSWORD: wppassword
    volumes:
      - mysql_data:/var/lib/mysql
    networks:
      - traefik_network

networks:
  traefik_network:
    external: true

volumes:
  wp-data:
  mysql_data:
```

Share your full Traefik static and dynamic config, and docker-compose.yml if used.

Format your code with 3 backticks in front and after, or select the code and press </> . In yaml every space matters. And it makes it so much more readable for people trying to help you.

```yaml
version: '3'

services:
  traefik:
    image: traefik:v2.4
    command:
      - "--api.insecure=true"
      - "--providers.docker=true"
      - "--providers.docker.exposedbydefault=false"
      - "--providers.docker.network=traefik_network"
      - "--entrypoints.http.address=:80"
    ports:
      - "80:80"
      - "8080:8080"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.traefik.rule=Host(`domain.com`) && PathPrefix(`/db`)"
      - "traefik.http.routers.traefik.entrypoints=http"
      - "traefik.port=8080"
    networks:
      - traefik_network

  wordpress:
    image: wordpress
    restart: always
    environment:
      WORDPRESS_DB_HOST: mysql
      WORDPRESS_DB_USER: wpuser
      WORDPRESS_DB_PASSWORD: wppassword
      WORDPRESS_DB_NAME: wpdb
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.wordpress.rule=Host(`domain.com`)"
      - "traefik.http.routers.wordpress.entrypoints=http"
      - "traefik.port=80"
    networks:
      - traefik_network
    volumes:
      - wp-data:/var/www/html

  mysql:
    image: mysql:5.7
    restart: always
    environment:
      MYSQL_ROOT_PASSWORD: rootpassword
      MYSQL_DATABASE: wpdb
      MYSQL_USER: wpuser
      MYSQL_PASSWORD: wppassword
    volumes:
      - mysql_data:/var/lib/mysql
    networks:
      - traefik_network

networks:
  traefik_network:
    external: true

volumes:
  wp-data:
  mysql_data:
```

@bluepuma77 Thank you for the reply.
I have shared the above code with correct indentation. We are accessing http://domain.com and we are getting the WordPress page using the above code.
We need to access it through https://domain.com, but it is not working when setting the entrypoint to https and port 443.
Please mention what changes should be made in this code to access Traefik through https://domain.com.
Also, kindly mention how to configure the forward auth middleware for forwarding this to Keycloak authentication.

For me the indentation is broken and not displayed in your last post, but it is important to see if a yaml file is correct.

To use a http->https forward check this simple Traefik example.

For ForwardAuth read the corresponding Traefik ForwardAuth doc. To set Traefik up with Keycloak, just check one of the many tutorials on the Internet (example 1, 2, 3).

```yaml
version: '3'

services:
  traefik:
    image: traefik:v2.4
    restart: always
    command:
      - "--api.insecure=true"
      - "--providers.docker=true"
      - "--providers.docker.exposedbydefault=false"
      - "--providers.docker.network=traefik_network"
      - "--entrypoints.http.address=:80"
      - "--entrypoints.https.address=:443"  # Add HTTPS entrypoint
      - "--certificatesresolvers.myresolver.acme.tlschallenge=true"
      - "--certificatesresolvers.myresolver.acme.email=roshanofficial27@gmail.com"
      - "--certificatesresolvers.myresolver.acme.storage=/letsencrypt/acme.json"
      - "--certificatesresolvers.myresolver.acme.httpchallenge.entrypoint=http"
    ports:
      - "80:80"
      - "443:443" # Map the HTTPS port
      - "8080:8080"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - ./letsencrypt:/letsencrypt # Mount a directory for Let's Encrypt data
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.traefik.rule=Host(`roshan.live`) && PathPrefix(`/db`)"
      - "traefik.http.routers.traefik.entrypoints=http,https" # Allow both HTTP and HTTPS
      - "traefik.http.routers.traefik.tls.certresolver=myresolver" # Use the certificate resolver
      - "traefik.port=8080"
    networks:
      - traefik_network

  wordpress:
    image: wordpress
    restart: always
    environment:
      WORDPRESS_DB_HOST: mysql
      WORDPRESS_DB_USER: wpuser
      WORDPRESS_DB_PASSWORD: wppassword
      WORDPRESS_DB_NAME: wpdb
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.wordpress.rule=Host(`roshan.live`)"
      - "traefik.http.routers.wordpress.entrypoints=http,https" # Allow both HTTP and HTTPS
      - "traefik.http.routers.wordpress.tls.certresolver=myresolver" # Use the certificate resolver
      - "traefik.port=80"
    networks:
      - traefik_network
    volumes:
      - wp-data:/var/www/html

  mysql:
    image: mysql:5.7
    restart: always
    environment:
      MYSQL_ROOT_PASSWORD: rootpassword
      MYSQL_DATABASE: wpdb
      MYSQL_USER: wpuser
      MYSQL_PASSWORD: wppassword
    volumes:
      - mysql_data:/var/lib/mysql
    networks:
      - traefik_network

networks:
  traefik_network:
    external: true

volumes:
  wp-data:
  mysql_data:
```

@bluepuma77 The above code is working, but I am not able to correct the indentation. I am attaching a GitHub link; it has the docker compose to load WordPress in https, and the Keycloak container setting command also.

I need to configure the forwardauth middleware for getting authentication on the WordPress page using Keycloak. I have configured forwardauth by referring to the documents you shared above, but it is not working. I have also attached that file. Please refer to it and help.

Format your code with 3 backticks in front and after, or select the code and press </> . In yaml every space matters. And it makes it so much more readable for people trying to help you.

Not sure what this should be doing on Traefik:

      - "traefik.http.routers.traefik.rule=Host(`roshan.live`) && PathPrefix(`/db`)"

Traefik container does not respond to that URL, you would only get a 404 error.

For the service you want to protect, you need to add the middleware in the services labels (doc):

  - "traefik.http.middlewares.test-auth.forwardauth.address=https://example.com/auth"

But note that you can't do any role management with this, as WordPress would need to support getting the user/role data via headers. So you can only grant access to WordPress or not at all.

For more guidance just check any tutorial on Traefik/Keycloak: 1, 2, 3
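
One way to wire up the middleware described above, as an added example that is not part of the original posts: the middleware is defined in one label and attached to the `wordpress` router in another. The `forward-auth` helper container (thomseddon/traefik-forward-auth, picked here as an assumption), the HTTPS-only entrypoint and every `*_PLACEHOLDER` value are assumptions, not values from the thread.

```yaml
# Added example: fragment to merge into the compose file from this thread.
# Assumed, not from the thread: the "forward-auth" helper container, its image
# and environment variables, and every *_PLACEHOLDER value.
services:
  forward-auth:
    image: thomseddon/traefik-forward-auth:2
    restart: always
    environment:
      DEFAULT_PROVIDER: oidc
      # Issuer URL of the Keycloak realm (depends on your Keycloak setup).
      PROVIDERS_OIDC_ISSUER_URL: KEYCLOAK_REALM_ISSUER_URL_PLACEHOLDER
      PROVIDERS_OIDC_CLIENT_ID: CLIENT_ID_PLACEHOLDER
      PROVIDERS_OIDC_CLIENT_SECRET: CLIENT_SECRET_PLACEHOLDER
      # Random value used to sign the session cookie.
      SECRET: COOKIE_SIGNING_SECRET_PLACEHOLDER
    networks:
      - traefik_network

  wordpress:
    image: wordpress
    networks:
      - traefik_network
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.wordpress.rule=Host(`roshan.live`)"
      # HTTPS only, so the session cookie never travels in clear text.
      - "traefik.http.routers.wordpress.entrypoints=https"
      - "traefik.http.routers.wordpress.tls.certresolver=myresolver"
      # 1. Define the middleware: Traefik asks this address about every request
      #    and only passes it on to WordPress when the answer is 2xx.
      #    With this helper, the Keycloak client's redirect URI is
      #    https://roshan.live/_oauth (the helper's default callback path).
      - "traefik.http.middlewares.test-auth.forwardauth.address=http://forward-auth:4181"
      # Copy the authenticated user from the auth response into the backend request.
      - "traefik.http.middlewares.test-auth.forwardauth.authResponseHeaders=X-Forwarded-User"
      # 2. Attach it to the router. A middleware that is defined but not
      #    attached leaves the site unprotected.
      - "traefik.http.routers.wordpress.middlewares=test-auth"

networks:
  traefik_network:
    external: true
```

This only gates the `wordpress` router: the dashboard that `--api.insecure=true` serves on the published port 8080 stays reachable without authentication.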

Hi Roshan,

instead of using a forwardauth middleware you could also use oauth2-proxy and chain it between Traefik and WordPress.