Hello again,
I'm trying to use LDAP authentication with nginx-ldap-auth and Jumpcloud.
Here is the config:
traefik:
  command:
    - --accesslog=true
    - --api.dashboard=true
    # docker
    - --providers.docker=true
    - --providers.docker.network=${COMPOSE_PROJECT_NAME}_backend
    # file dynamic conf
    - --providers.file.directory=/etc/traefik/conf
    - --providers.file.watch=true
    # acme
    - --certificatesResolvers.cf.acme.email=${EMAIL}
    - --certificatesResolvers.cf.acme.storage=/etc/traefik/acme.json
    - --certificatesResolvers.cf.acme.dnsChallenge=true
    - --certificatesResolvers.cf.acme.dnsChallenge.provider=cloudflare
    # entrypoints
    - --entryPoints.http.address=:80
    - --entryPoints.https.address=:443
    - --log.level=INFO
  depends_on:
    - ldap_auth
  environment:
    - "CLOUDFLARE_EMAIL=${CF_MAIL}"
    - "CLOUDFLARE_API_KEY=${CF_KEY}"
  image: traefik:cantal
  labels:
    # middleware redirect
    - "traefik.http.middlewares.https-redirect.redirectscheme.scheme=https"
    # global redirect to https
    - "traefik.http.routers.upgrade.rule=hostregexp(`{host:.+}`)"
    - "traefik.http.routers.upgrade.entrypoints=http"
    - "traefik.http.routers.upgrade.middlewares=https-redirect"
    - "traefik.http.routers.api.middlewares=ldap-auth"
    - "traefik.http.routers.api.tls=true"
    - "traefik.http.routers.api.tls.certresolver=cf"
    - "traefik.http.routers.api.tls.domains[0].main=${DOMAIN}"
    - "traefik.http.routers.api.tls.domains[0].sans=*.${DOMAIN}"
    - "traefik.http.routers.api.rule=Host(`traefik.${DOMAIN}`)"
    - "traefik.http.routers.api.service=api@internal"
    - "traefik.http.middlewares.ldap-auth.forwardauth.address=http://${DOMAIN}/auth"
  networks:
    - backend
    - default
  ports:
    - "80:80" # The HTTP port
    - "443:443" # The HTTPS port
  restart: unless-stopped
  volumes:
    - "/var/run/docker.sock:/var/run/docker.sock:ro" # So that Traefik can listen to the Docker events
    - "${MOUNT}/traefik:/etc/traefik"
ldap_auth:
  command: >-
    python /usr/src/app/nginx-ldap-auth-daemon.py
    --host 0.0.0.0
    --url ldap://ldap.jumpcloud.com:389
    --starttls starttls
    -b "${LDAP_BASEDN}"
    -D "${LDAP_BINDDN}"
    -w "${LDAP_PASS}"
    --filter "uid=%(username)s"
  expose:
    - "8888"
  image: devster31/nginx-ldap-auth
  labels:
    - "traefik.http.routers.nginx-ldap-auth.rule=PathPrefix(`/auth`)"
    - "traefik.http.routers.nginx-ldap-auth.tls=true"
    - "traefik.http.routers.nginx-ldap-auth.tls.certresolver=cf"
    - "traefik.http.routers.nginx-ldap-auth.middlewares=cors-header"
    - "traefik.http.middlewares.cors-header.headers.accesscontrolalloworigin=*"
  networks:
    - backend
  restart: unless-stopped
and here is the issue:
curl --head -L http://alioth.ovh/auth
HTTP/1.1 307 Temporary Redirect
Location: https://alioth.ovh/auth
Date: Sun, 12 Jan 2020 02:55:08 GMT
Content-Length: 18
Content-Type: text/plain; charset=utf-8
HTTP/2 501
access-control-allow-origin: *
content-type: text/html
date: Sun, 12 Jan 2020 02:55:08 GMT
server: BaseHTTP/0.3 Python/2.7.16
I believe the catch-all https redirect is forcing the request to nginx-ldap-auth as https instead of http, and that the former isn't supported by the daemon.
Is this the case?
Would there be a way to disable the catch-all for a single service or force the TLS termination before making the request to the backend?
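As an added illustration of the second question (this is not the poster's configuration and not from the nginx-ldap-auth project): a forwardAuth address does not have to go through a public entrypoint at all. Traefik and the daemon already share the `backend` network in the compose file above, so the middleware can address the `ldap_auth` container by its service name and port `8888` directly. That hop then never touches the `http` entrypoint, the `upgrade` catch-all router or TLS, and the daemon no longer needs its own publicly routed `/auth` router. The `traefik.enable=false` label and the `entrypoints=https` label are assumptions added here; every other name comes from the config above.

```yaml
# Added example (not the poster's config): forwardAuth over the internal
# Docker network instead of via the public hostname.
traefik:
  labels:
    - "traefik.http.routers.api.rule=Host(`traefik.${DOMAIN}`)"
    - "traefik.http.routers.api.entrypoints=https"
    - "traefik.http.routers.api.tls.certresolver=cf"
    - "traefik.http.routers.api.service=api@internal"
    - "traefik.http.routers.api.middlewares=ldap-auth"
    # Assumed change: the auth request is sent straight to the container on
    # the shared "backend" network, so no entrypoint or redirect is involved
    # and plain http to the daemon is exactly what it expects.
    - "traefik.http.middlewares.ldap-auth.forwardauth.address=http://ldap_auth:8888/"
  networks:
    - backend

ldap_auth:
  # Assumed: with no router of its own the daemon is reachable only from
  # inside the network; the PathPrefix(`/auth`) router and the CORS
  # middleware from the original config are therefore dropped.
  labels:
    - "traefik.enable=false"
  expose:
    - "8888"
  networks:
    - backend
```

The client-facing flow is unchanged: a request to the dashboard still arrives over HTTPS, Traefik calls the daemon over the private network, and a non-2xx reply from the daemon (for example its 401 with a `WWW-Authenticate` challenge) is returned to the client as before.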