Help me config forward auth (with keycloak) correctly

Hi there, I am for sure doing some things badly. My goal would be to use Traefik to forward auth requests to my services with Keycloak; with the sample paste bin in my browser it works (it requires Keycloak login).
But I want to be able to auth the API requests to my services running in .NET too. Also, I heard I could hide them behind Traefik so they shouldn't even need to require SSL/HTTPS because they sit behind the authorization process. Currently, when I generate an access token and put it in Postman as the bearer token, I still get the Keycloak login page returned as the response. Is it a Keycloak setup or a docker-compose setup issue?
Also, do I need to put [Authorize] on my controllers if I have already added the Keycloak middleware on the service as forward auth?
Here is my docker-compose:
```yaml
secrets:
    cloudflare-token:
        file: "./secrets/cloudflare-token.secret"
    cloudflare-email:
        file: "./secrets/cloudflare-email.secret"

services:
    traefik:
        image: "traefik:v2.11"
        restart: always
        container_name: "traefik"
        networks:
            - mynetwork
        command:
            - "--log.level=DEBUG"
            - --providers.docker=true
            - --providers.docker.exposedbydefault=false
            - --api.dashboard=true
            #- --insecureSkipVerify=true
            # Set up LetsEncrypt certificate resolver
            - --certificatesresolvers.letsencrypt.acme.dnschallenge=true
            - --certificatesresolvers.letsencrypt.acme.dnschallenge.provider=cloudflare
            - --certificatesResolvers.letsencrypt.acme.dnschallenge.resolvers=1.1.1.1:53,1.0.0.1:53
            - --certificatesResolvers.letsencrypt.acme.dnschallenge.delayBeforeCheck=20
            - --certificatesresolvers.letsencrypt.acme.email=[myemail]@gmail.com
            - --certificatesresolvers.letsencrypt.acme.storage=/letsencrypt/acme.json
            # staging environment of LE, remove for real certs
            #- --certificatesresolvers.letsencrypt.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory
            - --certificatesresolvers.letsencrypt.acme.caserver=https://acme-v02.api.letsencrypt.org/directory
            # Set up an insecure listener that redirects all traffic to TLS
            - --entrypoints.web.address=:80
            - --entrypoints.websecure.address=:443
            - --entrypoints.web.http.redirections.entrypoint.to=websecure
            - --entrypoints.web.http.redirections.entrypoint.scheme=https
            # - --entrypoints.websecure.http.middlewares=traefik-forward-auth
            # Set up the TLS configuration for our websecure listener
            - --entrypoints.websecure.http.tls=true
            - --entrypoints.websecure.http.tls.certResolver=letsencrypt
            - --entrypoints.websecure.http.tls.domains[0].main=mydomain.com
            - --entrypoints.websecure.http.tls.domains[0].sans=*.mydomain.com
        secrets:
            - "cloudflare-token"
            - "cloudflare-email"
        environment:
            - "CF_DNS_API_TOKEN_FILE=/run/secrets/cloudflare-token"
            - "CF_API_EMAIL_FILE=/run/secrets/cloudflare-email"
        ports:
            - "80:80"
            - "443:443"
        volumes:
            - "./certs:/letsencrypt"
            - "/var/run/docker.sock:/var/run/docker.sock:ro"
        labels:
            - "traefik.enable=true"
            - "traefik.http.routers.traefik.rule=Host(`traefik.dev.mydomain.com`)"
            - "traefik.http.routers.traefik.entrypoints=websecure"
            - "traefik.http.routers.traefik.service=api@internal"
            - "traefik.http.routers.traefik.tls.certresolver=letsencrypt"
            - "traefik.http.routers.traefik.middlewares=traefik-auth"
            - "traefik.http.middlewares.traefik-auth.basicauth.users=user:{SHA}Et6pb+wgWTVmq3VpLJlJWWgzrck="

    paste-bin:
        container_name: paste-bin
        image: ghcr.io/enchant97/hasty-paste:latest
        restart: unless-stopped
        depends_on:
            - traefik-forward-auth
        networks:
            - mynetwork
        labels:
            - "traefik.enable=true"
            - 'traefik.http.routers.paste.rule=Host(`paste.dev.mydomain.com`)'
            - "traefik.http.routers.paste.entrypoints=websecure"
            - "traefik.http.routers.paste.tls.certresolver=letsencrypt"
            - "traefik.http.routers.paste.middlewares=forwardauth"

    traefik-forward-auth:
        image: mesosphere/traefik-forward-auth
        container_name: traefik-forward-auth
        restart: on-failure
        depends_on:
            - traefik
            - keycloak
        environment:
            - TZ=Europe/Berlin
            - SECRET=secret
            - PROVIDER_URI=https://keycloak.dev.mydomain.com/realms/myrealm
            - CLIENT_ID=flutter-client
            - CLIENT_SECRET=secrettt
            - COOKIE_DOMAIN=https://dev.mydomain.com
            - DISABLE_SSL_VERIFICATION=true
            - INSECURE_COOKIE=1
            - ENCRYPTION_KEY=key
            - SCOPE=profile email openid
        networks:
            - mynetwork
        labels:
            - "traefik.enable=true"
            - "traefik.docker.network=web"
            - "traefik.http.services.traefik-forward-auth.loadbalancer.server.port=4181"
            - "traefik.http.routers.traefik-forward-auth.entrypoints=websecure"
            - "traefik.http.routers.traefik-forward-auth.middlewares=forwardauth"
            - "traefik.http.middlewares.forwardauth.forwardauth.address=http://traefik-forward-auth:4181"
            - "traefik.http.middlewares.forwardauth.forwardauth.authResponseHeaders=X-Forwarded-User"
            - "traefik.http.middlewares.forwardauth.forwardauth.trustForwardHeader=true"

    keycloak:
        image: quay.io/keycloak/keycloak:24.0
        container_name: keycloak
        hostname: keycloak
        environment:
            - KC_HOSTNAME_STRICT=false
            - KC_DB=postgres
            - KC_DB_URL=jdbc:postgresql://keycloakdb/keycloak
            - KC_DB_URL_PORT=5432
            - KC_DB_USERNAME=keycloak
            - KC_DB_PASSWORD=password
            - KC_DB_SCHEMA=public
            - KC_LOG_LEVEL=info
            - KC_FEATURES=docker
            - KEYCLOAK_ADMIN=admin
            - KEYCLOAK_ADMIN_PASSWORD=password
            - KC_PROXY=edge
        networks:
            - mynetwork
        depends_on:
            - traefik
            - keycloakdb
        labels:
            - "traefik.enable=true"
            - "traefik.http.routers.keycloak.rule=Host(`keycloak.dev.mydomain.com`)"
            - "traefik.http.routers.keycloak.entrypoints=websecure"
            - "traefik.http.routers.keycloak.tls.certresolver=letsencrypt"
        entrypoint: ["/opt/keycloak/bin/kc.sh", "start-dev"]

    events:
        image: ${DOCKER_REGISTRY-}eventsapi
        build:
            context: .
            dockerfile: Events/Events.Api/Dockerfile
        ports:
            - "8080"
        environment:
            - "EventBusSettings:HostAddress=amqp://guest:guest@rabbitmq:5672"
        labels:
            - "traefik.enable=true"
            - "traefik.http.routers.events.rule=Host(`api.dev.mydomain.com`) && PathPrefix(`/api/events`)"
            - "traefik.http.routers.events.middlewares=forwardauth"
        networks:
            - mynetwork
        depends_on:
            - traefik
            - mongodb
            - rabbitmq
```
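As an added illustration of the forwardAuth contract behind the Postman symptom in the question (example code, not the forum's or any project's own): Traefik hands each request's headers to the auth service, lets the request through only on a 2xx, and copies `X-Forwarded-User` (the `authResponseHeaders` value above) to the backend; any other reply is returned to the client, which is how a browser login redirect ends up as an API response. The issuer and client id reuse the compose values; the HS256 key, session store and tokens are constructed so the example runs offline.

```python
import base64, hashlib, hmac, json
from urllib.parse import quote

# Constructed values for this example; real Keycloak tokens are RS256 and
# would be verified against the realm's JWKS, not a shared HS256 key.
ISSUER = "https://keycloak.dev.mydomain.com/realms/myrealm"
AUDIENCE = "flutter-client"
HS_KEY = b"constructed-shared-secret"
LOGIN_URL = ISSUER + "/protocol/openid-connect/auth"

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()
def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def make_token(claims: dict) -> str:
    """Mint a toy HS256 JWT so the example runs offline (test helper only)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(HS_KEY, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"

def verify_token(token: str, now: float):
    """Return the claims if signature, iss, aud and exp all check out, else None."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header, body, sig = parts
    expected = hmac.new(HS_KEY, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        return None
    claims = json.loads(_b64url_decode(body))
    aud = claims.get("aud")
    aud_ok = aud == AUDIENCE or (isinstance(aud, list) and AUDIENCE in aud)
    if claims.get("iss") != ISSUER or not aud_ok or claims.get("exp", 0) <= now:
        return None
    return claims

def forward_auth(headers: dict, sessions: dict, now: float):
    """Auth-service decision behind forwardAuth, as (status, headers). Traefik lets
    the request through only on 2xx and copies X-Forwarded-User to the backend."""
    user = sessions.get(headers.get("Cookie", ""))      # browser SSO cookie path
    if user:
        return 200, {"X-Forwarded-User": user}
    auth = headers.get("Authorization", "")
    if auth.startswith("Bearer "):                      # API client path
        claims = verify_token(auth[len("Bearer "):], now)
        if claims:
            return 200, {"X-Forwarded-User": claims.get("preferred_username", claims["sub"])}
        # 401 is what an API client should see; a cookie-only auth service falls to the 302 below.
        return 401, {"WWW-Authenticate": 'Bearer error="invalid_token"'}
    # No credentials: redirect the browser to Keycloak. The target is rebuilt from
    # X-Forwarded-*, so only Traefik may be allowed to reach this service.
    target = f"{headers.get('X-Forwarded-Proto', 'https')}://{headers.get('X-Forwarded-Host', '')}{headers.get('X-Forwarded-Uri', '/')}"
    return 302, {"Location": f"{LOGIN_URL}?redirect_uri={quote(target, safe='')}"}
```

Run against a request carrying only an `Authorization: Bearer` header, a cookie-only implementation takes the final branch and answers 302, which Postman shows as the login page.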

Please use 3 backticks before and after code/config to make it more readable.


couldn't find how to edit the original post but here is my code

Yaml is space sensitive, this seems wrong.

Just copied it from the post.... that's why. If you really want me to, I can make one where the indentations are perfect.

Traefik is not a "no-effort" solution.

```yaml
version: '3.4'

secrets:
    cloudflare-token:
        file: "./secrets/cloudflare-token.secret"
    cloudflare-email:
        file: "./secrets/cloudflare-email.secret"

services:
    traefik:
        image: "traefik:v2.11"
        restart: always
        container_name: "traefik"
        networks:
            - mynetwork
        command:
            - "--log.level=DEBUG"
            - --providers.docker=true
            - --providers.docker.exposedbydefault=false
            - --api.dashboard=true
            #- --insecureSkipVerify=true
            # Set up LetsEncrypt certificate resolver
            - --certificatesresolvers.letsencrypt.acme.dnschallenge=true
            - --certificatesresolvers.letsencrypt.acme.dnschallenge.provider=cloudflare
            - --certificatesResolvers.letsencrypt.acme.dnschallenge.resolvers=1.1.1.1:53,1.0.0.1:53
            - --certificatesResolvers.letsencrypt.acme.dnschallenge.delayBeforeCheck=20
            - --certificatesresolvers.letsencrypt.acme.email=[myemail]@gmail.com
            - --certificatesresolvers.letsencrypt.acme.storage=/letsencrypt/acme.json
            # staging environment of LE, remove for real certs
            #- --certificatesresolvers.letsencrypt.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory
            - --certificatesresolvers.letsencrypt.acme.caserver=https://acme-v02.api.letsencrypt.org/directory
            # Set up an insecure listener that redirects all traffic to TLS
            - --entrypoints.web.address=:80
            - --entrypoints.websecure.address=:443
            - --entrypoints.web.http.redirections.entrypoint.to=websecure
            - --entrypoints.web.http.redirections.entrypoint.scheme=https
            # - --entrypoints.websecure.http.middlewares=traefik-forward-auth
            # Set up the TLS configuration for our websecure listener
            - --entrypoints.websecure.http.tls=true
            - --entrypoints.websecure.http.tls.certResolver=letsencrypt
            - --entrypoints.websecure.http.tls.domains[0].main=mydomain.com
            - --entrypoints.websecure.http.tls.domains[0].sans=*.mydomain.com
        secrets:
            - "cloudflare-token"
            - "cloudflare-email"
        environment:
            - "CF_DNS_API_TOKEN_FILE=/run/secrets/cloudflare-token"
            - "CF_API_EMAIL_FILE=/run/secrets/cloudflare-email"
        ports:
            - "80:80"
            - "443:443"
        volumes:
            - "./certs:/letsencrypt"
            - "/var/run/docker.sock:/var/run/docker.sock:ro"
        labels:
            - "traefik.enable=true"
            - "traefik.http.routers.traefik.rule=Host(`traefik.dev.mydomain.com`)"
            - "traefik.http.routers.traefik.entrypoints=websecure"
            - "traefik.http.routers.traefik.service=api@internal"
            - "traefik.http.routers.traefik.tls.certresolver=letsencrypt"
            - "traefik.http.routers.traefik.middlewares=traefik-auth"
            - "traefik.http.middlewares.traefik-auth.basicauth.users=user:{SHA}Et6pb+wgWTVmq3VpLJlJWWgzrck="

    paste-bin:
        container_name: paste-bin
        image: ghcr.io/enchant97/hasty-paste:latest
        restart: unless-stopped
        depends_on:
            - traefik-forward-auth
        networks:
            - mynetwork
        labels:
            - "traefik.enable=true"
            - 'traefik.http.routers.paste.rule=Host(`paste.dev.mydomain.com`)'
            - "traefik.http.routers.paste.entrypoints=websecure"
            - "traefik.http.routers.paste.tls.certresolver=letsencrypt"
            - "traefik.http.routers.paste.middlewares=forwardauth"

    traefik-forward-auth:
        image: mesosphere/traefik-forward-auth
        container_name: traefik-forward-auth
        restart: on-failure
        depends_on:
            - traefik
            - keycloak
        environment:
            - TZ=Europe/Berlin
            - SECRET=secret
            - PROVIDER_URI=https://keycloak.dev.mydomain.com/realms/myrealm
            - CLIENT_ID=flutter-client
            - CLIENT_SECRET=secrettt
            - COOKIE_DOMAIN=https://dev.mydomain.com
            - DISABLE_SSL_VERIFICATION=true
            - INSECURE_COOKIE=1
            - ENCRYPTION_KEY=key
            - SCOPE=profile email openid
        networks:
            - mynetwork
        labels:
            - "traefik.enable=true"
            - "traefik.docker.network=web"
            - "traefik.http.services.traefik-forward-auth.loadbalancer.server.port=4181"
            - "traefik.http.routers.traefik-forward-auth.entrypoints=websecure"
            - "traefik.http.routers.traefik-forward-auth.middlewares=forwardauth"
            - "traefik.http.middlewares.forwardauth.forwardauth.address=http://traefik-forward-auth:4181"
            - "traefik.http.middlewares.forwardauth.forwardauth.authResponseHeaders=X-Forwarded-User"
            - "traefik.http.middlewares.forwardauth.forwardauth.trustForwardHeader=true"

    keycloak:
        image: quay.io/keycloak/keycloak:24.0
        container_name: keycloak
        hostname: keycloak
        environment:
            - KC_HOSTNAME_STRICT=false
            - KC_DB=postgres
            - KC_DB_URL=jdbc:postgresql://keycloakdb/keycloak
            - KC_DB_URL_PORT=5432
            - KC_DB_USERNAME=keycloak
            - KC_DB_PASSWORD=password
            - KC_DB_SCHEMA=public
            - KC_LOG_LEVEL=info
            - KC_FEATURES=docker
            - KEYCLOAK_ADMIN=admin
            - KEYCLOAK_ADMIN_PASSWORD=password
            - KC_PROXY=edge
        networks:
            - mynetwork
        depends_on:
            - traefik
            - keycloakdb
        labels:
            - "traefik.enable=true"
            - "traefik.http.routers.keycloak.rule=Host(`keycloak.dev.mydomain.com`)"
            - "traefik.http.routers.keycloak.entrypoints=websecure"
            - "traefik.http.routers.keycloak.tls.certresolver=letsencrypt"
        entrypoint: ["/opt/keycloak/bin/kc.sh", "start-dev"]

    events:
        image: ${DOCKER_REGISTRY-}eventsapi
        build:
            context: .
            dockerfile: Events/Events.Api/Dockerfile
        ports:
            - "8080"
        environment:
            - "EventBusSettings:HostAddress=amqp://guest:guest@rabbitmq:5672"
        labels:
            - "traefik.enable=true"
            - "traefik.http.routers.events.rule=Host(`api.dev.mydomain.com`) && PathPrefix(`/api/events`)"
            - "traefik.http.routers.events.middlewares=forwardauth"
        networks:
            - mynetwork
        depends_on:
            - traefik
            - mongodb
            - rabbitmq
```

Hope this helps ^^

How do you define the Docker network?

Note: I would get rid of all those `depends_on`; that doesn't work when scaling beyond one machine. And when one service fails, nothing works anymore.

```yaml
networks:
  mynetwork:
    driver: bridge

volumes:
  mongo-data:
  keycloakdata:
  elasticsearch-data:
```

Some data might not have been shown in the previous parts; I tried not to include parts that are not relevant.
Why would you get rid of `depends_on`? I mean, which one wouldn't work? My services do rely on them, in my opinion, which is why I put `depends_on`. But I guess that's irrelevant to my original question whatsoever.