I have created a working Traefik–Keycloak forward-auth sample

I had months of trouble with this; I hope it will help some of you. Disclaimer: I needed a domain on Cloudflare. This is probably solvable on localhost as well; I will try that later too.
https://github.com/Astrohelo/traefik-forward-auth-keycloak
I also put my docker-compose here:

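version: '3.4'
# This video helps with the Cloudflare setup: https://www.youtube.com/watch?v=Ivxk6SuItbU&ab_channel=TechwithMarco
#
# Placeholder values are marked "CHANGE HERE". The real secrets (OIDC client
# secret, cookie signing/encryption keys, database and admin passwords) should
# not live in a committed compose file: keep them in an untracked .env file
# (Compose substitutes ${VAR} from it) or in Docker secrets, as is already done
# for the Cloudflare credentials below.
secrets:
  cloudflare-token:
    file: "./secrets/cloudflare-token.secret"
  cloudflare-email:
    file: "./secrets/cloudflare-email.secret"

services:
  traefik:
    image: "traefik:v2.11"
    restart: always
    container_name: "traefik"
    networks:
      - mynetwork
    command:
      # DEBUG logs request details and headers; drop to INFO once the setup works.
      - "--log.level=DEBUG"
      - "--providers.docker=true"
      - "--providers.docker.exposedbydefault=false"
      - "--api.dashboard=true"
      # Let's Encrypt via the Cloudflare DNS challenge (required for the wildcard cert).
      - "--certificatesresolvers.letsencrypt.acme.dnschallenge=true"
      - "--certificatesresolvers.letsencrypt.acme.dnschallenge.provider=cloudflare"
      - "--certificatesresolvers.letsencrypt.acme.dnschallenge.resolvers=1.1.1.1:53,1.0.0.1:53"
      - "--certificatesresolvers.letsencrypt.acme.dnschallenge.delayBeforeCheck=20"
      - "--certificatesresolvers.letsencrypt.acme.email=youremail@gmail.com"  # CHANGE HERE
      - "--certificatesresolvers.letsencrypt.acme.storage=/letsencrypt/acme.json"
      # Use the staging CA while testing (avoids Let's Encrypt rate limits);
      # switch to the production URL below for real certificates.
      # - "--certificatesresolvers.letsencrypt.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory"
      - "--certificatesresolvers.letsencrypt.acme.caserver=https://acme-v02.api.letsencrypt.org/directory"
      # Plain-HTTP listener whose only job is to redirect to TLS.
      - "--entrypoints.web.address=:80"
      - "--entrypoints.websecure.address=:443"
      - "--entrypoints.web.http.redirections.entrypoint.to=websecure"
      - "--entrypoints.web.http.redirections.entrypoint.scheme=https"
      # Optional: protect every websecure router by default instead of per-service
      # labels. The middleware defined below is called "forwardauth"; static-config
      # references need the provider suffix.
      # - "--entrypoints.websecure.http.middlewares=forwardauth@docker"
      # TLS configuration for the websecure listener.
      - "--entrypoints.websecure.http.tls=true"
      - "--entrypoints.websecure.http.tls.certResolver=letsencrypt"
      - "--entrypoints.websecure.http.tls.domains[0].main=yourdomain.org"  # CHANGE HERE
      - "--entrypoints.websecure.http.tls.domains[0].sans=*.yourdomain.org"  # CHANGE HERE
    secrets:
      - "cloudflare-token"
      - "cloudflare-email"
    environment:
      - "CF_DNS_API_TOKEN_FILE=/run/secrets/cloudflare-token"
      - "CF_API_EMAIL_FILE=/run/secrets/cloudflare-email"
    ports:
      - "80:80"
      - "443:443"
    volumes:
      # Create ./certs first. acme.json contains the certificate private keys.
      - "./certs:/letsencrypt"
      # A read-only socket mount still gives full Docker API access (root-equivalent
      # on the host); a socket proxy limits that if Traefik faces untrusted traffic.
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.traefik.rule=Host(`traefik.dev.yourdomain.org`)"  # CHANGE HERE
      - "traefik.http.routers.traefik.entrypoints=websecure"
      - "traefik.http.routers.traefik.service=api@internal"
      - "traefik.http.routers.traefik.tls.certresolver=letsencrypt"
      - "traefik.http.routers.traefik.middlewares=traefik-auth"
      # Basic auth for the dashboard. "user" is the login name; the part after ":"
      # is the password hash. Generate it locally (e.g. `htpasswd -nB user`, bcrypt)
      # rather than with an online tool, and double every "$" in the hash so Compose
      # does not treat it as variable substitution. Remove the two lines if you do
      # not want the dashboard protected this way.
      - "traefik.http.middlewares.traefik-auth.basicauth.users=user:{SHA}EtfyZU+wgWTV563pLJlJWWgyzDSck="  # CHANGE HERE

  paste-bin:
    container_name: paste-bin
    image: ghcr.io/enchant97/hasty-paste:latest
    restart: unless-stopped
    depends_on:
      - traefik-forward-auth
    networks:
      - mynetwork
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.paste.rule=Host(`paste.dev.yourdomain.org`)"  # CHANGE HERE
      - "traefik.http.routers.paste.entrypoints=websecure"
      - "traefik.http.routers.paste.tls.certresolver=letsencrypt"
      # Add this label to any service that should sit behind the Keycloak login.
      - "traefik.http.routers.paste.middlewares=forwardauth"

  traefik-forward-auth:
    image: mesosphere/traefik-forward-auth
    container_name: traefik-forward-auth
    restart: on-failure
    depends_on:
      - traefik
      - keycloak
    environment:
      - TZ=Europe/Berlin
      # Random value used to sign the session cookie; generate with e.g. `openssl rand -hex 16`.
      - SECRET=fd92459cd7ygafc2df466sdg3747z43ce0d  # CHANGE HERE
      # OIDC issuer URL of the realm created in Keycloak ("myrealm" here).
      - PROVIDER_URI=https://keycloak.dev.yourdomain.org/realms/myrealm  # CHANGE HERE
      - CLIENT_ID=my-client  # CHANGE HERE
      - CLIENT_SECRET=wueZ37IOE42Sv3XVqJyhrLX3WIk4y  # CHANGE HERE
      # Cookie Domain attribute: a host name only, never a URL with a scheme.
      # Using the parent domain shares the login across *.dev.yourdomain.org.
      - COOKIE_DOMAIN=dev.yourdomain.org  # CHANGE HERE
      # Keycloak is served with a valid Let's Encrypt certificate, so provider TLS
      # verification can stay enabled. Turning it off lets anyone who can spoof the
      # IdP hostname mint accepted logins; only enable it temporarily against the
      # ACME staging CA.
      # - DISABLE_SSL_VERIFICATION=true
      # All traffic is HTTPS, so the session cookie keeps its Secure flag;
      # INSECURE_COOKIE=1 is only for plain-HTTP testing.
      # - INSECURE_COOKIE=1
      # Random key used to encrypt the session cookie; generate it like SECRET.
      - ENCRYPTION_KEY=7347373954253633845947936  # CHANGE HERE
      # All three scopes are required: "openid" makes it an OIDC flow and the
      # author found the login fails without "profile email".
      - SCOPE=profile email openid
    networks:
      - mynetwork
    labels:
      - "traefik.enable=true"
      # Must name the network Traefik shares with this container; the previous
      # value "web" is not defined in this file.
      - "traefik.docker.network=mynetwork"
      - "traefik.http.services.traefik-forward-auth.loadbalancer.server.port=4181"
      # NOTE(review): this router has no `rule`; Traefik logs an error for it. In
      # the default (overlay) mode the /_oauth callback is handled on the protected
      # app's own host, so the router is only needed with an AUTH_HOST setup.
      - "traefik.http.routers.traefik-forward-auth.entrypoints=websecure"
      - "traefik.http.routers.traefik-forward-auth.middlewares=forwardauth"
      - "traefik.http.middlewares.forwardauth.forwardauth.address=http://traefik-forward-auth:4181"
      - "traefik.http.middlewares.forwardauth.forwardauth.authResponseHeaders=X-Forwarded-User"
      - "traefik.http.middlewares.forwardauth.forwardauth.trustForwardHeader=true"

  keycloakdb:
    image: postgres:16.2-alpine
    container_name: keycloakdb
    environment:
      - POSTGRES_DB=keycloak
      - POSTGRES_USER=keycloak
      - POSTGRES_PASSWORD=password  # CHANGE HERE, must match KC_DB_PASSWORD below
      # POSTGRES_ROOT_PASSWORD was dropped: the official postgres image does not
      # read it (the name comes from the MySQL image), so it only suggested a
      # protection that was never applied.
    networks:
      - mynetwork
    # No host port mapping: only Keycloak needs the database and it reaches it over
    # mynetwork. Publishing 5432:5432 exposed the DB (with a default password) on
    # every host interface. For local debugging bind to loopback only:
    # ports:
    #   - "127.0.0.1:5432:5432"
    volumes:
      - keycloakdata:/var/lib/postgresql/data
    labels:
      - "traefik.enable=false"

  keycloak:
    image: quay.io/keycloak/keycloak:24.0
    container_name: keycloak
    hostname: keycloak
    environment:
      - KC_HOSTNAME_STRICT=false
      - KC_DB=postgres
      - KC_DB_URL=jdbc:postgresql://keycloakdb/keycloak
      - KC_DB_URL_PORT=5432
      - KC_DB_USERNAME=keycloak
      - KC_DB_PASSWORD=password  # CHANGE HERE, same value as POSTGRES_PASSWORD
      - KC_DB_SCHEMA=public
      - KC_LOG_LEVEL=info
      # "docker" enables Keycloak's Docker-registry auth protocol; it is unrelated
      # to running inside Docker and not needed for OIDC forward auth.
      - KC_FEATURES=docker
      # Bootstrap admin account for the first start; change the password immediately.
      - KEYCLOAK_ADMIN=admin
      - KEYCLOAK_ADMIN_PASSWORD=password  # CHANGE HERE
      # Traefik terminates TLS, so Keycloak must trust X-Forwarded-* from it.
      # NOTE(review): the proxy option is reported deprecated in Keycloak 24 in favour
      # of KC_PROXY_HEADERS=xforwarded — confirm against the release notes before switching.
      - KC_PROXY=edge
    networks:
      - mynetwork
    depends_on:
      - traefik
      - keycloakdb
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.keycloak.rule=Host(`keycloak.dev.yourdomain.org`)"  # CHANGE HERE
      - "traefik.http.routers.keycloak.entrypoints=websecure"
      - "traefik.http.routers.keycloak.tls.certresolver=letsencrypt"
    # start-dev is Keycloak's development mode (relaxed hostname/TLS checks);
    # use "start" with a proper hostname configuration beyond a sample.
    entrypoint: ["/opt/keycloak/bin/kc.sh", "start-dev"]

# NOTE(review): the services reference `mynetwork` and the `keycloakdata` volume,
# but their top-level `networks:` / `volumes:` declarations are not in this
# listing. Compose refuses to start without them; add them if they are missing:
#   networks:
#     mynetwork:
#   volumes:
#     keycloakdata: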