I built a structure to deploy review apps that should get picked up by Traefik and routed accordingly (this works well with the Docker provider and labels). A second requirement is to secure the apps with our SSO. So I set up an OAuth proxy in front of Traefik to secure all apps at once.
The whole flow looks like this:
client -> auth-proxy -> traefik -> app1 -> app2 ....
The auth-proxy is the only container with ports mapped outside the docker-network and is the entrypoint.
It has the service-name traefik configured as upstream. This creates a problem that the Host-Header for Traefik is always just traefik, no matter the original Host-Header. The correct Host is in X-Forwarded-For-Host.
After studying the documentation intensively I have not found a solution to create Routing Rules based on the Forwarded Host. Is that such a bad idea?
If I switched auth-proxy and traefik around, I would have to create a new proxy for every instance of the app, which seems a lot more complicated.