bluepuma77:
(Host() || Host())
Thanks for the quick reply.
I tried your suggestion, but I still get the 404 page not found on this route:
https://www.mydomain.com/oauth2/redirect#state=pass-through%20value&access_token=<token>&token_type=Bearer&expires_in=3599&scope=profile%20https://www.googleapis.com/auth/userinfo.profile%20https://www.googleapis.com/auth/drive.appdata%20https://www.googleapis.com/auth/drive.file
Here is my oauth2-proxy log:
Attaching to backend_oauth2-proxy_1
oauth2-proxy_1 | [2023/09/26 17:50:12] [options.go:82] WARNING: no explicit redirect URL: redirects will default to insecure HTTP
oauth2-proxy_1 | [2023/09/26 17:50:12] [provider.go:55] Performing OIDC Discovery...
oauth2-proxy_1 | [2023/09/26 17:50:12] [providers.go:145] Warning: Your provider supports PKCE methods ["plain" "S256"], but you have not enabled one with --code-challenge-method
oauth2-proxy_1 | [2023/09/26 17:50:12] [proxy.go:89] mapping path "/" => upstream "http://traefik:80"
oauth2-proxy_1 | [2023/09/26 17:50:12] [oauthproxy.go:162] OAuthProxy configured for OpenID Connect Client ID: CLIENT_ID
oauth2-proxy_1 | [2023/09/26 17:50:12] [oauthproxy.go:168] Cookie settings: name:_oauth2_proxy secure(https):false httponly:true expiry:168h0m0s domains: path:/ samesite: refresh:disabled
Here's my updated docker-compose.yml:
version: '3'
services:
  upload:
    image: mydomain-upload:v3-staging
    build:
      context: .
      dockerfile: src/services/upload/Dockerfile.upload
    restart: always
    ports:
      - "8004:8004"
    depends_on:
      - oauth2-proxy
    networks:
      - proxy
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.upload.rule=Host(`mydomain.com`) && PathPrefix(`/upload`)"
      - "traefik.http.middlewares.oauth2-proxy.forwardauth.address=http://oauth2-proxy:4180"
      - "traefik.http.middlewares.oauth2-proxy.forwardauth.trustForwardHeader=true"
      - "traefik.http.routers.upload.entrypoints=websecure"
      - "traefik.http.services.upload.loadbalancer.server.port=8004"
      - "traefik.http.middlewares.upload-cors.headers.accessControlAllowMethods=GET, POST, OPTIONS"
      - "traefik.http.middlewares.upload-cors.headers.accessControlAllowOriginList=*"
      - "traefik.http.middlewares.upload-cors.headers.accessControlAllowHeaders=*"
      - "traefik.http.middlewares.upload-cors.headers.accessControlAllowCredentials=true"
      - "traefik.http.routers.upload.middlewares=oauth2-proxy,upload-cors"
    environment:
      - MODE=staging
  oauth2-proxy:
    image: quay.io/oauth2-proxy/oauth2-proxy:v7.4.0
    networks:
      - proxy
    volumes:
      - /var/log:/var/log
    command:
      - --provider=oidc
      - --email-domain=*
      - --oidc-issuer-url=https://accounts.google.com
      - --cookie-secure=true
      - --cookie-secret=COOKIE_SECRET
      - --client-id=CLIENT_ID
      - --client-secret=CLIENT_SECRET
      - --upstream=http://traefik:80
      - --pass-access-token=true
      - --pass-authorization-header=true
      - --set-authorization-header=true
      - --redirect-url=https://www.mydomain.com/oauth2/redirect
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.oauth2-proxy.rule=(Host(`mydomain.com`) || Host(`www.mydomain.com`)) && PathPrefix(`/oauth2`)"
      - "traefik.http.routers.oauth2-proxy.entrypoints=websecure"
      - "traefik.http.routers.oauth2-proxy.tls.certresolver=myresolver"
  nginx:
    image: mydomain-nginx:v3-staging
    build:
      context: .
      dockerfile: src/static/Dockerfile.nginx.staging
    restart: always
    networks:
      - proxy
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.nginx.rule=Host(`mydomain.com`)"
      - "traefik.http.routers.nginx.entrypoints=websecure"
      - "traefik.http.routers.nginx.tls.certresolver=myresolver"
  traefik:
    image: traefik:v3.0
    restart: always
    depends_on:
      - oauth2-proxy
      - nginx
    ports:
      - "80:80"
      - "443:443"
    networks:
      - proxy
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - /etc/letsencrypt:/letsencrypt
      - /var/log:/var/log
    command:
      - --providers.docker.network=proxy
      - --api.dashboard=true
      - --log.level=DEBUG
      - --log.filepath=/var/log/traefik.log
      - --accesslog=true
      - --accesslog.filepath=/var/log/traefik-access.log
      - --providers.docker.network=proxy
      - --providers.docker.exposedByDefault=false
      - --entrypoints.web.address=:80
      - --entrypoints.web.http.redirections.entrypoint.to=websecure
      - --entryPoints.web.http.redirections.entrypoint.scheme=https
      - --entrypoints.websecure.address=:443
      - --entrypoints.websecure.asDefault=true
      - --entrypoints.websecure.http.tls.certresolver=myresolver
      - --certificatesresolvers.myresolver.acme.email=admin@mydomain.com
      - --certificatesresolvers.myresolver.acme.tlschallenge=true
      - --certificatesresolvers.myresolver.acme.storage=/letsencrypt/acme.json
      - --certificatesresolvers.myresolver.acme.caserver=https://acme-v02.api.letsencrypt.org/directory
      - --metrics.prometheus=true
      - --tracing.jaeger=true
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.myrouter.tls.domains[0].main=www.mydomain.com"
      - "traefik.http.routers.myrouter.tls.certresolver=myresolver"
      - "traefik.http.routers.mydashboard.rule=Host(`monitor.mydomain.com`)"
      - "traefik.http.routers.mydashboard.entrypoints=websecure"
      - "traefik.http.routers.mydashboard.tls.certresolver=myresolver"
      - "traefik.http.routers.mydashboard.service=api@internal"
      - "traefik.http.routers.mydashboard.middlewares=myauth"
      - "traefik.http.middlewares.myauth.basicauth.users=admin:$$2y$$05$$/hJpV/MlsvaKB9bAWe8nDeq416TAjd9qU4bfs56ibkFU9smKP/O0S"
      - "traefik.http.routers.oauth2-redirect.rule=Host(`www.mydomain.com`) && Path(`/oauth2/redirect`)"
      - "traefik.http.routers.oauth2-redirect.middlewares=oauth2-redirect-rewrite"
      - "traefik.http.middlewares.oauth2-redirect-rewrite.redirectregex.regex=^/oauth2/redirect/(.*)"
      - "traefik.http.middlewares.oauth2-redirect-rewrite.redirectregex.replacement=/$${1}"
      - "traefik.http.middlewares.oauth2-redirect-rewrite.redirectregex.permanent=true"
networks:
  proxy:
    name: proxy
Changes:
- Enabled --cookie-secure=true
- Added --redirect-url=https://www.mydomain.com/oauth2/redirect
- Added the traefik.http.middlewares.oauth2-redirect-rewrite... lines
But now after going through Google Auth, I get redirected to a page that says:
The page isn’t redirecting properly
An error occurred during a connection to www.mydomain.com.
This problem can sometimes be caused by disabling or refusing to accept cookies.
I'm hitting a wall again. Any pointers? @bluepuma77
Also, here are my oauth2-proxy docker logs:
sudo docker logs backend_oauth2-proxy_1
[2023/09/29 15:22:08] [provider.go:55] Performing OIDC Discovery...
[2023/09/29 15:22:08] [providers.go:145] Warning: Your provider supports PKCE methods ["plain" "S256"], but you have not enabled one with --code-challenge-method
[2023/09/29 15:22:08] [proxy.go:89] mapping path "/" => upstream "http://traefik:80"
[2023/09/29 15:22:08] [oauthproxy.go:162] OAuthProxy configured for OpenID Connect Client ID: <CLIENT_ID>
[2023/09/29 15:22:08] [oauthproxy.go:168] Cookie settings: name:_oauth2_proxy secure(https):true httponly:true expiry:168h0m0s domains: path:/ samesite: refresh:disabled
Also, it appears to be an NS_ERROR_REDIRECT_LOOP, based on the network requests in the browser console. My server continuously returns a 301 status code, the new location in the Location header is the same as the original request URL, and there are multiple requests in the log with this status code.
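The browser's "page isn't redirecting properly" message hides the actual redirect chain, which is the thing you need when debugging a loop like the one above. The script below is an added example (not code from the post, from Traefik or from oauth2-proxy) that follows Location headers one hop at a time with a hard hop limit and reports the chain, flagging the first URL that repeats. It uses only the standard library; the host `www.example.invalid` and the response tables are constructed to mimic the behaviour described in the post (a 301 whose Location equals the request URL) and are not captured from a real server. `http_fetch` is included so the same tracer can be pointed at a live host once you have one.

```python
"""Bounded redirect-chain tracer for diagnosing NS_ERROR_REDIRECT_LOOP.

Added example, not part of the original forum post. The sample response
tables below are constructed, not captured from any real server.
"""
from urllib.parse import urljoin
import urllib.error
import urllib.request

REDIRECT_STATUSES = {301, 302, 303, 307, 308}


def follow_redirects(fetch, url, max_hops=10):
    """Follow Location headers by hand, one hop at a time.

    `fetch(url)` must return (status_code, location_or_None) without
    following redirects itself. The result dict has:
      kind = "ok"       : a non-redirect response was reached
      kind = "loop"     : a URL came up a second time (redirect loop)
      kind = "too_many" : max_hops exceeded with neither loop nor terminal response
    """
    chain = [url]
    seen = {url}
    current = url
    for _ in range(max_hops):
        status, location = fetch(current)
        if status not in REDIRECT_STATUSES or not location:
            return {"kind": "ok", "status": status, "chain": chain}
        # Location may be relative; resolve it against the URL that sent it.
        nxt = urljoin(current, location)
        chain.append(nxt)
        if nxt in seen:
            return {"kind": "loop", "status": status, "chain": chain,
                    "repeat": nxt, "self_redirect": nxt == current}
        seen.add(nxt)
        current = nxt
    return {"kind": "too_many", "status": None, "chain": chain}


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Make urllib hand back 3xx responses instead of following them."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # urllib then raises HTTPError for the 3xx; caught below


def http_fetch(url, timeout=5):
    """Live fetcher for a real host (not used by the offline demo)."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        resp = opener.open(url, timeout=timeout)
        return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:
        return err.code, err.headers.get("Location")


# Constructed sample "servers" on a hypothetical host.
BASE = "https://www.example.invalid"

# Mimics the post: a 301 whose Location is the request URL itself.
LOOPING_RESPONSES = {
    BASE + "/oauth2/redirect": (301, BASE + "/oauth2/redirect"),
}

# A healthy chain: one relative redirect, then a 200.
HEALTHY_RESPONSES = {
    BASE + "/oauth2/redirect": (302, "/"),
    BASE + "/": (200, None),
}


def table_fetch(table):
    """Build an offline fetch() from a {url: (status, location)} table."""
    def fetch(url):
        return table.get(url, (404, None))
    return fetch


def demo():
    """Trace both constructed servers and return the two reports."""
    looping = follow_redirects(table_fetch(LOOPING_RESPONSES), BASE + "/oauth2/redirect")
    healthy = follow_redirects(table_fetch(HEALTHY_RESPONSES), BASE + "/oauth2/redirect")
    return looping, healthy


if __name__ == "__main__":
    for report in demo():
        print(report["kind"], " -> ".join(report["chain"]))
```

Against a live host, call `follow_redirects(http_fetch, "https://your-host/oauth2/redirect")` and read the chain: a `self_redirect` of `True` means the server is 301ing a URL to itself, which is exactly the pattern the browser reports as a redirect loop, and the hop limit guarantees the tracer stops even when the server never does.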