What about Traefik Proxy middleware

I've been using Traefik Proxy for quite a while and have set up middleware to add security to my published applications - Basic Auth and OIDC (forward auth to Keycloak) - with this I have ended up with a 500-line docker compose file as well as many YAML config files for my published services. I am very keen to find a simpler way to manage the config and to monitor what is running and what is not. So far, Traefik Hub looks like you are going in that direction. Keep up the excellent work!!!

For my use cases I would consider these as requirements:

  • custom domain (I'm using Let's Encrypt to provision certs / Cloudflare DNS API)

  • internal authentication service. I use Keycloak / traefik-forward-auth. This needs to be an internal service as my internet connection is not 100% reliable and my internal services rely on authentication too. Please add my vote for OIDC authentication access control to your to-do list.

  • token-based access - I never succeeded in getting bearer tokens to work - and I want to publish some APIs securely in my next developments

  • dashboard could hopefully show the availability of services in addition to traffic stats, and perhaps configurable alerts.

Steve

Hello @stevegroom,

thanks for your interest :slight_smile:

Let me go through your requirements quickly:

  • Custom domains are in active development and will be available soon-ish
  • You are referring to OIDC as a separate Access Control Policy. Am I right?
  • Kinda like an API Key authentication? Where Hub manages the keys?
  • How would you define availability? Like, responding to ping requests, or I don't know?

Does that help? Eager to learn more about those feature requests :slight_smile:

Hi @SantoDE
for OIDC the basic requirement is a central authentication service that supports user-interactive and key-based authentication - OAuth, OIDC, whatever - my current use cases all authenticate via Traefik. Due to rural internet connections, the service needs to run within the network. If access control were part of Traefik, it'd still fit my use case.

Similarly for managing keys - hub could manage keys as long as they can be cached locally.

Availability - I'm currently creating a monitor with Node-RED - give it a URL and credentials and check the HTTP response and response time. I expect I'll extend that with a regex match on the response body as an enhancement.

My local network router is defined in the public DNS as
*.my.domain.com CNAME router.my.domain.com
router.my.domain.com A

I have a docker service regularly checking to see if the assigned IP address has been changed and then calls CloudFlare API to update the DNS.

Currently, if I am inside the network, http://service.my.domain.com resolves to the IP address assigned to the network router which then port forwards to traefik.my.domain.com.

If I am outside the network, the same hostnames and services are available - this is why I think it is key that security be handled locally to provide the same protections for local and published services.

hope this is clearer.
Steve
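The availability check Steve describes (a URL plus credentials, checking the HTTP status, the response time and, as the planned enhancement, a regex match on the body) written out as an added Python example rather than a Node-RED flow; this is not code from the thread or from Traefik. It assumes the protected service uses HTTP Basic authentication, and to run offline it starts a constructed local server with made-up credentials `monitor`/`s3cret`, a constructed `/health` path returning `status: ok`, and a constructed 1000 ms latency budget.

```python
import base64
import re
import threading
import time
from dataclasses import dataclass
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Optional
from urllib.error import HTTPError, URLError
from urllib.request import Request, urlopen


@dataclass
class CheckResult:
    reachable: bool          # TCP/HTTP exchange completed at all
    status: Optional[int]    # HTTP status code, None if unreachable
    elapsed_ms: float        # wall-clock time for the request
    body_matches: bool       # regex matched (True when no pattern given)
    healthy: bool            # 2xx, body matched, and within latency budget


def check_service(url, username, password, body_pattern=None,
                  timeout=5.0, max_latency_ms=1000.0):
    """Probe a Basic-Auth protected URL and classify its availability."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    req = Request(url, headers={"Authorization": f"Basic {token}"})
    start = time.perf_counter()
    try:
        with urlopen(req, timeout=timeout) as resp:
            status = resp.status
            body = resp.read().decode("utf-8", "replace")
    except HTTPError as e:                 # 4xx/5xx still means "reachable"
        status, body = e.code, ""
    except (URLError, OSError):            # refused, DNS failure, timeout
        elapsed = (time.perf_counter() - start) * 1000
        return CheckResult(False, None, elapsed, False, False)
    elapsed = (time.perf_counter() - start) * 1000
    matches = True if body_pattern is None else bool(
        re.search(body_pattern, body, re.MULTILINE))
    healthy = 200 <= status < 300 and matches and elapsed <= max_latency_ms
    return CheckResult(True, status, elapsed, matches, healthy)


class _DemoHandler(BaseHTTPRequestHandler):
    """Constructed stand-in for a Basic-Auth protected service."""
    EXPECTED = "Basic " + base64.b64encode(b"monitor:s3cret").decode()

    def do_GET(self):
        if self.headers.get("Authorization") != self.EXPECTED:
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="demo"')
            self.end_headers()
            return
        body = b"status: ok\nversion: demo"
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo output quiet
        pass


def start_demo_server():
    """Bind the constructed server to a free loopback port."""
    server = HTTPServer(("127.0.0.1", 0), _DemoHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def run_demo():
    """Three probes: good credentials, bad credentials, service down."""
    server, port = start_demo_server()
    url = f"http://127.0.0.1:{port}/health"
    pattern = r"^status: ok$"
    try:
        good = check_service(url, "monitor", "s3cret", body_pattern=pattern)
        bad_creds = check_service(url, "monitor", "wrong", body_pattern=pattern)
    finally:
        server.shutdown()
        server.server_close()
    # Port is released now, so this probe sees a refused connection.
    down = check_service(url, "monitor", "s3cret", body_pattern=pattern, timeout=2.0)
    return good, bad_creds, down


if __name__ == "__main__":
    for label, result in zip(("good", "bad creds", "down"), run_demo()):
        print(f"{label:10s} {result}")
```

The check distinguishes "unreachable" from "reachable but failing" (a 401 from expired credentials, or a 200 whose body no longer matches), which is the detail a dashboard alert should carry; the regex is evaluated with `re.MULTILINE` so an anchored line pattern works on a multi-line body.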