initial commit

Dockerfile

@@ -0,0 +1,20 @@
+FROM golang:1.10-alpine as builder
+
+# Setup
+RUN mkdir /app
+WORKDIR /app
+
+# Add libraries
+RUN apk add --no-cache git && \
+  go get "github.com/namsral/flag" && \
+  go get "github.com/op/go-logging" && \
+  apk del git
+
+# Copy & build
+ADD . /app/
+RUN CGO_ENABLED=0 GOOS=linux go build -a -installsuffix nocgo -o /traefik-forward-auth .
+
+# Copy into scratch container
+FROM scratch
+COPY --from=builder /traefik-forward-auth ./
+ENTRYPOINT ["./traefik-forward-auth"]

LICENSE.md

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) [2018] [Thom Seddon]
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

README.md

@@ -0,0 +1,64 @@
+
+# Traefik Forward Auth
+
+A minimal forward authentication service that provides Google oauth based login and authentication for the traefik reverse proxy.
+
+
+## Why?
+
+- Seamlessly overlays any http service with a single endpoint (see: `-url-path` in [Configuration](#configuration))
+- Supports multiple domains/subdomains
+- Allows authentication to persist across multiple domains (see [Cookie Domains](#cookie-domains))
+- Supports extended authentication beyond Google token lifetime (see: `-lifetime` in [Configuration](#configuration))
+
+## Quick Start
+
+See the (examples) directory for example docker compose and traefik configuration files that demonstrates the forward authentication configuration for traefik and passing required configuration values to traefik-forward-auth.
+
+## Configuration
+
+The following configuration is supported:
+
+
+|Flag                   |Type  |Description|
+|-----------------------|------|-----------|
+|-client-id|string|*Google Client ID (required)|
+|-client-secret|string|*Google Client Secret (required)|
+|-config|string|Path to config file|
+|-cookie-domains|string|Comma separated list of cookie domains|
+|-cookie-name|string|Cookie Name (default "_forward_auth")|
+|-cookie-secret|string|*Cookie secret (required)|
+|-cookie-secure|bool|Use secure cookies (default true)|
+|-csrf-cookie-name|string|CSRF Cookie Name (default "_forward_auth_csrf")|
+|-direct|bool|Run in direct mode (use own hostname as oppose to <br>X-Forwarded-Host, used for testing/development)
+|-domain|string|Comma separated list of email domains to allow|
+|-lifetime|int|Session length in seconds (default 43200)|
+|-url-path|string|Callback URL (default "_oauth")|
+
+Configuration can also be supplied as environment variables (use upper case and swap `-`'s for `_`'s e.g. `-client-id` becomes `CLIENT_ID`)
+
+Configuration can also be supplied via a file, you can specify the location with `-config` flag, the format is `flag value` one per line, e.g. `client-id your-client-id`)
+
+## OAuth Configuration
+
+Head to https://console.developers.google.com & make sure you've switched to the correct email account.
+
+Create a new project then search for and select "Credentials" in the search bar. Fill out the "OAuth Consent Screen" tab.
+
+Click, "Create Credentials" > "OAuth client ID". Select "Web Application", fill in the name of your app, skip "Authorized JavaScript origins" and fill "Authorized redirect URIs" with all the domains you will allow authentication from, appended with the `url-path` (e.g. https://app.test.com/_oauth)
+
+## Cookie Domains
+
+You can supply a comma separated list of cookie domains, if the host of the original request is a subdomain of any given cookie domain, the authentication cookie will set with the given domain.
+
+For example, if cookie domain is `test.com` and a request comes in on `app1.test.com`, the cookie will be set for the whole `test.com` domain. As such, if another request is forwarded for authentication from `app2.test.com`, the original cookie will be sent and so the request will be allowed without further authentication.
+
+Beware however, if using cookie domains whilst running multiple instances of traefik/traefik-forward-auth for the same domain, the cookies will clash. You can fix this by using the same `cookie-secret` in both instances, or using a different `cookie-name` on each.
+
+## Copyright
+
+2018 Thom Seddon
+
+## License
+
+[MIT](https://github.com/thomseddon/traefik-forward-auth/blob/master/LICENSE.md)

example/docker-compose.yml

@@ -0,0 +1,37 @@
+version: '3'
+
+services:
+  traefik:
+    image: traefik
+    command: -c /traefik.toml --logLevel=DEBUG
+    ports:
+      - "8085:80"
+      - "8086:8080"
+    networks:
+      - traefik
+    volumes:
+      - ./traefik.toml:/traefik.toml
+      - /var/run/docker.sock:/var/run/docker.sock
+
+  whoami1:
+    image: emilevauge/whoami
+    networks:
+      - traefik
+    labels:
+      - "traefik.backend=whoami"
+      - "traefik.enable=true"
+      - "traefik.frontend.rule=Host:whoami.localhost.com"
+
+  forward-oauth:
+    image: thomseddon/traefik-forward-auth
+    environment:
+      - CLIENT_ID=your-client-id
+      - CLIENT_SECRET=your-client-secret
+      - COOKIE_SECRET=something-random
+      - COOKIE_SECURE=false
+      - DOMAIN=yourcompany.com
+    networks:
+      - traefik
+
+networks:
+  traefik:

example/traefik.toml

@@ -0,0 +1,136 @@
+################################################################
+# Global configuration
+################################################################
+
+# Enable debug mode
+#
+# Optional
+# Default: false
+#
+# debug = true
+
+# Log level
+#
+# Optional
+# Default: "ERROR"
+#
+# logLevel = "DEBUG"
+
+# Entrypoints to be used by frontends that do not specify any entrypoint.
+# Each frontend can specify its own entrypoints.
+#
+# Optional
+# Default: ["http"]
+#
+# defaultEntryPoints = ["http", "https"]
+
+################################################################
+# Entrypoints configuration
+################################################################
+
+# Entrypoints definition
+#
+# Optional
+# Default:
+[entryPoints]
+    [entryPoints.http]
+    address = ":80"
+
+    [entryPoints.http.auth.forward]
+    address = "http://forward-oauth:4181"
+
+################################################################
+# Traefik logs configuration
+################################################################
+
+# Traefik logs
+# Enabled by default and log to stdout
+#
+# Optional
+#
+# [traefikLog]
+
+# Sets the filepath for the traefik log. If not specified, stdout will be used.
+# Intermediate directories are created if necessary.
+#
+# Optional
+# Default: os.Stdout
+#
+# filePath = "log/traefik.log"
+
+# Format is either "json" or "common".
+#
+# Optional
+# Default: "common"
+#
+# format = "common"
+
+################################################################
+# Access logs configuration
+################################################################
+
+# Enable access logs
+# By default it will write to stdout and produce logs in the textual
+# Common Log Format (CLF), extended with additional fields.
+#
+# Optional
+#
+# [accessLog]
+
+# Sets the file path for the access log. If not specified, stdout will be used.
+# Intermediate directories are created if necessary.
+#
+# Optional
+# Default: os.Stdout
+#
+# filePath = "/path/to/log/log.txt"
+
+# Format is either "json" or "common".
+#
+# Optional
+# Default: "common"
+#
+# format = "common"
+
+################################################################
+# API and dashboard configuration
+################################################################
+
+# Enable API and dashboard
+[api]
+
+  # Name of the related entry point
+  #
+  # Optional
+  # Default: "traefik"
+  #
+  # entryPoint = "traefik"
+
+  # Enabled Dashboard
+  #
+  # Optional
+  # Default: true
+  #
+  # dashboard = false
+
+################################################################
+# Ping configuration
+################################################################
+
+# Enable ping
+[ping]
+
+  # Name of the related entry point
+  #
+  # Optional
+  # Default: "traefik"
+  #
+  # entryPoint = "traefik"
+
+################################################################
+# Docker configuration backend
+################################################################
+
+# Enable Docker configuration backend
+[docker]
+exposedByDefault = false