Hi guys,
Traefik is a great service!
I solved all of my problems by myself, but now I have a problem where I need your support.
I'm working on a simple REST endpoint with an AngularJS frontend. To protect the REST endpoint I integrated an OAuth2 middleware to verify the cookie and handle the sign-in process:
https://github.com/pusher/oauth2_proxy
Everything looks good and works so far. The only problem is the redirect after a successful login.
I attached a minimal example to explain my problem. I added the oauth2 proxy and the whoami container, protected via the oauth2 proxy.
```yaml
version: '3.7'
services:
  traefik:
    image: 'traefik:cantal'
    restart: unless-stopped
    command:
      - --providers.docker=true
      - --providers.docker.exposedbydefault=false
      - --providers.docker.defaultRule=Host(`{{ index .Labels "ai.ix.fqdn"}}`)
      - --entrypoints.http.address=:80
      - --entrypoints.https.address=:443
      - --certificatesresolvers.mytlschallenge.acme.tlschallenge=true
      - --certificatesresolvers.mytlschallenge.acme.email=postmaster@continental.cloud
      - --certificatesresolvers.mytlschallenge.acme.storage=/letsencrypt/acme.json
    labels:
      traefik.enable: 'true'
      traefik.http.middlewares.default-compress.compress: 'true'
      traefik.http.middlewares.default-http.redirectScheme.scheme: https
      traefik.http.middlewares.default-http.redirectScheme.permanent: 'true'
      traefik.http.middlewares.default-https.chain.middlewares: default-compress
      traefik.http.routers.default-redirect.entrypoints: http
      traefik.http.routers.default-redirect.middlewares: default-http
      traefik.http.routers.default-redirect.rule: "HostRegexp(`{any:.*}`)"
    ports:
      - '80:80'
      - '443:443'
    volumes:
      - './letsencrypt:/letsencrypt'
      - '/var/run/docker.sock:/var/run/docker.sock:ro'
  oauth:
    image: quay.io/pusher/oauth2_proxy:master
    restart: unless-stopped
    labels:
      ai.ix.expose: 'true'
      traefik.enable: 'true'
      traefik.http.middlewares.oauth-verify.forwardAuth.address: http://oauth:4180/oauth2/auth
      traefik.http.middlewares.oauth-verify.forwardAuth.trustForwardHeader: 'true'
      traefik.http.middlewares.oauth-verify.forwardAuth.authResponseHeaders: X-Forwarded-User,X-Auth-Request-Email,Set-Cookie
      traefik.http.middlewares.oauth-signin.errors.service: oauth@docker
      traefik.http.middlewares.oauth-signin.errors.status: '401'
      traefik.http.middlewares.oauth-signin.errors.query: /oauth2/sign_in
      traefik.http.routers.oauth.entrypoints: 'https'
      traefik.http.routers.oauth.rule: Host(`oauth.${DOMAIN?err}`) || PathPrefix(`/oauth2`)
      traefik.http.routers.oauth.tls.certResolver: mytlschallenge
      traefik.http.routers.oauth.service: oauth@docker
      traefik.http.services.oauth.loadbalancer.server.port: '4180'
    environment:
      OAUTH2_PROXY_CLIENT_ID: '${OAUTH2_PROXY_CLIENT_ID?err}'
      OAUTH2_PROXY_CLIENT_SECRET: '${OAUTH2_PROXY_CLIENT_SECRET?err}'
      OAUTH2_PROXY_COOKIE_DOMAIN: '.${DOMAIN?err}'
      OAUTH2_PROXY_COOKIE_REFRESH: '1h'
      OAUTH2_PROXY_COOKIE_SECURE: 'true'
      OAUTH2_PROXY_COOKIE_SECRET: '${OAUTH2_PROXY_COOKIE_SECRET?err}'
      OAUTH2_PROXY_EMAIL_DOMAINS: '*'
      OAUTH2_PROXY_FOOTER: '-'
      OAUTH2_PROXY_HTTP_ADDRESS: '0.0.0.0:4180'
      OAUTH2_PROXY_PASS_BASIC_AUTH: 'false'
      OAUTH2_PROXY_PASS_USER_HEADERS: 'true'
      OAUTH2_PROXY_PROVIDER: 'OIDC'
      OAUTH2_PROXY_REVERSE_PROXY: 'true'
      OAUTH2_PROXY_SET_AUTHORIZATION_HEADER: 'true'
      OAUTH2_PROXY_SET_XAUTHREQUEST: 'true'
      OAUTH2_PROXY_WHITELIST_DOMAIN: '.${DOMAIN?err}'
      OAUTH2_PROXY_LOGIN_URL: 'https://${OIDC_DOMAIN?err}/oauth2/authorize'
      OAUTH2_PROXY_PROFILE_URL: 'https://${OIDC_DOMAIN?err}/oauth2/userInfo'
      OAUTH2_PROXY_REDEEM_URL: 'https://${OIDC_DOMAIN?err}/oauth2/token'
      OAUTH2_PROXY_SCOPE: 'openid'
      OAUTH2_PROXY_PROVIDER_DISPLAY_NAME: 'GenericPayment Login'
  whoami2:
    image: containous/whoami
    restart: unless-stopped
    labels:
      ai.ix.fqdn: api.${DOMAIN?err}
      traefik.enable: 'true'
      traefik.http.services.whoami2.loadbalancer.server.port: '80'
      traefik.http.routers.whoami2.entrypoints: https
      traefik.http.routers.whoami2.middlewares: oauth-signin,oauth-verify,default-https
      traefik.http.routers.whoami2.rule: Host(`api.${DOMAIN?err}`) && PathPrefix(`/whoami`)
      traefik.http.routers.whoami2.tls.certResolver: mytlschallenge
```
Going to `api.${DOMAIN}/whoami` redirects to the OAuth login page and stores the cookie. But the redirect after login goes to `api.${DOMAIN}` instead of `api.${DOMAIN}/whoami`.
If I add a new middleware to the service:
```yaml
traefik.http.routers.whoami2.middlewares: redirect-header,oauth-signin,oauth-verify,default-https
traefik.http.middlewares.redirect-header.headers.customrequestheaders.X-Auth-Request-Redirect: /whoami
```
the redirect works, but only for the given static URL, `/whoami`.
In nginx there is a runtime variable, `$request_uri`, which can be used to set the header value.
Is there a similar variable or setting available in Traefik? Does somebody have experience with such an OAuth2 middleware and can give me some hints and tips on how I can fix my redirect problem?
Thanks for your help and have a nice day!
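The following is an added example to illustrate the flow discussed in the post above; it is not Traefik's or oauth2_proxy's code and not part of the original post. It models one forward-auth round trip in pure Python: the edge proxy forwards the request to the auth endpoint with the `X-Forwarded-*` headers that Traefik's forwardAuth middleware does send (`X-Forwarded-Method`, `-Proto`, `-Host`, `-Uri`, `-For`), treats a 2xx answer as authorised, and on 401 redirects to the sign-in page carrying the original scheme, host and URI as an `rd` query parameter so the user lands on the page they asked for after login, not on the site root. The security point it adds: the compose file above sets `forwardAuth.trustForwardHeader: 'true'`, so client-supplied `X-Forwarded-*` values reach the auth endpoint, and the `rd` value comes back from the client after the IdP round trip; whichever component builds the post-login redirect from these must allow-list the destination, otherwise the sign-in flow is an open redirect. Everything else (the `_oauth2_proxy` cookie name as the session check, an `rd` parameter on the sign-in page, `example.com` standing in for `${DOMAIN}`, the 202/401 auth endpoint) is a hypothetical stand-in chosen for the example.

```python
"""Added example (not Traefik's or oauth2_proxy's code): one forward-auth
round trip that preserves the original request URI across sign-in and
allow-lists the redirect destination.

Relies on: Traefik forwardAuth sends X-Forwarded-Method/Proto/Host/Uri/For
to the auth endpoint and treats any 2xx reply as authorised.
Assumed for the example only: a session cookie named `_oauth2_proxy`, an
`rd` query parameter on the sign-in page, and `example.com` as the domain.
"""
from urllib.parse import parse_qs, urlencode, urlsplit

SIGN_IN_PATH = "/oauth2/sign_in"
ALLOWED_DOMAIN = "example.com"      # assumed stand-in for ${DOMAIN}
VALID_SESSIONS = {"session-ok"}     # constructed: cookie values the auth endpoint accepts


def forward_auth_headers(method, scheme, host, uri, client_ip):
    """Headers the edge proxy attaches to the sub-request to the auth endpoint."""
    return {
        "X-Forwarded-Method": method,
        "X-Forwarded-Proto": scheme,
        "X-Forwarded-Host": host,
        "X-Forwarded-Uri": uri,
        "X-Forwarded-For": client_ip,
    }


def auth_endpoint(cookies):
    """Hypothetical /oauth2/auth: 202 when the session cookie is valid, else 401."""
    return 202 if cookies.get("_oauth2_proxy") in VALID_SESSIONS else 401


def redirect_is_safe(target):
    """Allow only absolute https URLs on the configured domain or a subdomain.

    X-Forwarded-Host (with trustForwardHeader) and the rd parameter returned
    after the IdP round trip are both client-influenced, so the destination
    must pass an allow-list or the sign-in flow becomes an open redirect.
    """
    parts = urlsplit(target)
    if parts.scheme != "https":
        return False          # rejects "//evil.test/..." and plain http
    if parts.username is not None or parts.password is not None:
        return False          # rejects "https://evil.test\\@api.example.com/"
    host = parts.hostname or ""
    return host == ALLOWED_DOMAIN or host.endswith("." + ALLOWED_DOMAIN)


def handle_request(method, scheme, host, uri, client_ip, cookies):
    """Edge proxy behaviour: pass through on 2xx, else redirect to sign-in with rd."""
    headers = forward_auth_headers(method, scheme, host, uri, client_ip)
    if auth_endpoint(cookies) == 202:
        return {"status": 200, "body": "upstream served " + uri}
    original = "%s://%s%s" % (
        headers["X-Forwarded-Proto"], headers["X-Forwarded-Host"], headers["X-Forwarded-Uri"])
    if not redirect_is_safe(original):
        original = "https://" + ALLOWED_DOMAIN + "/"   # never echo an untrusted host back
    return {"status": 302, "location": SIGN_IN_PATH + "?" + urlencode({"rd": original})}


def post_login_destination(location, fallback):
    """After the IdP round trip: honour rd only if it still passes the allow-list."""
    rd = parse_qs(urlsplit(location).query).get("rd", [""])[0]
    return rd if rd and redirect_is_safe(rd) else fallback


if __name__ == "__main__":
    first = handle_request("GET", "https", "api.example.com", "/whoami?x=1", "203.0.113.5", {})
    print(first["location"])
    print(post_login_destination(first["location"], "https://api.example.com/"))
```

The two-step check matters because the value is validated twice: once when the proxy builds `rd` from forwarded headers, and again when the sign-in flow reads `rd` back, since the client can rewrite the query string in between. A forged `X-Forwarded-Host` therefore falls back to the site root instead of sending the user to a third-party host after login.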