traefik-proxy's Introduction

Traefik-Proxy

One-step (secure) configuration for Traefik edge router using Authelia for authentication.

Features

Keeping in mind security first, this project ensures:

  • The Docker daemon socket is never mounted to traefik or any container with external networking (See the risks of exposing the Docker daemon)
  • HTTPS redirection is automatically configured for all routers
  • TLS is always enabled, even locally (can confidently test new services locally without needing a dev config that differs significantly from prod)
  • The Traefik dashboard is never launched in insecure mode

Other features include:

  • Self-hosted SSO authentication (Authelia), including support for security keys and one-time password generators
  • User-friendly 4XX & 5XX status pages
  • Pre-configured file provider (for shared routers and middleware) and Docker provider (for everything else)
  • Centralized configuration via environment variables and Docker secrets
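The following Compose fragment is an added example (not the project's own docker-compose.yml) showing how the first four guarantees above are typically expressed: the Docker provider talks to a read-only socket proxy on an internal network instead of mounting the socket, port 80 redirects to 443, and the dashboard is reached only through a TLS router guarded by a forward-auth middleware. The image tags and hostnames come from this page; the network name `socket` and the middleware name `authelia@file` are assumptions.

```yaml
# Added example, not the project's compose file.
# --- WEAK pattern the project avoids (shown for contrast, do not use) ---
# traefik:
#   command: ["--api.insecure=true"]                  # dashboard on :8080 with no auth
#   volumes:
#     - /var/run/docker.sock:/var/run/docker.sock    # root-equivalent host access in the edge container

# --- HARDENED pattern ---
networks:
  traefik:
    external: true          # created by `make`; app containers join this network
  socket:                   # assumed name; internal: no egress, only traefik <-> proxy
    internal: true

services:
  docker-socket-proxy:
    image: tecnativa/docker-socket-proxy:0.2.0
    environment:
      CONTAINERS: "1"       # container listing is all the Docker provider needs
      POST: "0"             # reject mutating API calls (create/start/exec)
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
    networks: [socket]

  traefik:
    image: traefik:v3.1.2
    command:
      - --providers.docker.endpoint=tcp://docker-socket-proxy:2375
      - --providers.docker.exposedByDefault=false     # opt-in per container
      - --providers.file.directory=/etc/traefik/dynamic
      - --entryPoints.web.address=:80
      - --entryPoints.websecure.address=:443
      - --entryPoints.web.http.redirections.entryPoint.to=websecure
      - --entryPoints.web.http.redirections.entryPoint.scheme=https
      - --api.dashboard=true                         # api.insecure left at its default, false
    labels:
      traefik.enable: "true"
      traefik.http.routers.dashboard.rule: Host(`traefik.docker.localhost`)
      traefik.http.routers.dashboard.entryPoints: websecure
      traefik.http.routers.dashboard.tls: "true"
      traefik.http.routers.dashboard.service: api@internal
      traefik.http.routers.dashboard.middlewares: authelia@file   # forwardAuth from the file provider (assumed name)
    ports: ["80:80", "443:443"]
    networks: [traefik, socket]
```

A quick check that the socket is really not mounted: `docker inspect traefik --format '{{json .Mounts}}'` should show no `/var/run/docker.sock` entry.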

Getting Started

Quickstart

$ git clone https://github.com/jamescurtin/traefik-proxy.git
$ cd traefik-proxy
$ make

Running make creates a .env file and the authelia/secrets directory. Update the .env file with the hostnames of any additional hosts you configure. The authelia/secrets directory contains the secrets used to configure all services. If you follow the quickstart and run make, random passwords are generated by default; otherwise, you must replace the values in authelia/secrets before deploying.

There are additional configuration files that need to be customized before you can deploy in a production environment. All places where customization is necessary are marked with CHANGEME comments.

The command will also create the external Docker network named traefik. Any other Docker services that you plan to expose via Traefik should be added to this network.

See the Exploring section for more information.

Users

Authelia is configured to use two-factor authentication. When running the project out of the box (i.e. without having configured the SMTP notifier), you will have to check the file authelia/notification.txt to get the registration link for configuring 2FA.

Authelia users are defined in authelia/users.yml.

By default, this ships with two users (both have the password insecure). One is a member of a group called admin, and the other has no group memberships. See the Exploring section to see how group membership can be used for access control.

Creating a user

You will need to create a new user and add them to authelia/users.yml. As a convenience, you can run the command

$ bin/create-new-user
Enter username:
...

which will prompt for the user's information, and add an entry to the user file (with a hashed password).

Make sure to remove the default users before deploying!

Exploring

Note: When run locally (e.g. on localhost), Traefik uses a self-signed TLS certificate, so web-browser security warnings are expected and can be safely bypassed. When deployed on any other domain, it will use Let's Encrypt certificates.

To explore, navigate to:

  • https://traefik.docker.localhost (Traefik configuration dashboard)
    • Requires login: see the Users section for more information.
  • https://whoami.docker.localhost ("Hello world" example)
  • https://secure.docker.localhost ("Hello world" example demonstrating ACLs and 2FA)
    • See the Users section for more information about the default users.
    • See the access_control section of authelia/configuration.yml to understand how access is configured.
    • First, attempt to log in with the user user-changeme. Access should be denied, because the user isn't a member of the required group.
    • Next, go to auth.docker.localhost and log out.
    • Then, go back to secure.docker.localhost to log in with user admin-changeme. Access should be granted, based on user group.
      • See the Users section for information on how 2FA is configured by default.
  • https://auth.docker.localhost (SSO Auth service)
  • https://traefik.docker.localhost/nonexistent (This page doesn't exist, and is therefore re-routed to a custom error page)
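As an added example (not the project's own authelia/users.yml or configuration.yml), here is how the walkthrough above and the Users section fit together: users carry group memberships, and the access_control rules grant secure.docker.localhost only to the admin group after second-factor authentication. Display names, e-mail addresses, the password hashes and the exact rule set are placeholders/assumptions modelled on the behaviour the README describes.

```yaml
# Added example; values marked CHANGEME/placeholder are not from the project.
# ---- authelia/users.yml ----
users:
  admin-changeme:
    displayname: "Admin (CHANGEME)"
    # bin/create-new-user writes an argon2id hash here; never a plaintext password
    password: "$argon2id$v=19$m=65536,t=3,p=4$PLACEHOLDER_SALT$PLACEHOLDER_HASH"
    email: admin@example.com          # placeholder
    groups:
      - admin                          # membership is what the ACL below keys on
  user-changeme:
    displayname: "User (CHANGEME)"
    password: "$argon2id$v=19$m=65536,t=3,p=4$PLACEHOLDER_SALT$PLACEHOLDER_HASH"
    email: user@example.com           # placeholder
    groups: []                         # no groups -> denied wherever a group is required

# ---- authelia/configuration.yml (access_control section only) ----
access_control:
  default_policy: deny                 # anything without an explicit rule is refused
  rules:
    # Walkthrough host: 2FA *and* admin group. user-changeme is authenticated but
    # matches no rule, so the default_policy (deny) applies.
    - domain: secure.docker.localhost
      policy: two_factor
      subject:
        - "group:admin"
    # Dashboard: same requirement (assumed; README only says it requires login)
    - domain: traefik.docker.localhost
      policy: two_factor
      subject:
        - "group:admin"
    # "Hello world" host: authenticate, but any user will do (assumed)
    - domain: whoami.docker.localhost
      policy: one_factor
```

Rules are evaluated top to bottom and the first match wins, so keep the most restrictive hosts listed explicitly rather than relying on a broad wildcard rule above them.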

Testing

Run the test suite locally via

.github/scripts/test.sh

traefik-proxy's People

Contributors

dependabot-preview[bot], dependabot[bot], jamescurtin, jlcummings, renovate-bot, renovate[bot]

traefik-proxy's Issues

make fails during the docker build phase of handle-errors using Go v1.16

Running make results in a build failure, using
Go: go version go1.16.2 linux/amd64

49a2b4b8f08b8bb57b6e826a4888dff36a607e33b8a779a76b06d534b3897acb
Created network traefik
Building docker images...
redis uses an image, skipping
whoami uses an image, skipping
docker-socket-proxy uses an image, skipping
openldap uses an image, skipping
postgres uses an image, skipping
authelia uses an image, skipping
traefik uses an image, skipping
Building handle-errors
[+] Building 38.1s (10/14)
 => [internal] load build definition from Dockerfile                                   0.1s
 => => transferring dockerfile: 662B                                                   0.0s
 => [internal] load .dockerignore                                                      0.1s
 => => transferring context: 2B                                                        0.0s
 => [internal] load metadata for docker.io/library/golang:alpine                       3.3s
 => [auth] library/golang:pull token for registry-1.docker.io                          0.0s
 => [builder 1/5] FROM docker.io/library/golang:alpine@sha256:3411aef9ae9cb0fe3534fe  31.8s
 => => resolve docker.io/library/golang:alpine@sha256:3411aef9ae9cb0fe3534fe2a4d1a974  0.0s
 => => sha256:12d5f94cd4d2840e538e82e26a5dfddf711b30cc98a9f6e01bcf65d 1.36kB / 1.36kB  0.0s
 => => sha256:19b59f0222410f71faae89932a13c75635f147de093c7a014931f50 5.18kB / 5.18kB  0.0s
 => => sha256:448433d692de67fadc3e270369294f10bbc32683e28e4144e7d 281.27kB / 281.27kB  0.3s
 => => sha256:7c2a3d42746fcfc7f036d78c91f23a708eccc332efd705161238e6aafc5 153B / 153B  0.2s
 => => sha256:f6d283d788a6f5f59325116bda7d61102a1bc7f74d902d617e 105.69MB / 105.69MB  21.7s
 => => sha256:3411aef9ae9cb0fe3534fe2a4d1a9745d952d9a5ed1e20a11ff1054 1.65kB / 1.65kB  0.0s
 => => sha256:757f90a0dc844e1ca0ce652556adf5fddaaab3b13d949b52fc384525af8 156B / 156B  0.4s
 => => extracting sha256:448433d692de67fadc3e270369294f10bbc32683e28e4144e7d2d2fedbf6  0.8s
 => => extracting sha256:7c2a3d42746fcfc7f036d78c91f23a708eccc332efd705161238e6aafc55  0.0s
 => => extracting sha256:f6d283d788a6f5f59325116bda7d61102a1bc7f74d902d617ed62cf90c58  9.3s
 => => extracting sha256:757f90a0dc844e1ca0ce652556adf5fddaaab3b13d949b52fc384525af8c  0.0s
 => [internal] load build context                                                      0.1s
 => => transferring context: 15.21kB                                                   0.0s
 => [builder 2/5] RUN adduser     --disabled-password     --gecos ""     --home "/non  2.1s
 => [builder 3/5] WORKDIR /go/src                                                      0.1s
 => [builder 4/5] COPY main.go ./                                                      0.1s
 => ERROR [builder 5/5] RUN CGO_ENABLED=0 go build     -ldflags='-w -s -extldflags "-  0.4s
------
 > [builder 5/5] RUN CGO_ENABLED=0 go build     -ldflags='-w -s -extldflags "-static"' -a     -o /go/bin/serve .:
#10 0.415 go: go.mod file not found in current directory or any parent directory; see 'go help modules'
------
executor failed running [/bin/sh -c CGO_ENABLED=0 go build     -ldflags='-w -s -extldflags "-static"' -a     -o /go/bin/serve .]: exit code: 1
ERROR: Service 'handle-errors' failed to build
make: *** [Makefile:14: .build] Error 1

Go as of v1.11 appears to understand and by default require a go.mod file describing the module being built, to eliminate the need for $GOPATH. As a non-expert in Go, it appears that between v1.11 and v1.16, $GO111MODULE could be used to circumvent the default expectation; however, going forward with v1.17 it seems like that will no longer be an option.

New module changes in Go 1.16

Perhaps addressing this would suggest the need for a separate repository for the error handler. However, for purposes of demonstration, even if not best practice, simply adding a basic module definition file and referencing it in the necessary build step of the handle-errors/Dockerfile would be sufficient. In my local environment that seems to be enough to allow the project to again build with my tool-chain and nominally exercise the expected features. I'll offer a pull request shortly.

Dependency Dashboard

This issue lists Renovate updates and detected dependencies. Read the Dependency Dashboard docs to learn more.

This repository currently has no open or pending branches.

Detected dependencies

docker-compose
docker-compose.labels.yml
docker-compose.yml
  • authelia/authelia 4.38.10
  • tecnativa/docker-socket-proxy 0.2.0
  • postgres 16.4-alpine
  • redis 7.4.0-alpine
  • traefik v3.1.2
  • traefik/whoami v1.10
  • traefik/whoami v1.10
dockerfile
handle-errors/Dockerfile
  • golang 1.22-alpine
github-actions
.github/workflows/lint.yaml
  • actions/checkout v4.1.7
  • actions/setup-python v5
  • actions/checkout v4.1.7
  • ludeeus/action-shellcheck 2.0.0
  • actions/checkout v4.1.7
  • actions/setup-go v5
.github/workflows/test.yaml
  • actions/checkout v4.1.7
gomod
handle-errors/go.mod
  • go 1.19
