
traefik-auth-cloudflare's Introduction

traefik-auth-cloudflare

Forward auth server to verify Cloudflare Access JWT tokens with traefik


Description

traefik-auth-cloudflare is designed to be a forward auth server for traefik and Cloudflare Access.

When forwarding a user's request to your application, Cloudflare Access includes a signed JWT as an HTTP header. This JWT must be verified to ensure the request was signed by Cloudflare and actually passed through its servers, rather than reaching your origin directly.

Documentation on how to validate the JWT can be found at https://developers.cloudflare.com/access/setting-up-access/validate-jwt-tokens/.

Using traefik-auth-cloudflare, you can configure your traefik instance to correctly authenticate Cloudflare Access requests, and you can serve multiple authenticated applications from a single instance.

Example

Look in the example directory to find example docker-compose.yml and traefik.toml files.

How to use

  • Start an instance of traefik-auth-cloudflare in the same docker network as traefik. Ideally this is a distinct network from your applications.

    # create network for traefik->traefik-auth-cloudflare communication
    $ docker network create traefik-auth

    # start traefik-auth-cloudflare (default port is 8080)
    # you need to set the auth domain you configured on cloudflare
    $ docker run -d --network traefik-auth --name traefik-auth-cloudflare akohlbecker/traefik-auth-cloudflare --auth-domain https://foo.cloudflareaccess.com

    # add traefik to your `traefik-auth` docker network (left to the reader)
    $ docker network connect traefik-auth TRAEFIK_CONTAINER

  • Configure your router to authenticate requests using traefik-auth-cloudflare

    # start your app with auth settings
    # the Application Audience (aud) tag needs to be set as a URL parameter: `/auth/{audience}`
    $ docker run \
      --label "traefik.http.routers.myapp.middlewares=myapp-auth@docker" \
      --label "traefik.http.middlewares.myapp-auth.forwardauth.address=http://traefik-auth-cloudflare:8080/auth/a83fd537ee93f21e86e51ab3c88f84ef07fd388865c7d0c3236947a8cf79daf5" \
      ....

  • Optionally, configure traefik to forward the authenticated user header to your application

    # start your app with auth user forward
    # the http header is `X-Auth-User`
    $ docker run \
      --label "traefik.http.middlewares.myapp-auth.forwardauth.authResponseHeaders=X-Auth-User" \
      ....

traefik-auth-cloudflare's People

Contributors

adrienkohlbecker, bojanzelic, ciffelia


traefik-auth-cloudflare's Issues

Can I see more detailed logs somewhere?

Is there any way to tell if I am hitting the traefik-auth-cloudflare service? It just shows the following in the logs:

Authentication domain: https://{domain}.cloudflareaccess.com
2022/01/20 14:21:53 Listening on :8080

I can't figure out if my problem is access is denied, or it is because my connection to the auth service is not correct.

I fixed this. I was running the service on an internal docker network, and traefik was not able to access it on the hostname. Putting the service in the overlay network that traefik is using made it work perfectly. I think this might be a swarm-specific problem, but I am not sure.

Thanks for this tool!

Can't `go install` the binary

When attempting to build an image that uses this utility, I ran into an error when trying to install it via go install:

$ docker run --rm -it golang:1.18-alpine3.15 /bin/sh
$ go install github.com/adrienkohlbecker/[email protected]
go: downloading github.com/adrienkohlbecker/traefik-auth-cloudflare v0.0.0-20210816090815-389b9d8fbfa4
go: github.com/adrienkohlbecker/[email protected]: github.com/adrienkohlbecker/[email protected]: parsing go.mod:
        module declares its path as: github.com/ciffelia/traefik-auth-cloudflare
                but was required as: github.com/adrienkohlbecker/traefik-auth-cloudflare

I think #8 broke it at https://github.com/adrienkohlbecker/traefik-auth-cloudflare/pull/8/files#diff-33ef32bf6c23acb95f5902d7097b7a1d5128ca061167ec0716715b0b9eeaa5f6R1

Ability to add bypassed urls

Hello,

First of all thank you for this project, I've been using it for some time now and it works very well and does what it's built for.

I think it would be nice to be able to bypass some URLs. In my case, I have some programs that have APIs. The URLs to access those APIs are marked as Bypassed in Cloudflare Access; however, I can't access them when using traefik-auth-cloudflare because there is no token on those requests. I get denied access.

Do you think it would be possible to add exceptions to the check? I know that we would need to input the bypassed URLs twice, but at least we could access the APIs and validate the token for the rest of the service.

Cheers!

No token on the request

docker compose has the following config:

      - "traefik.backend=my"
      - "traefik.frontend.rule=Host:my.${DOMAINNAME}"
      - "traefik.port=8080"
      - "traefik.docker.network=traefik_proxy"
      - "traefik.frontend.headers.SSLRedirect=true"
      - "traefik.frontend.headers.STSSeconds=315360000"
      - "traefik.frontend.headers.browserXSSFilter=true"
      - "traefik.frontend.headers.contentTypeNosniff=true"
      - "traefik.frontend.headers.forceSTSHeader=true"
      - "traefik.frontend.headers.SSLHost=my.host"
      - "traefik.frontend.headers.STSIncludeSubdomains=true"
      - "traefik.frontend.headers.STSPreload=true"
      - "traefik.frontend.headers.frameDeny=false"

      - "traefik.frontend.auth.forward.address=http://traefik-auth-cloudflare/auth/<audience>"
      - "traefik.frontend.auth.forward.authResponseHeaders=X-Auth-User"

Traefik version: 1.7
traefik.toml:

logLevel = "ERROR" #DEBUG, INFO, WARN, ERROR, FATAL, PANIC
InsecureSkipVerify = true
defaultEntryPoints = ["https", "http"]

# WEB interface of Traefik - it will show web page with overview of frontend and backend configurations
[api]
  entryPoint = "traefik"
  dashboard = true
  address = ":8080"

# Force HTTPS
[entryPoints]
  [entryPoints.http]
  address = ":80"
    [entryPoints.http.redirect]
    entryPoint = "https"
  [entryPoints.https]
  address = ":443"
    [entryPoints.https.tls]

[retry]

[file]
  watch = true
  filename = "/etc/traefik/rules.toml"

# Let's encrypt configuration
[acme]
email = "<my-email>" #any email id will work
storage="/etc/traefik/acme/acme.json"
entryPoint = "https"
acmeLogging=true
onDemand = false #create certificate when container is created
[acme.dnsChallenge]
  provider = "cloudflare"
  delayBeforeCheck = 300
[[acme.domains]]
   main = "<my-domain>"
[[acme.domains]]
   main = "*.<my-domain>"

# Connection to docker host system (docker.sock)
[docker]
endpoint = "unix:///var/run/docker.sock"
domain = "<my-domain>"
watch = true
# This will hide all docker containers that don't have explicitly
# set label to "enable"
exposedbydefault = false

But I get `No token on the request`.
