Now that we have Traefik deployed, automatically exposing SSL access to our Docker Swarm services using LetsEncrypt wildcard certificates, let's pause to consider that we may not want some services exposed directly to the internet...
Thanks for the excellent write-up!
In the conditions you mention for the workaround, authentication is required for the whole domain. Is there a way to scope it to authenticate only the subdomain and all paths for it?
Imagine I want to run a multitenant authentication setup, and authenticate customerA to customerA.example.com/…
and customerB to customerB.example.com/…, without allowing them access to the endpoints associated with another customers subdomain.
Is this supported?
Yes, I’m doing this for a client, although we use Kubernetes. So each tenant gets an isolated namespace, and each tenant gets their own instance of TFA customized for their OIDC config. We define middleware per-tenant, and apply this middleware to all the services for their domain.
What I like about this solution is there are multiple levels of “locking down”… i.e., it’s impossible to misconfigure a TFA and accidentally give tenantA access to tenantB’s services, since by the time the traffic hits tenantA’s TFA, it’s not able to go anywhere else 
It might seem wasteful to run a TFA per-tenant, but in practice, as measured, TFA consumes 0.001 vCPU and 8Mi RAM, so we’re not bothered!
Thats great, I had been hoping to do pretty much the same thing.
Do you still use the mesosphere TFA, or can you make do with the middleware that has seemingly been built into Traefik?
Ooh, I’m still using GitHub - thomseddon/traefik-forward-auth: Minimal forward authentication service that provides Google/OpenID oauth based login and authentication for the traefik reverse proxy actually… TIL!
I don’t know what middleware Traefik itself has, I thought it’s “ForwardAuth” middleware was basically just the thing you pointed at an external endpoint to perform the auth (like TFA)