Now that we have Traefik deployed, automatically exposing SSL access to our Docker Swarm services using LetsEncrypt wildcard certificates, let's pause to consider that we may not want some services exposed directly to the internet...
This is a companion discussion topic for the original entry at https://geek-cookbook.funkypenguin.co.nz/ha-docker-swarm/traefik-forward-auth/
From my Point of view the foward-auth offers a wider variety of whitelist options EG whitelist by email, by IP even with certain time of the day. And it looks nicer than oauth. As far as I know both will work fine though
Some changes to the env variable names in the example for the traefik-forward-auth version used here (2.1.0). These two will break the container unless changed:
GOOGLE_CLIENT_ID becomes PROVIDERS_GOOGLE_CLIENT_ID
GOOGLE_CLIENT_SECRET becomes PROVIDERS_GOOGLE_CLIENT_SECRET
This one will raise a warning in the logs that its depreciated, but wont break it (yet, at 2.1.0):
COOKIE_DOMAINS becomes COOKIE_DOMAIN
link to “Forward Authentication” has changed, now it’s https://docs.traefik.io/middlewares/forwardauth/
I’m trying to setup kc with traefik proxy for applications that aren’t able to authenticate users themselves.
But I have issues. I’ve described them here (redirects loop between proxy and keycloak), please take a look:
Many thanks in advance.