June 8, 2020
As part of our ongoing effort to improve security, we recently decided to add authentication to some of our Docker containers.
We use Traefik, and I found a great blog post, “Integrating Google OAuth with Traefik”, that uses the “Traefik Forward Auth” project to add Google authentication to Traefik.
That post was a great help and showed us it was possible, but we did things a little differently. They use ‘Auth Host Mode’, whereas we went with ‘Overlay Mode’. The difference is explained in the project's README, but essentially, every domain we want to authenticate has to be added to Google (which isn't a problem when you're only using one).
Creating the Google OAuth app is fairly straightforward, and the post above does a great job of explaining it. We added ours to our organisation and kept it ‘internal’.
Here's where things change. Our setup is a little different: first, in our traefik.yml we added the following to the entrypoints:
I then created a new file for the auth forwarding, rather than adding it to the Traefik config. I called it oauth.yml and put the following in it:
LIFETIME: 2592000 # 30 days
The ‘CLIENT-ID’ and ‘CLIENT-SECRET’ values are provided by Google. The ‘RANDOMLY-GENERATED-SECRET’ can be generated from a terminal with "openssl rand -hex 16" or any other random hex generator. ‘COOKIE_DOMAIN’ is your domain, e.g. example.com, and ‘DOMAIN’ is your e-mail domain; alternatively, you can use the whitelist option to list the e-mail addresses you want to have access.
Finally, for your service to require authentication, just add these lines under ‘labels’:
Now, after everything is deployed, when we go to our service “app.example.com”, we are redirected to Google. After successfully logging in, we are redirected back to our app!
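As an added example (not the author's configuration), here is a complete docker-compose file that wires the pieces above together in Overlay Mode: the forward-auth service holds the settings described for oauth.yml and defines the ForwardAuth middleware once, and the protected service attaches it via labels. The service names, the `websecure` entrypoint, the image tag, the project's default port 4181 and the UPPERCASE placeholders are assumptions.

```yaml
# Added example: Traefik Forward Auth (Google provider) in Overlay Mode.
# Service names, the entrypoint name and all UPPERCASE values are placeholders
# and assumptions, not the author's real settings.
version: "3.7"

services:
  traefik-forward-auth:
    image: thomseddon/traefik-forward-auth:2
    environment:
      # Client credentials issued by Google for the OAuth app.
      - PROVIDERS_GOOGLE_CLIENT_ID=CLIENT-ID
      - PROVIDERS_GOOGLE_CLIENT_SECRET=CLIENT-SECRET
      # Signs the session cookie; generate with: openssl rand -hex 16
      - SECRET=RANDOMLY-GENERATED-SECRET
      # The cookie is scoped to this domain, so every protected subdomain
      # shares one login (Overlay Mode).
      - COOKIE_DOMAIN=example.com
      # Only Google accounts from this e-mail domain are allowed in ...
      - DOMAIN=example.com
      # ... or, instead of DOMAIN, an explicit allow-list of addresses:
      # - WHITELIST=alice@example.com,bob@example.com
      - LIFETIME=2592000 # 30 days
      - LOG_LEVEL=info
    labels:
      # Define the ForwardAuth middleware once, on the auth service itself.
      # Traefik forwards each request here; anything without a valid cookie
      # is redirected to Google, and the /_oauth callback is handled here too.
      - traefik.http.middlewares.google-auth.forwardauth.address=http://traefik-forward-auth:4181
      # Pass the authenticated identity on to the protected service.
      - traefik.http.middlewares.google-auth.forwardauth.authResponseHeaders=X-Forwarded-User

  app:
    image: nginx:alpine   # stands in for the service being protected
    labels:
      - traefik.enable=true
      - traefik.http.routers.app.rule=Host(`app.example.com`)
      - traefik.http.routers.app.entrypoints=websecure
      # Attaching the middleware is what turns authentication on for this router.
      # In Overlay Mode, https://app.example.com/_oauth must also be registered
      # as an authorised redirect URI in the Google app (see above).
      - traefik.http.routers.app.middlewares=google-auth
```

Each additional host you protect needs its own router with the same middleware label and its own /_oauth redirect URI registered in Google, which is the per-domain step the post mentions.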
Experienced developer in various languages, currently product owner of nerd.vision, leading the back-end architecture.