
Proof of concept for lua-resty-openidc as a Traefik forward auth server

Primary language: Lua. License: Creative Commons Zero v1.0 Universal (CC0-1.0).

traefik-idc-demo

Background

NOTE: This repository contains a submodule pointing to my fork of lua-resty-openidc. Please run git submodule update --init --recursive after cloning the repository, or use the --recurse-submodules flag when cloning.

In their current state, the provided compose files are for reference only: they assume a more complicated setup specific to my server, which also hosts the demo, and therefore will not work anywhere else without modification.

The auth.lua script was written to slightly modularise the added authentication-bypass functionality (work in progress; disabled, with examples), which lets the forward auth server skip OIDC authentication based on the client IP and the requested domain. Alternatively, the configuration can be inserted directly into default.conf as per the official lua-resty-openidc instructions, with careful adaptation of the HTTP status code handling that forward auth servers require.
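As an added illustration of that status code handling (example code, not this repository's auth.lua), the handler below wraps lua-resty-openidc's authenticate() for a Traefik forward auth endpoint: Traefik treats only a 2xx reply as "allow" and returns any other response to the client, so the library's login redirect is passed through unchanged while library errors are turned into a deny rather than a 500. The /auth location, the identity provider URL, the client credentials, the assumption that Traefik routes the redirect_uri path directly to this OpenResty server, and the X-Forwarded-User header name are all placeholders or assumptions.

```lua
-- Added example, not part of the repository. Assumed nginx wiring:
--   location = /auth { access_by_lua_block { require("auth").check() } }
local openidc = require("resty.openidc")

local _M = {}

-- Placeholder values: take the real ones from your identity provider registration.
local opts = {
  redirect_uri  = "/redirect_uri",  -- assumed to be routed to this server by Traefik
  discovery     = "https://IDP_PLACEHOLDER/.well-known/openid-configuration",
  client_id     = "CLIENT_ID_PLACEHOLDER",
  client_secret = "CLIENT_SECRET_PLACEHOLDER",
  scope         = "openid email profile",
}

-- Traefik forwards the original request's scheme, host and path in these
-- headers; ngx.var.request_uri would only be the forward auth path (/auth),
-- so the post-login target must be rebuilt from them.
local function original_url()
  local h = ngx.req.get_headers()
  local host = h["X-Forwarded-Host"]
  if not host then return nil end
  return (h["X-Forwarded-Proto"] or "https") .. "://" .. host .. (h["X-Forwarded-Uri"] or "/")
end

function _M.check()
  local target = original_url()
  if not target then
    -- Not a forward auth request from Traefik: refuse instead of guessing a target.
    ngx.status = ngx.HTTP_BAD_REQUEST
    return ngx.exit(ngx.HTTP_BAD_REQUEST)
  end

  -- With unauth_action left nil, an unauthenticated browser gets a 302 to the
  -- IdP; Traefik hands that non-2xx response straight back to the client.
  local res, err = openidc.authenticate(opts, target)
  if err then
    -- The upstream example answers errors with 500; a forward auth server only
    -- needs to deny, so log the detail and return 403 without leaking it.
    ngx.log(ngx.ERR, "openidc: ", err)
    ngx.status = ngx.HTTP_FORBIDDEN
    return ngx.exit(ngx.HTTP_FORBIDDEN)
  end

  -- 2xx grants access; this header reaches the backend only if it is listed
  -- in the middleware's authResponseHeaders.
  ngx.header["X-Forwarded-User"] = res.id_token.sub
  return ngx.exit(ngx.HTTP_OK)
end

return _M
```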

Compose files

docker-compose.yml [Tested] [Active]

  • Expects an external Traefik container that is watching Docker changes; needs network access to OpenResty.
  • Includes its own OpenResty instance as the forward auth server; needs internet access to the identity provider.
  • Includes an internal Traefik container that is currently set up to run behind another external Traefik container, where the latter provides ACME/TLS termination. Its command section gives an idea of the minimal configuration Traefik requires.
  • In production, both Traefik and the OpenResty auth server would likely be external. This file therefore shows only the configuration a protected service itself requires, and is closest to what I have experimentally deployed.

Live demo

Visit the protected endpoint and login with test:test.