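---
# Edge reverse proxy (Traefik) plus an OIDC forward-auth gate in front of the
# Traefik dashboard.
#
# Trust model as written here:
#   * Traefik is the TLS terminator and the only thing listening on 80/443.
#   * forward-auth (thomseddon/traefik-forward-auth) talks to an Ory Hydra
#     instance at HYDRA_PUBLIC_URL and issues a signed session cookie.
#   * Any router that must require a login has to reference the
#     `auth-forward@docker` middleware defined on the forward-auth service.
#     A router without it is reachable by anyone who can hit ports 80/443.
#
# Required environment (no defaults on purpose):
#   TRAEFIK_FORWARD_AUTH_CLIENT_SECRET  OAuth client secret registered in Hydra
#   TRAEFIK_FORWARD_AUTH_COOKIE_SECRET  key used to sign the session cookie
services:
  traefik:
    image: traefik:v3.7.5
    container_name: traefik
    restart: unless-stopped
    # Block setuid/setgid privilege escalation inside the container; Traefik
    # does not need it to bind its ports.
    security_opt:
      - "no-new-privileges:true"
    ports:
      - "80:80"
      - "443:443"
    volumes:
      # NOTE(review): mounting the Docker socket gives this internet-facing
      # process control of the Docker daemon (container create/exec is
      # equivalent to host root). The `:ro` flag only makes the socket *file*
      # read-only; it does not restrict the API calls sent over the socket.
      # A socket-filtering proxy that exposes only the read-only endpoints the
      # Docker provider needs is the usual mitigation.
      - /var/run/docker.sock:/var/run/docker.sock:ro
      # acme.json stores the private keys of every issued certificate. Traefik
      # creates it with mode 0600 and refuses to start if it is more
      # permissive; keep ./letsencrypt out of version control and backups that
      # are not encrypted.
      - ./letsencrypt:/letsencrypt
    command:
      # The dashboard is only served through the `traefik-dashboard` router
      # below (no --api.insecure), so it is always behind TLS and forward-auth.
      - "--api.dashboard=true"
      - "--providers.docker=true"
      # Containers are published only when they carry traefik.enable=true.
      - "--providers.docker.exposedbydefault=false"
      - "--providers.docker.network=traefik-public"
      - "--entrypoints.web.address=:80"
      - "--entrypoints.websecure.address=:443"
      # Plain HTTP is kept only for the ACME HTTP-01 challenge; everything
      # else on :80 is redirected to HTTPS.
      - "--entrypoints.web.http.redirections.entryPoint.to=websecure"
      - "--entrypoints.web.http.redirections.entryPoint.scheme=https"
      - "--certificatesresolvers.myresolver.acme.httpchallenge=true"
      - "--certificatesresolvers.myresolver.acme.httpchallenge.entrypoint=web"
      - "--certificatesresolvers.myresolver.acme.email=${TRAEFIK_ACME_EMAIL:-admin@hmac.kr}"
      - "--certificatesresolvers.myresolver.acme.storage=/letsencrypt/acme.json"
      # Access logs are not enabled here; `--accesslog=true` is worth adding
      # if login attempts against the dashboard need to be auditable.
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.traefik-dashboard.rule=Host(`${TRAEFIK_DASHBOARD_HOST:-traefik.brsw.kr}`)"
      - "traefik.http.routers.traefik-dashboard.service=api@internal"
      - "traefik.http.routers.traefik-dashboard.entrypoints=websecure"
      - "traefik.http.routers.traefik-dashboard.tls.certresolver=myresolver"
      # The dashboard exposes the full routing and middleware configuration;
      # it must never be published without this middleware.
      - "traefik.http.routers.traefik-dashboard.middlewares=auth-forward@docker"
    networks:
      - traefik-public

  forward-auth:
    image: thomseddon/traefik-forward-auth:2.2.0
    container_name: forward-auth
    restart: unless-stopped
    security_opt:
      - "no-new-privileges:true"
    environment:
      - LOG_LEVEL=${TRAEFIK_FORWARD_AUTH_LOG_LEVEL:-info}
      - DEFAULT_PROVIDER=generic-oauth
      # All three endpoints must be HTTPS in production: the token exchange
      # carries the client secret and the userinfo call carries the access
      # token.
      - PROVIDERS_GENERIC_OAUTH_AUTH_URL=${HYDRA_PUBLIC_URL:-https://app.brsw.kr/oidc}/oauth2/auth
      - PROVIDERS_GENERIC_OAUTH_TOKEN_URL=${HYDRA_PUBLIC_URL:-https://app.brsw.kr/oidc}/oauth2/token
      - PROVIDERS_GENERIC_OAUTH_USER_URL=${HYDRA_PUBLIC_URL:-https://app.brsw.kr/oidc}/userinfo
      - PROVIDERS_GENERIC_OAUTH_CLIENT_ID=${TRAEFIK_FORWARD_AUTH_CLIENT_ID:-traefik-forward-auth}
      # `${VAR:?msg}` makes `docker compose` abort when the variable is unset
      # or empty. With plain `${VAR}` an unset secret silently expands to ""
      # and only produces a warning.
      - PROVIDERS_GENERIC_OAUTH_CLIENT_SECRET=${TRAEFIK_FORWARD_AUTH_CLIENT_SECRET:?TRAEFIK_FORWARD_AUTH_CLIENT_SECRET must be set}
      - PROVIDERS_GENERIC_OAUTH_SCOPE=openid profile email
      # Key used to sign the session cookie; anyone holding it can mint valid
      # sessions for any identity. Rotate it to invalidate all sessions.
      - SECRET=${TRAEFIK_FORWARD_AUTH_COOKIE_SECRET:?TRAEFIK_FORWARD_AUTH_COOKIE_SECRET must be set}
      # NOTE(review): nothing here restricts *who* may log in. Every account
      # the Hydra instance accepts passes this gate. If the IdP allows
      # self-service sign-up, add an allow-list (forward-auth's WHITELIST /
      # DOMAIN options) before exposing anything sensitive behind it.
      - AUTH_HOST=${TRAEFIK_FORWARD_AUTH_HOST:-app.brsw.kr}
      # The session cookie is scoped to the parent domain so one login covers
      # every subdomain. That also means every host under this domain can read
      # and overwrite the cookie; the signature prevents forgery without
      # SECRET, but all of those hosts are inside the session trust boundary.
      - COOKIE_DOMAIN=${TRAEFIK_COOKIE_DOMAIN:-brsw.kr}
      - URL_PATH=${TRAEFIK_FORWARD_AUTH_URL_PATH:-/_oauth}
      # false => cookie carries the Secure flag; keep it false in production.
      - INSECURE_COOKIE=${TRAEFIK_FORWARD_AUTH_INSECURE_COOKIE:-false}
      # Session lifetime in seconds (43200 = 12 h).
      - LIFETIME=${TRAEFIK_FORWARD_AUTH_LIFETIME:-43200}
    labels:
      - "traefik.enable=true"
      - "traefik.http.services.forward-auth.loadbalancer.server.port=4181"
      # Plain HTTP is acceptable here only because the call stays on the
      # internal traefik-public network.
      - "traefik.http.middlewares.auth-forward.forwardauth.address=http://forward-auth:4181"
      # NOTE(review): Traefik is the edge here and its entrypoints do not
      # enable `forwardedHeaders`, so the X-Forwarded-* values handed to
      # forward-auth are the ones Traefik sets itself. If Traefik is ever
      # placed behind another proxy with `forwardedHeaders.insecure=true`,
      # client-spoofed X-Forwarded-Host/Proto would reach forward-auth and
      # influence the redirect URLs it builds.
      - "traefik.http.middlewares.auth-forward.forwardauth.trustForwardHeader=true"
      # Identity is passed to backends in X-Forwarded-User. Backends that trust
      # this header should only be reachable through routers that apply the
      # middleware; on a router without it the header presumably arrives
      # unmodified from the client.
      - "traefik.http.middlewares.auth-forward.forwardauth.authResponseHeaders=X-Forwarded-User"
      # OAuth callback endpoint. Deliberately NOT behind the auth middleware,
      # otherwise the login redirect would loop.
      - "traefik.http.routers.forward-auth.rule=Host(`${TRAEFIK_FORWARD_AUTH_HOST:-app.brsw.kr}`) && PathPrefix(`${TRAEFIK_FORWARD_AUTH_URL_PATH:-/_oauth}`)"
      - "traefik.http.routers.forward-auth.entrypoints=websecure"
      - "traefik.http.routers.forward-auth.tls.certresolver=myresolver"
    networks:
      - traefik-public

networks:
  # Shared ingress network; must exist before `docker compose up`
  # (`docker network create traefik-public`). Only containers attached to it
  # are reachable by Traefik.
  traefik-public:
    external: true
    name: traefik-public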