diff --git a/docs/examples/docker/idp-authentik-traefik/README.md b/docs/examples/docker/idp-authentik-traefik/README.md
index 6b0d1b1d..8034ac0f 100644
--- a/docs/examples/docker/idp-authentik-traefik/README.md
+++ b/docs/examples/docker/idp-authentik-traefik/README.md
@@ -1,8 +1,7 @@
 > [!WARNING]
 > I am unable to guarantee the quality, safety, and security of anything in this folder; it is a combination of examples I found online. Please submit corrections or improvements 🙏
-> [!WARNING]
-> does not work yet... if you are able to fix this, please do!
+This example should be enough to get things working. I have confirmed this basic config personally. User creation and management work, however once a user is passed through to copy party, manual editing of the config file will be needed to control new users. i.e. anyone you let through your SSO portal will be granted basic/default settings and permissions, unless manually configured otherwise.
 this is based on:
 * https://goauthentik.io/docker-compose.yml
diff --git a/docs/examples/docker/idp-authentik-traefik/cpp/copyparty.conf b/docs/examples/docker/idp-authentik-traefik/cpp/copyparty.conf
index b0583696..afdad42f 100644
--- a/docs/examples/docker/idp-authentik-traefik/cpp/copyparty.conf
+++ b/docs/examples/docker/idp-authentik-traefik/cpp/copyparty.conf
@@ -20,12 +20,17 @@
   e2ts  # enable multimedia indexing
   ansi  # enable colors in log messages
+  # if we are confident that we got the docker-network config correct
+  # (meaning copyparty is only accessible through traefik, and
+  # traefik makes sure that all requests go through authelia),
+  # then accept X-Forwarded-For and IdP headers from any private IP:
+  xff-src: lan
+
   # enable IdP support by expecting username/groupname in
   # http-headers provided by the reverse-proxy; header "X-IdP-User"
   # will contain the username, "X-IdP-Group" the groupname
-  idp-h-usr: x-idp-user
-  idp-h-grp: x-idp-group
-
+  idp-h-usr: X-authentik-username
+  idp-h-grp: X-authentik-groups
 [/]  # create a volume at "/" (the webroot), which will
   /w  # share /w (the docker data volume, which is mapped to /srv/pub on the host in docker-compose.yml)
diff --git a/docs/examples/docker/idp-authentik-traefik/docker-compose.yml b/docs/examples/docker/idp-authentik-traefik/docker-compose.yml
index 7ddf1a9d..c649e0be 100644
--- a/docs/examples/docker/idp-authentik-traefik/docker-compose.yml
+++ b/docs/examples/docker/idp-authentik-traefik/docker-compose.yml
@@ -21,7 +21,7 @@ services:
       - 'traefik.enable=true'
       - 'traefik.http.routers.fs.rule=Host(`fs.example.com`)'
       - 'traefik.http.routers.fs.entrypoints=http'
-      #- 'traefik.http.routers.fs.middlewares=authelia@docker'  # TODO: ???
+      - 'traefik.http.routers.fs.middlewares=ak-forwardauth@docker'  # using authentik built-in docker outpost
     stop_grace_period: 15s  # thumbnailer is allowed to continue finishing up for 10s after the shutdown signal
     environment:
       LD_PRELOAD: /usr/lib/libmimalloc-secure.so.NOPE
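Review bot: The unchanged comment block directly above the new `idp-h-usr`/`idp-h-grp` values still says the proxy supplies "X-IdP-User" and "X-IdP-Group", and the new `xff-src` comment says traefik sends requests through authelia, so both comments now contradict the authentik headers this hunk configures. Suggest `# http-headers provided by the reverse-proxy; header "X-authentik-username"` / `# will contain the username, "X-authentik-groups" the groupname` for the old block, and `# traefik makes sure that all requests go through authentik),` in the new one. Because `xff-src: lan` makes copyparty accept these identity headers from any private address, the precondition the comment mentions in passing (copyparty reachable only through traefik, i.e. no published ports and only the proxy network) is the whole trust boundary of this example and should be phrased as a hard requirement, e.g. `# REQUIRED: copyparty must not publish any ports of its own, otherwise a LAN client can set these headers directly`.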
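Review bot: The `ak-forwardauth@docker` reference on the `fs` router is the only thing that keeps the X-authentik-* headers copyparty now trusts from being client-supplied, yet the inline comment does not say where the middleware is declared or what happens if it is not found. As far as I can tell traefik disables a router whose middleware does not exist rather than serving it unprotected, which is worth stating, e.g. `# declared via labels on authentik_server below; if that middleware is missing, traefik disables this router (fails closed)`. Any further router later placed on the proxy network needs the same middleware, since only the outpost sets those headers, so a second line such as `# every router on the proxy network must carry this middleware` would help future copies of this example.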
@@ -29,9 +29,11 @@ services:
       PYTHONUNBUFFERED: 1  # ensures log-messages are not delayed (but can reduce speed a tiny bit)
+    networks:
+      - proxy
   traefik:
-    image: traefik:v2.11
+    image: traefik:latest
     container_name: traefik
     volumes:
       - /var/run/docker.sock:/var/run/docker.sock  # WARNING: this gives traefik full root-access to the host OS, but is recommended/required(?) by traefik
@@ -44,6 +46,12 @@ services:
       - '--providers.docker=true'
       - '--providers.docker.exposedByDefault=false'
       - '--entrypoints.web.address=:80'
+    labels:
+      - "traefik.enable=true"
+      #To allow for custom headers to be forwarded
+      - "traefik.http.middlewares.sslheader.headers.customrequestheaders.X-Forwarded-Proto=https"
+    networks:
+      - proxy
   postgresql:
     image: docker.io/library/postgres:12-alpine
@@ -63,6 +71,8 @@ services:
       POSTGRES_DB: authentik
     env_file:
       - .env
+    networks:
+      - authentik-backend
   redis:
     image: docker.io/library/redis:alpine
@@ -77,6 +87,8 @@ services:
       timeout: 3s
     volumes:
       - redis:/data:z
+    networks:
+      - authentik-backend
   authentik_server:
     image: ghcr.io/goauthentik/server:2024.2.1
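Review bot: `image: traefik:latest` replaces the pinned `traefik:v2.11`, so the example stops being reproducible and will silently follow whatever major version `latest` points at, which can change the static-config surface the `command` list relies on; keep a pinned tag, e.g. the version you actually tested, `image: traefik:v2.11`. The copyparty service joining `proxy` is fine only if that service publishes no `ports:` of its own, which is above this hunk and cannot be confirmed here; with `xff-src: lan` in copyparty.conf, any direct reach from the LAN would let a client supply the X-authentik-* headers itself, so a comment like `# do NOT add ports: here; copyparty must only be reachable through traefik` next to `networks:` would make the constraint explicit.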
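Review bot: The `sslheader` middleware declared on the traefik container is not attached to any router in this diff, and `traefik.enable=true` on the traefik service itself creates no router, so both labels look like leftovers from an upstream example; unless a router outside the diff references `sslheader@docker`, drop them. If it is kept, note that unconditionally stamping `X-Forwarded-Proto=https` on requests that arrived on the plain `:80` entrypoint tells backends the hop was TLS, which affects Secure-cookie and redirect decisions, so it should only be attached to routers on a TLS entrypoint. Comment style: `# To allow for custom headers to be forwarded` (space after `#`).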
@@ -100,6 +112,30 @@ services:
     depends_on:
       - postgresql
       - redis
+    labels:
+      # Https setup with Cloudflare as DNS provider for certresolver
+      - "traefik.enable=true"
+      - "traefik.http.routers.authentik.entrypoints=http"
+      - "traefik.http.routers.authentik.rule=Host(`auth.example.com`)"
+      - "traefik.http.middlewares.authentik-https-redirect.redirectscheme.scheme=https"
+      - "traefik.http.routers.authentik.middlewares=authentik-https-redirect"
+      - "traefik.http.routers.authentik-secure.entrypoints=https"
+
+      - "traefik.http.routers.authentik-secure.rule=Host(`auth.example.com`)"
+      - "traefik.http.routers.authentik-secure.tls=true"
+      - "traefik.http.routers.authentik-secure.tls.certresolver=cloudflare"
+      - "traefik.http.routers.authentik-secure.service=authentik"
+      - "traefik.http.services.authentik.loadbalancer.server.port=9000"
+      - "traefik.docker.network=proxy"
+
+      # ForwardAuth middleware → embedded outpost (internal URL!) will work for all services on the same docker network
+      - "traefik.http.middlewares.ak-forwardauth.forwardauth.address=http://authentik-server:9000/outpost.goauthentik.io/auth/traefik"
+      - "traefik.http.middlewares.ak-forwardauth.forwardauth.trustForwardHeader=true"
+      # Choose which headers you want forwarded to the backend
+      - "traefik.http.middlewares.ak-forwardauth.forwardauth.authResponseHeaders=X-authentik-username,X-authentik-groups,X-authentik-entitlements,X-authentik-email,X-authentik-name,X-authentik-uid"
+    networks:
+      - proxy
+      - authentik-backend
   authentik_worker:
     image: ghcr.io/goauthentik/server:2024.2.1
@@ -129,3 +165,10 @@ services:
     depends_on:
       - postgresql
       - redis
+    networks:
+      - proxy
+      - authentik-backend
+networks:
+  proxy:
+    external: true
+  authentik-backend:
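Review bot: The forwardauth address targets host `authentik-server` (hyphen) while the compose service is named `authentik_server` (underscore); on the compose network the service name is what resolves, so unless `container_name` or `hostname: authentik-server` is set in the part of the service above this hunk, every forwardauth call fails and traefik returns an error for copyparty (fails closed, but unusable) — either match the service name in the address or add `hostname: authentik-server` to the service. The `authentik-secure` router also relies on an `https` entrypoint and a `cloudflare` certresolver, neither of which appears in the traefik `command` list shown in this diff (only `--entrypoints.web.address=:80`); if they are not defined elsewhere, traefik rejects that router and the `# Https setup with Cloudflare` comment describes config that does not exist. Style: the stray blank line inside the label list after `authentik-secure.entrypoints=https` splits one router's labels across two groups and should be removed.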
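Review bot: `authentik_worker` is attached to the `proxy` network although nothing in this diff routes HTTP to it; the worker only needs `authentik-backend` to reach postgres and redis, so keeping it off `proxy` limits which containers share a network with the reverse proxy (least exposure), unless the worker needs that network for a reason not shown here. In the top-level `networks:` block, `authentik-backend:` with a bare empty value parses as `null`, which Compose tolerates but yamllint flags; write `authentik-backend: {}` to make the default-network intent explicit. Since `proxy` is declared `external: true`, the README (outside this hunk) should state that it must be created before `docker compose up`.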