jamescurtin/traefik-proxy

One-step (secure) configuration for Traefik edge router using Authelia for authentication.

Features

Keeping in mind security first, this project ensures:

  • The Docker daemon socket is never mounted to Traefik or any container with external networking (see the risks of exposing the Docker daemon)
  • HTTPS redirection is automatically configured for all routers
  • TLS is always enabled, even locally (can confidently test new services locally without needing a dev config that differs significantly from prod)
  • The Traefik dashboard is never launched in insecure mode

Other features include:

  • Self-hosted SSO authentication (Authelia), including support for security keys and one-time password generators
  • User-friendly 4XX & 5XX status pages
  • Pre-configured file provider (for shared routers and middleware) and Docker provider (for everything else)
  • Centralized configuration via environment variables and Docker secrets

Getting Started

Quickstart

$ git clone https://github.com/jamescurtin/traefik-proxy.git
$ cd traefik-proxy
$ make

Running make creates a .env file and the authelia/secrets directory. The .env file should be updated to include hostnames for any additional hosts that are configured. The authelia/secrets directory contains secrets for configuring all services. If you follow the quickstart and run make, random passwords are generated by default. Otherwise, you must replace the values in authelia/secrets before deploying.

There are additional configuration files that need to be customized before you can deploy in a production environment. All places where customization is necessary are marked with CHANGEME comments.

The command will also create the external Docker network traefik. Other Docker services that you plan to expose via Traefik should be added to this network.

See the Exploring section for more information.

Users

The project is configured to use two-factor authentication. When running it out of the box (i.e. without having configured the SMTP notifier), you will have to check the file authelia/notification.txt to get the registration link for configuring 2FA.

Authelia users are defined in authelia/users.yml.

By default, this ships with two users (both have the password insecure). One is a member of a group called admin, and the other has no group memberships. See the Exploring section to see how group membership can be used for access control.

Creating a user

You will need to create a new user and add them to authelia/users.yml. As a convenience, you can run the command

$ bin/create-new-user
Enter username: ...

which will prompt for the user's information and add an entry to the user file (with a hashed password).

Make sure to remove the default users before deploying!

Exploring

Note: When run locally (e.g. on localhost), Traefik uses a self-signed SSL certificate. Therefore, web-browser security warnings are expected and can be safely bypassed. When deployed on any other domain, it will use Let's Encrypt certificates.

To explore, navigate to:

  • https://traefik.docker.localhost (Traefik configuration dashboard)
    • Requires login: see the Users section for more information.
  • https://whoami.docker.localhost ("Hello world" example)
  • https://secure.docker.localhost ("Hello world" example demonstrating ACLs and 2FA)
    • See the Users section for more information about the default users.
    • See the access_control section of authelia/configuration.yml to understand how access is configured.
    • First, attempt to log in with the user user-changeme. Access should be denied, because the user isn't a member of the required group.
    • Next, go to auth.docker.localhost and log out.
    • Then, go back to secure.docker.localhost to log in with user admin-changeme. Access should be granted, based on user group.
      • See the Users section for information on how 2FA is configured by default.
  • https://auth.docker.localhost (SSO Auth service)
  • https://traefik.docker.localhost/nonexistent (This page doesn't exist, and is therefore re-routed to a custom error page)
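The group-based walkthrough above (user-changeme denied, admin-changeme granted once 2FA is complete) follows from how an access_control section is evaluated: the first rule whose domain and subject match decides the policy, and a default policy of deny applies when nothing matches. The following is an added example, not code from this project or from Authelia: a simplified Python model of that evaluation, with users mirroring the README's defaults and a constructed rule set (the project's real authelia/configuration.yml may differ).

```python
"""Simplified model of Authelia-style access_control evaluation (added example).

Users mirror the README defaults: user-changeme has no groups, admin-changeme is
in group 'admin'. Rules and default_policy are constructed for illustration.
"""
from dataclasses import dataclass, field
from fnmatch import fnmatch

# Authentication levels in increasing strength; 'deny' never grants access.
LEVELS = {"bypass": 0, "one_factor": 1, "two_factor": 2}


@dataclass
class User:
    username: str
    groups: list[str] = field(default_factory=list)


@dataclass
class Rule:
    domain: str        # exact host or wildcard such as *.docker.localhost
    policy: str        # bypass | one_factor | two_factor | deny
    subject: list[str] = field(default_factory=list)  # "user:NAME" / "group:NAME"


def subject_matches(rule: Rule, user: User) -> bool:
    """An empty subject list matches everyone; otherwise any listed entry suffices."""
    if not rule.subject:
        return True
    for entry in rule.subject:
        kind, _, name = entry.partition(":")
        if (kind == "user" and name == user.username) or (kind == "group" and name in user.groups):
            return True
    return False


def required_policy(rules, user, host, default_policy="deny"):
    """First rule whose domain and subject both match wins; otherwise default_policy."""
    for rule in rules:
        if fnmatch(host, rule.domain) and subject_matches(rule, user):
            return rule.policy
    return default_policy  # default deny: an unlisted host or non-member is refused


def is_authorized(rules, user, host, auth_level):
    """auth_level is the number of factors the session has completed (0, 1 or 2)."""
    policy = required_policy(rules, user, host)
    return policy != "deny" and auth_level >= LEVELS[policy]


# Constructed rule set and users (not the project's actual configuration)
RULES = [
    Rule("whoami.docker.localhost", "bypass"),
    Rule("traefik.docker.localhost", "one_factor"),
    Rule("secure.docker.localhost", "two_factor", subject=["group:admin"]),
]
USERS = {
    "user-changeme": User("user-changeme"),
    "admin-changeme": User("admin-changeme", groups=["admin"]),
}
```

With these rules, user-changeme is refused on secure.docker.localhost even after completing 2FA, because no rule matches and the default is deny; admin-changeme is refused after one factor and granted after two.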

Testing

Run the test suite locally via

.github/scripts/test.sh
