22 View on Github

Simple Traefik Identity

Docker Pulls

Simple & Configurable – SSO, for Traefik.

Preview

Logon

login img

Logoff

(if not authorized, you can login via another account)

logoff img

Features

Role Based Access Control (RBAC)

groups:
  - name: quebec
    sub_domains:
      - "*"
  - name: saskatchewan
    sub_domains:
      - canada.ca
      - www.tourismnewbrunswick.ca
  - name: newfoundland
    sub_domains:
      - www.gov.nu.ca

users:
  - name: yukon
    password: yukon
    session: 0.5 # logs you out after half a day
    groups:
      - quebec
  - name: nunavut
    password: nunavut
    groups:
      - saskatchewan
      - newfoundland

Rate Limit

rate_limit:
  headers:
    - Cf-Connecting-Ip
    - Another-Header
    - So-on
  rate: 5
  timer: 30

Custom UI

display:
  title: Simple Traefik Identity
  background: |-
    https://github.com/ms-jpq/simple-traefik-identity/raw/xp/src/views/assets/xp.jpg

Usage

See minimal and maximal to get started.

  sti:
    image: msjpq/simple-traefik-identity
    container_name: sti
    labels:
      - traefik.http.services.sti.loadbalancer.server.port=5050
      - traefik.http.middlewares.auth.forwardauth.address=http://sti:5050
      - traefik.http.middlewares.auth.forwardauth.authResponseHeaders=X-Forwarded-User
    volumes:
      - ./config/conf.yml:/sti/config/conf.yml

Security

👩‍💻 -------- Request --------> 👮‍♀️
👩‍💻 <---- Auth Challenge ----- 👮‍♀️
👩‍💻 ------ Credentials ------> 👮‍♀️
👩‍💻 <-- Samesite JWT Cookie -- 👮‍♀️
👩‍💻 -- Samesite JWT Cookie --> 👮‍♀️
👩‍💻 <---------- OK ----------- 👮‍♀️
👩‍💻 -- Samesite JWT Cookie --> 👮‍♀️
👩‍💻 <---------- OK ----------- 👮‍♀️

JWT payload only contain list of accessible domains

Sister

Check out my sister: Simple Traefik Dash

Zero conf service dashboard for Traefik v2