Complete and refine OAuth + Traeffik Restriction

2026-02-20 10:30:34 +01:00
parent 078aae8172
commit 979747e288
10 changed files with 171 additions and 84 deletions
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -8,13 +8,15 @@ services:
    container_name: oc-auth
    labels:
      - "traefik.enable=true"
-      - "traefik.http.routers.auth.entrypoints=web"
-      - "traefik.http.routers.auth.rule=PathPrefix(`/auth`)"
-      - "traefik.http.middlewares.auth-rewrite.replacepathregex.regex=^/auth(.*)"
-      - "traefik.http.middlewares.auth-rewrite.replacepathregex.replacement=/oc$$1"
-      - "traefik.http.routers.auth.middlewares=auth-rewrite"
-      - "traefik.http.services.auth.loadbalancer.server.port=8080"
-      - "traefik.http.middlewares.auth.forwardauth.address=http://oc-auth:8080/oc/forward"
+      - "traefik.http.routers.auth-sec.entrypoints=web"
+      - "traefik.http.routers.auth-sec.rule=PathPrefix(`/auth/`)"
+      - "traefik.http.middlewares.auth-sec-rewrite.replacepathregex.regex=^/auth(.*)"
+      - "traefik.http.middlewares.auth-sec-rewrite.replacepathregex.replacement=/oc$$1"
+      - "traefik.http.services.auth-sec.loadbalancer.server.port=8080"
+      - "traefik.http.routers.auth-sec.middlewares=auth-sec-rewrite,auth-auth-sec"
+      - "traefik.http.middlewares.auth-auth-sec.forwardauth.address=http://hydra:4444/oauth2/auth"
+      - "traefik.http.middlewares.auth-auth-sec.forwardauth.trustForwardHeader=true"
+      - "traefik.http.middlewares.auth-auth-sec.forwardauth.authResponseHeaders=X-Auth-Request-User,X-Auth-Request-Email"
    environment:
          LDAP_ENDPOINTS: ldap:389
          LDAP_BINDDN: cn=admin,dc=example,dc=com