vouch-proxy
Integrate with other Web Servers and Ingress controllers besides Nginx
Meant to be a catchall/discussion ticket
Hopefully some of these "implementations" are just documentation
Somewhat inspired by https://github.com/caddyserver/caddy/issues/2894
Looks like integration with Traefik should be really straightforward, though VP would need to offer the 302 redirect to /login explicitly. VP would need to return the fqdn https://vouch.example.com/login
https://docs.traefik.io/middlewares/forwardauth/
I've written a small Haskell binary which can be used instead of Nginx. I had trouble getting auth_request_set directives to reliably work on Nginx (which seems silly, as the equivalent in web frameworks like Flask, say, is trivial. But that's by the by), didn't fancy delving into its innards, so wrote a replacement. If anyone is interested, I can look at getting the source code hosted publicly somewhere.
Anyone successfully integrate with Traefik ForwardAuth?
https://doc.traefik.io/traefik/v2.6/middlewares/http/forwardauth/
I just don't think it's possible to get traefik working with vouch out of the box with ForwardAuth - as noted above, vouch needs to return a 302. It's probably worth looking at https://github.com/thomseddon/traefik-forward-auth instead.
(if you really need to use vouch then the approach taken in https://community.traefik.io/t/forwardauth-and-vouch-proxy-using-x-forwarded-host/8585 looks promising, where nginx is used to perform the 302 translation...though they didn't get it working)
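The 401-to-302 translation discussed in the comment above can also be done by a small shim placed between Traefik ForwardAuth and Vouch Proxy; the following is an added example, not part of the thread or of either project. It assumes that /validate answers 401 for a request without a valid session, that /login takes the return address in a url parameter, and that ForwardAuth sends X-Forwarded-Host and X-Forwarded-Uri; the Shim type, the addresses and the example.com names are hypothetical.

```go
package main

import (
	"log"
	"net/http"
	"net/url"
	"strings"
)

// Shim is the address Traefik ForwardAuth would point at (hypothetical type).
// Assumed: /validate returns 401 without a session; /login reads "url".
type Shim struct{ ValidateURL, LoginURL, Domain string }

// allowed accepts only plain hostnames (no port, userinfo or path characters)
// under Domain, so a forged X-Forwarded-Host cannot become an open redirect.
func (s Shim) allowed(host string) bool {
	clean := strings.Trim(host, "abcdefghijklmnopqrstuvwxyz0123456789.-") == ""
	return clean && (host == s.Domain || strings.HasSuffix(host, "."+s.Domain))
}

func (s Shim) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	host, uri := strings.ToLower(r.Header.Get("X-Forwarded-Host")), r.Header.Get("X-Forwarded-Uri")
	if !s.allowed(host) || !strings.HasPrefix(uri, "/") {
		http.Error(w, "forbidden", http.StatusForbidden)
		return
	}
	req, err := http.NewRequestWithContext(r.Context(), http.MethodGet, s.ValidateURL, nil)
	var resp *http.Response
	if err == nil {
		// Pass the original host and the session cookie on to the validator.
		req.Host, req.Header["Cookie"] = host, r.Header["Cookie"]
		resp, err = http.DefaultClient.Do(req)
	}
	if err != nil {
		http.Error(w, "auth backend unavailable", http.StatusBadGateway)
		return
	}
	defer resp.Body.Close()
	if resp.StatusCode == http.StatusUnauthorized { // the 401 -> 302 translation
		http.Redirect(w, r, s.LoginURL+"?url="+url.QueryEscape("https://"+host+uri), http.StatusFound)
		return
	}
	w.Header().Set("X-Vouch-User", resp.Header.Get("X-Vouch-User"))
	w.WriteHeader(resp.StatusCode)
}

func main() { // placeholder addresses, adjust to the deployment
	s := Shim{"http://127.0.0.1:9090/validate", "https://vouch.example.com/login", "example.com"}
	log.Fatal(http.ListenAndServe("127.0.0.1:9091", s))
}
```

Hosts that carry a port are rejected on purpose: a value such as `app.example.com:@evil.test` would otherwise pass a suffix check on the hostname part and still redirect elsewhere.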
@aidanhs PRs welcome!
Though TBH I wonder if submitting an issue to Traefik might be better
It'd be easy to extend their middleware to include a new configuration option for redirection to a /login endpoint on failure
https://github.com/traefik/traefik/blob/master/pkg/middlewares/auth/forward.go#L142
I'm trying to figure out how to use Caddy to obtain tls certs and then proxy to Nginx for auth via Vouch. I'll post back if I get it working.
Here's what I came up with. It uses Caddy for SSL certs only and then proxies to Nginx for auth and routing.