vouch-proxy

Integrate with other Web Servers and Ingress controllers besides Nginx

Open bnfinet opened this issue 4 years ago • 7 comments

Meant to be a catchall/discussion ticket

Hopefully some of these "implementations" are just documentation

Somewhat inspired by https://github.com/caddyserver/caddy/issues/2894

bnfinet avatar Nov 23 '19 00:11 bnfinet

Looks like integration with Traefik should be really straightforward, though VP would need to offer the 302 redirect to /login explicitly. VP would need to return the FQDN https://vouch.example.com/login

https://docs.traefik.io/middlewares/forwardauth/

bnfinet avatar Jun 10 '20 23:06 bnfinet

I've written a small Haskell binary which can be used instead of Nginx. I had trouble getting auth_request_set directives to reliably work on Nginx (which seems silly, as the equivalent in web frameworks like Flask, say, is trivial. But that's by the by), didn't fancy delving into its innards, so wrote a replacement. If anyone is interested, I can look at getting the source code hosted publicly somewhere.

phlummox avatar Aug 11 '20 11:08 phlummox

Anyone successfully integrate with Traefik ForwardAuth?

https://doc.traefik.io/traefik/v2.6/middlewares/http/forwardauth/

zakiharis avatar Jun 14 '22 09:06 zakiharis

I just don't think it's possible to get traefik working with vouch out of the box with ForwardAuth - as noted above, vouch needs to return a 302. It's probably worth looking at https://github.com/thomseddon/traefik-forward-auth instead.

(if you really need to use vouch then the approach taken in https://community.traefik.io/t/forwardauth-and-vouch-proxy-using-x-forwarded-host/8585 looks promising, where nginx is used to perform the 302 translation...though they didn't get it working)

aidanhs avatar Dec 03 '22 03:12 aidanhs
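
An added example, not from the thread and not code from the Vouch Proxy or Traefik projects: a small Go handler that does the 401-to-302 translation discussed above, sitting between Traefik ForwardAuth and Vouch Proxy in place of Nginx. It assumes `/validate` answers 200 or 401 based on the request cookie and that `/login` takes the return address in a `url` parameter, as in Vouch Proxy's Nginx setup; the `Shim` type, the listen addresses and the `.example.com` suffix are hypothetical.

```go
package main

import (
	"log"
	"net/http"
	"net/url"
	"strings"
)

// Shim answers Traefik ForwardAuth calls by asking Vouch Proxy's /validate.
// ValidateURL: internal /validate; LoginURL: public /login; AllowedSuffix: return-domain limit.
type Shim struct{ ValidateURL, LoginURL, AllowedSuffix string }

// returnURL rebuilds the requested URL from Traefik's X-Forwarded-* headers and rejects
// hosts outside AllowedSuffix, so a forged header cannot make the login an open redirect.
func (s *Shim) returnURL(h http.Header) (string, bool) {
	u, err := url.Parse(h.Get("X-Forwarded-Proto") + "://" + h.Get("X-Forwarded-Host") + h.Get("X-Forwarded-Uri"))
	if err != nil || (u.Scheme != "http" && u.Scheme != "https") || u.User != nil ||
		s.AllowedSuffix == "" || !strings.HasSuffix("."+u.Hostname(), s.AllowedSuffix) {
		return "", false
	}
	return u.String(), true
}

func (s *Shim) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	back, ok := s.returnURL(r.Header)
	req, err := http.NewRequestWithContext(r.Context(), http.MethodGet, s.ValidateURL, nil)
	if !ok || err != nil {
		http.Error(w, "forbidden", http.StatusForbidden)
		return
	}
	req.Header["Cookie"] = r.Header["Cookie"] // Vouch decides from the session cookie
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		http.Error(w, "auth backend unavailable", http.StatusBadGateway) // fail closed
		return
	}
	defer resp.Body.Close()
	switch resp.StatusCode {
	case http.StatusOK: // implicit 200: Traefik forwards the original request
	case http.StatusUnauthorized: // the 401-to-302 translation Nginx would otherwise do
		http.Redirect(w, r, s.LoginURL+"?url="+url.QueryEscape(back), http.StatusFound)
	default:
		w.WriteHeader(http.StatusForbidden)
	}
}

func main() { // listen address, Vouch address and domain suffix are assumptions
	log.Fatal(http.ListenAndServe("127.0.0.1:9091", &Shim{"http://127.0.0.1:9090/validate", "https://vouch.example.com/login", ".example.com"}))
}
```

Traefik returns any non-2xx answer from the auth server to the client, so the browser receives the 302; the suffix check matters because the `X-Forwarded-*` values originate from the client's request.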

@aidanhs PRs welcome!

Though TBH I wonder if submitting an issue to Traefik might be better

It'd be easy to extend their middleware to include a new configuration option for redirection to a /login endpoint on failure https://github.com/traefik/traefik/blob/master/pkg/middlewares/auth/forward.go#L142

bnfinet avatar Dec 03 '22 04:12 bnfinet

I'm trying to figure out how to use Caddy to obtain tls certs and then proxy to Nginx for auth via Vouch. I'll post back if I get it working.

reubano avatar Jul 20 '23 20:07 reubano

Here's what I came up with. It uses Caddy for SSL certs only and then proxies to Nginx for auth and routing.

reubano avatar Jul 24 '23 00:07 reubano