Traefik-Proxy
One-step, security-first configuration for the Traefik edge router, with Authelia providing single sign-on authentication.
Features
Keeping in mind security first, this project ensures:
- The Docker daemon socket is never mounted into Traefik or into any container with external networking (see the risks of exposing the Docker daemon socket: a process that can talk to it is effectively root on the host)
- HTTPS redirection is configured automatically for all routers
- TLS is always enabled, even locally, so new services can be tested with a configuration that does not differ significantly from production
- The Traefik dashboard is never launched in insecure mode (the `api.insecure` option is never enabled)
Other features include:
- Self-hosted SSO authentication (Authelia), including support for hardware security keys and one-time password (TOTP) generators
- User-friendly 4XX and 5XX status pages
- Pre-configured file provider (for shared routers and middleware) and Docker provider (for everything else)
- Centralized configuration via environment variables and Docker secrets
Getting Started
Quickstart
```shell
$ git clone https://github.com/jamescurtin/traefik-proxy.git
$ cd traefik-proxy
$ make
```

Running `make` creates an `.env` file and the `authelia/secrets` directory. The `.env` file should be updated to include hostnames for any additional hosts that are configured. The `authelia/secrets` directory contains the secrets used to configure all services; the default values must be changed before deploying.

There are additional configuration files that need to be customized. All places where customization is necessary are marked with `CHANGEME` comments.

The command also creates the external Docker network `traefik`. Other Docker services that you plan to expose via Traefik should be attached to this network.
Creating an LDAP user
The following creates a default user named `changeme` with the password `insecure`. These credentials are for local testing only and should be changed (or the user removed) before anything is reachable from outside:

```shell
$ bin/add_user authelia/example.ldif
```

Note: when run locally (e.g. on `localhost`), Traefik uses a self-signed TLS certificate, so browser certificate warnings are expected for the `*.docker.localhost` hostnames and can be bypassed. A certificate warning on a real deployment hostname should not be bypassed; it indicates that certificate issuance has failed or that something is intercepting the connection.
To explore, navigate to:
- https://whoami.docker.localhost ("Hello world" container provided by the creators of Traefik)
- https://traefik.docker.localhost (Traefik configuration dashboard)
- https://auth.docker.localhost (SSO Auth service)
- https://docker.localhost (Doesn't match any routing rule, so will display a user-friendly HTTP error code)
Details
Running `make` creates the external Docker network `traefik`, which links any Docker container to Traefik, and checks for the existence of `.env` and `acme/acme.json`, creating them if they do not exist. The command is safe to re-run; existing files are left untouched. `acme/acme.json` is where Traefik stores the certificates and private keys it obtains via ACME, so it must stay private (Traefik requires the file to have `600` permissions and refuses to use it otherwise).