Enable forward authentication for OAuth integration with Traefik #425

Open
allthestairs opened this issue Feb 19, 2021 · 1 comment

allthestairs commented Feb 19, 2021

Is your feature request related to a problem? Please describe.
The applications included in ansible-nas have varying degrees of security and hardening. We have a setup to enable any of them to be reverse proxied by Traefik, but not all are well-suited to be exposed and require manual setup of an authentication method for each in potentially different ways.

Describe the solution you'd like
Traefik allows for forward authentication middleware to require authentication before particular backends (old terminology) or routers can be accessed. This can be used to protect any Traefik-proxied application using OAuth authentication when combined with a minimal authentication server like traefik-forward-auth. This would potentially enable single-sign-on for authentication on all ansible-nas applications proxied by Traefik.

Describe alternatives you've considered
Just setting passwords on everything manually I guess. You can also use exclusively VPN access but that is a sort of orthogonal solution and isn't integrated (reasonably so) with ansible-nas anyway.

Additional context
I have a functional branch and draft pull request #427 that works. This adds a new container to the traefik ansible tasks to handle forward authentication as well as a variety of variables to enable configuration of (currently Google-only) OAuth on any application.

Applying forward authentication to a particular app with this setup requires one additional Docker label to be applied:

traefik.http.routers.app.middlewares: "traefik-forward-auth"

My current solution is to add one additional variable analogous to app_available_externally named app_forwardauth_enabled. I then conditionally apply this middleware in ansible using something like this:

traefik.http.routers.app.middlewares: "{{ app_forwardauth_enabled | bool | ternary('traefik-forward-auth', '') }}"

I am very much not an ansible expert, so I am not sure if there is a better way to handle this than just creating a new variable for every existing application and adding the conditional label line to all the tasks. Additionally, I am not sure whether it would be a good idea or not to default applications to be authenticated if you enable forward authentication for Traefik.
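To make the setup described in the issue concrete, the following is an added example written in the Ansible `docker_container` style ansible-nas uses; it is not code from the issue author's branch or from the draft pull request. The variable names (`traefik_forward_auth_*`, `ansible_nas_domain`, `app_image`), the Docker network name, the entrypoint and the certificate resolver name are assumptions; the Traefik label keys and the traefik-forward-auth environment variables are the real ones.

```yaml
# Added example (not the ansible-nas project's or the issue author's code).
# Variable names, network name, entrypoint and cert resolver are assumptions;
# the label keys and environment variables are the real Traefik /
# traefik-forward-auth ones.
- name: Create traefik-forward-auth container (Auth Host Mode, Google provider)
  docker_container:
    name: traefik-forward-auth
    image: thomseddon/traefik-forward-auth:2
    pull: true
    restart_policy: unless-stopped
    networks:
      - name: traefik_network   # assumed: the network Traefik itself is attached to
    env:
      # Google OAuth client; keep these in a vault, not in a plain-text vars file
      PROVIDERS_GOOGLE_CLIENT_ID: "{{ traefik_forward_auth_google_client_id }}"
      PROVIDERS_GOOGLE_CLIENT_SECRET: "{{ traefik_forward_auth_google_client_secret }}"
      # Random secret used to sign the session cookie
      SECRET: "{{ traefik_forward_auth_secret }}"
      # Auth Host Mode: one dedicated subdomain receives the OAuth callback ...
      AUTH_HOST: "auth.{{ ansible_nas_domain }}"
      # ... and the resulting cookie is scoped to the base domain, so one login
      # covers every proxied app under it
      COOKIE_DOMAIN: "{{ ansible_nas_domain }}"
      # Without a whitelist any Google account can log in; restrict to known users
      WHITELIST: "{{ traefik_forward_auth_whitelist | join(',') }}"
    labels:
      traefik.enable: "true"
      # Router for the auth subdomain; the middleware is applied to it too so the
      # OAuth callback is handled by this same container
      traefik.http.routers.traefik-forward-auth.rule: "Host(`auth.{{ ansible_nas_domain }}`)"
      traefik.http.routers.traefik-forward-auth.entrypoints: "websecure"
      traefik.http.routers.traefik-forward-auth.tls.certresolver: "letsencrypt"
      traefik.http.routers.traefik-forward-auth.middlewares: "traefik-forward-auth"
      # The forwardAuth middleware that other routers reference by name
      traefik.http.middlewares.traefik-forward-auth.forwardauth.address: "http://traefik-forward-auth:4181"
      traefik.http.middlewares.traefik-forward-auth.forwardauth.authResponseHeaders: "X-Forwarded-User"
      traefik.http.services.traefik-forward-auth.loadbalancer.server.port: "4181"
  when: traefik_forward_auth_enabled

- name: Example app container with opt-in forward authentication
  docker_container:
    name: app
    image: "{{ app_image }}"   # assumed
    networks:
      - name: traefik_network
    labels:
      traefik.enable: "{{ app_available_externally }}"
      traefik.http.routers.app.rule: "Host(`app.{{ ansible_nas_domain }}`)"
      traefik.http.routers.app.entrypoints: "websecure"
      traefik.http.routers.app.tls.certresolver: "letsencrypt"
      traefik.http.services.app.loadbalancer.server.port: "8080"
      # Empty value when disabled, so no extra task logic is needed per app
      traefik.http.routers.app.middlewares: "{{ app_forwardauth_enabled | bool | ternary('traefik-forward-auth', '') }}"
```

Two points worth checking after deploying something like this: the `WHITELIST` (or a `DOMAIN` restriction) is what turns "has a Google account" into "is allowed in", and `authResponseHeaders` only matters for apps that can consume `X-Forwarded-User`; for the others the middleware is purely a gate in front of the app's own login.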

@allthestairs (Contributor, Author):

To elaborate on the good and bad of using this:

Good:

  • This kind of setup can, with some simple config, let you protect all of your exposed apps with OAuth authentication.
  • Gives you a solid additional layer of protection based on software with a good security record if you choose to expose any applications.
  • This setup (Auth Host Mode) works perfectly with the current subdomain-based assumptions for Traefik and sets up a specific subdomain for authorization (easy OAuth setup), but creates a logon cookie for the base domain, which allows authentication for all apps with one login/cookie.

Neutral:

  • Requires per-application configuration/opt-in.

Bad:

  • Few of the containers in ansible-nas allow, easily or at all, for header-based authentication based on reverse proxies which would let you actually create an SSO environment. For most applications, this means either disabling app-based authentication or requiring two sequential logins (when neither is cookied).
  • There are some apps for which enabling this could break functionality, primarily applications with frequently-used APIs where clients cannot handle OAuth.
    • This can be handled on a case-by-case basis by adding forward-authentication rules to allow access to defined API URL patterns. Would require constructing an INI-format file to give to the forward auth container.
    • Alternatively this can be handled by creating a second router for the API paths with higher priority that doesn't apply the middleware which doesn't require additional config files but does make our ansible tasks label lists longer.
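The two options given above for keeping API clients working can look like this. This is an added example, not code from the issue author or the project; the config directory variable, the `/api` path prefix, the image variable and the entrypoint/resolver names are assumptions, while the `rule.<name>.action` / `rule.<name>.rule` INI keys and the Traefik router labels are the real ones.

```yaml
# Added example (not the ansible-nas project's or the issue author's code).
# Variable names, the /api prefix, entrypoint and cert resolver are assumptions.

# Option A: allow rules in an INI file given to traefik-forward-auth. Matching
# requests skip OAuth entirely, so keep the rule as narrow as the client needs.
- name: Write forward-auth rules file
  copy:
    dest: "{{ traefik_forward_auth_config_dir }}/config.ini"   # assumed path variable
    mode: "0600"
    content: |
      # Let unauthenticated API clients through for one host and one path prefix only
      rule.app_api.action = allow
      rule.app_api.rule = Host(`app.{{ ansible_nas_domain }}`) && PathPrefix(`/api`)
  when: traefik_forward_auth_enabled

# The traefik-forward-auth container then needs the file mounted and CONFIG
# pointed at it, e.g.
#   volumes: ["{{ traefik_forward_auth_config_dir }}/config.ini:/config.ini:ro"]
#   env: { CONFIG: /config.ini, ... }

# Option B: a second Traefik router for the API paths that omits the middleware.
- name: App container with an unauthenticated API router
  docker_container:
    name: app
    image: "{{ app_image }}"   # assumed
    labels:
      traefik.enable: "{{ app_available_externally }}"
      # UI router: behind forward auth when enabled
      traefik.http.routers.app.rule: "Host(`app.{{ ansible_nas_domain }}`)"
      traefik.http.routers.app.entrypoints: "websecure"
      traefik.http.routers.app.tls.certresolver: "letsencrypt"
      traefik.http.routers.app.middlewares: "{{ app_forwardauth_enabled | bool | ternary('traefik-forward-auth', '') }}"
      traefik.http.routers.app.service: "app"
      # API router: same host, narrower match, no middlewares. Traefik ranks the
      # longer rule first by default; an explicit priority makes the intent visible.
      traefik.http.routers.app-api.rule: "Host(`app.{{ ansible_nas_domain }}`) && PathPrefix(`/api`)"
      traefik.http.routers.app-api.entrypoints: "websecure"
      traefik.http.routers.app-api.tls.certresolver: "letsencrypt"
      traefik.http.routers.app-api.priority: "100"
      traefik.http.routers.app-api.service: "app"
      # Both routers point at the same service
      traefik.http.services.app.loadbalancer.server.port: "8080"
```

Either way the bypassed paths are protected only by whatever the app does itself (API keys, tokens), so the prefix should cover the API surface and nothing more; a prefix that also matches the web UI would silently undo the forward auth for it.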
