services:
  # Google OAuth - Single Sign On using OAuth 2.0
  # https://www.smarthomebeginner.com/google-oauth-with-traefik-docker/
  # Also possible to forward all authentication requests to external service. See middlewares-oauth-external and chain-oauth-external.
  #
  # This service runs traefik-forward-auth as a container named "oauth" on the
  # traefik_proxy network. Traefik reaches it through the labels at the bottom
  # (router oauth-rtr -> service oauth-svc on port 4181).
  oauth:
    container_name: oauth
    # NOTE(review): `latest` is a mutable tag, so a re-pull can silently change
    # the code that gates every route protected by this service. Pin to a
    # reviewed release tag or an image digest and update it deliberately.
    image: thomseddon/traefik-forward-auth:latest
    # image: thomseddon/traefik-forward-auth:2.1-arm # Use this image with Raspberry Pi
    security_opt:
      # Stops processes in the container from gaining extra privileges
      # (e.g. through setuid binaries).
      - no-new-privileges:true
    restart: unless-stopped
    #profiles: ["core", "all"]
    networks:
      # Declared outside this file; the service joins only this network.
      - traefik_proxy
    # Allow apps to bypass OAuth. Radarr example below will bypass OAuth if API key is present in the request (eg. from NZB360 mobile app).
    # While this is one way, the recommended way is to bypass authentication using Traefik labels shown in some of the apps later.
    # NOTE(review): if either rule is enabled, the API key becomes the only
    # credential for matching requests. The sabnzbd example matches the key
    # inside X-Forwarded-Uri, i.e. in the request URL, which is commonly written
    # to access logs; treat such keys as exposed wherever URLs are logged.
    # command: --rule.radarr.action=allow --rule.radarr.rule="Headers(`X-Api-Key`, `$RADARR_API_KEY`)"
    # command: --rule.sabnzbd.action=allow --rule.sabnzbd.rule="HeadersRegexp(`X-Forwarded-Uri`, `$SABNZBD_API_KEY`)"
    environment:
      # Path of the config file; it is the mount target of the
      # traefik_forward_auth secret below, so credentials stay out of the
      # environment. Presumably it holds the OAuth client id/secret and the
      # cookie signing secret - confirm against the secret's contents.
      # NOTE(review): no account restriction is visible in this file. Confirm
      # the config file limits accepted Google accounts (the tool's
      # `whitelist` or `domain` options); without one, any Google account is
      # presumably accepted - verify.
      - CONFIG=/config
      # Auth cookie is scoped to the whole base domain, so every host under it
      # receives the cookie - presumably intended for SSO across subdomains.
      - COOKIE_DOMAIN=$DOMAINNAME_DS918
      # false keeps the cookie HTTPS-only; do not flip this to true on a
      # deployment that is reachable over TLS.
      - INSECURE_COOKIE=false
      # Same host name as the Host() rule of the oauth-rtr router below.
      - AUTH_HOST=oauth.$DOMAINNAME_DS918
      - URL_PATH=/_oauth
      # NOTE(review): at `warn`, successful logins are likely not logged;
      # confirm this level gives enough audit trail for the deployment.
      - LOG_LEVEL=warn
      - LOG_FORMAT=text
      - LIFETIME=86400 # 1 day
      # Requests that match no rule require authentication (default-deny).
      - DEFAULT_ACTION=auth
      - DEFAULT_PROVIDER=google
    secrets:
      # Long-form secret mount: the secret named traefik_forward_auth (declared
      # in a top-level `secrets:` section not shown here) appears in the
      # container at /config, the path CONFIG points to.
      - source: traefik_forward_auth
        target: /config
    labels:
      - "traefik.enable=true"
      # HTTP Routers
      # TLS is enabled and the router is attached to the `https` entrypoint.
      - "traefik.http.routers.oauth-rtr.tls=true"
      - "traefik.http.routers.oauth-rtr.entrypoints=https"
      - "traefik.http.routers.oauth-rtr.rule=Host(`oauth.$DOMAINNAME_DS918`)"
      # Middlewares
      # chain-oauth is defined by Traefik's file provider (@file), outside this
      # compose file; its contents are not visible here.
      - "traefik.http.routers.oauth-rtr.middlewares=chain-oauth@file"
      # HTTP Services
      # Traefik forwards to container port 4181; no host port is published in
      # this file.
      - "traefik.http.routers.oauth-rtr.service=oauth-svc"
      - "traefik.http.services.oauth-svc.loadbalancer.server.port=4181"