acid/working_traefik_1.x_example
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

initial commit

Browse Source
This commit is contained in:
AcidUK
2019-10-14 20:04:34 +01:00
commit 508cc197f7
7 changed files with 236 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

29
authelia.yml Normal file
View File

@@ -0,0 +1,29 @@
version: '3'
services:
authelia:
image: clems4ever/authelia:master
container_name: authelia
restart: always
volumes:
- ./files/config.minimal.yml:/etc/authelia/config.yml:ro
- ./files/users_database.yml:/etc/authelia/users_database.yml:rw
- /tmp/authelia:/tmp/authelia
environment:
- NODE_TLS_REJECT_UNAUTHORIZED=1
labels:
- "traefik.frontend.rule=Host:auth.personal.domain"
- "traefik.docker.network=traefik"
- "traefik.enable=true"
expose:
- 8080
networks:
- web
- mail
networks:
web:
external:
name: traefik
mail:
external: true

0
files/acme.json Normal file
View File

105
files/config.minimal.yml Normal file
View File

@@ -0,0 +1,105 @@
###############################################################
# Authelia minimal configuration #
###############################################################
#logs_level: debug
authentication_backend:
file:
path: /etc/authelia/users_database.yml
session:
secret: change_this_for_your_server
domain: personal.domain
# Configuration of the storage backend used to store data and secrets. i.e. totp data
storage:
local:
path: /etc/authelia/storage
# TOTP Issuer Name
#
# This will be the issuer name displayed in Google Authenticator
# See: https://github.com/google/google-authenticator/wiki/Key-Uri-Format for more info on issuer names
totp:
issuer: personal.domain
# Access Control
#
# Access control is a set of rules you can use to restrict user access to certain
# resources.
access_control:
# Default policy can either be `bypass`, `one_factor`, `two_factor` or `deny`.
default_policy: one_factor
rules:
- domain: public.personal.domain
policy: bypass
- domain: httpbin.personal.domain
policy: bypass
- domain: auth.cusack.cloud
policy: bypass
- domain: firewall.personal.domain
policy: two_factor
- domain: proxmox.personal.domain
policy: two_factor
# resources:
# - '^/api/.*$'
# - '^/notifications/.*$'
policy: bypass
# - domain: who.example.com
# policy: two_factor
# Configuration of the authentication regulation mechanism.
regulation:
# Set it to 0 to disable max_retries.
max_retries: 5
# The user is banned if the authenticaction failed `max_retries` times in a `find_time` seconds window.
find_time: 120
# The length of time before a banned user can login again.
ban_time: 180
# Configuration of session cookies
#
# The session cookies identify the user once logged in.
session:
# The name of the session cookie. (default: authelia_session).
name: authelia_session
# The secret to encrypt the session cookie.
secret: change_this_for_your_server
# The time in ms before the cookie expires and session is reset.
expiration: 604800000 # 1 week
# The inactivity time in ms before the session is reset.
inactivity: 300000 # 5 minutes
# The domain to protect.
# Note: the authenticator must also be in that domain. If empty, the cookie
# is restricted to the subdomain on the issuer.
domain: personal.domain
# Default redirection URL
#
# Note: this parameter is optional. If not provided, user won't
# be redirected upon successful authentication.
#default_redirection_url: https://authelia.example.domain
#notifier:
# For testing purpose, notifications can be sent in a file
# filesystem:
# filename: /tmp/authelia/notification.txt
notifier:
smtp:
# username:
# password:
secure: false
host: mail
port: 25
sender: docker@your-mail-server

47
files/traefik.toml Normal file
View File

@@ -0,0 +1,47 @@
#debug = true
#logLevel = "DEBUG"
defaultEntryPoints = ["http", "https"]
InsecureSkipVerify = true
[entryPoints]
[entryPoints.http]
address = ":80"
#[entryPoints.http.redirect]
#entryPoint = "https"
[entryPoints.https]
address = ":443"
[entryPoints.https.tls]
[entryPoints.https.auth.forward]
address = "http://authelia:8080/api/verify?rd=https://auth.personal.domain/%23/"
[retry]
[api]
[ping]
[docker]
domain = "personal.domain"
exposedByDefault = false
watch = true
[acme]
email = "your@email.address"
storage = "acme.json"
entryPoint = "https"
onHostRule = true
[acme.httpChallenge]
entryPoint = "http"
[file]
[backends]
[backends.pfsense]
[backends.pfsense.servers.server0]
url = "https://pfsense.lab.personal.domain:8443"
[backends.proxmox]
[backends.proxmox.servers.server0]
url = "https://192.168.0.250:8006"
[frontends]
[frontends.pfsense]
backend = "pfsense"
passHostHeader = true
[frontends.pfsense.routes.example]
rule = "Host:firewall.cusack.cloud"
[frontends.proxmox]
backend = "proxmox"
passHostHeader = true
[frontends.proxmox.routes.example]
rule = "Host:proxmox.cusack.cloud"

7
files/users_database.yml Normal file
View File

@@ -0,0 +1,7 @@
users:
testuser: ## I have set the password below to 'test' for you
password: '{CRYPT}$6$rounds=500000$Bui4ldW5hXOI9qwJ$IUHQPCusUKpTs/OrfE9UuGb1Giqaa5OZA.mqIpH.Hh8RGFsEBHViCwQDx6DfkGUiF60pqNubFBugfTvCJIDNw1'
email: your@email.address
groups:
- admins
- dev

21
httpbin.yml Normal file
View File

@@ -0,0 +1,21 @@
version: '3'
services:
httpbin:
container_name: httpbin
image: kennethreitz/httpbin
restart: always
ports:
- 5100:80
labels:
- "traefik.frontend.rule=Host:httpbin.personal.cloud"
- "traefik.docker.network=traefik"
- "traefik.enable=true"
networks:
- web
networks:
web:
external:
name: traefik

27
traefik.yml Normal file
View File

@@ -0,0 +1,27 @@
version: '3'
services:
traefik:
container_name: traefik
restart: always
ports:
- '8080:8080'
- '80:80'
- '443:443'
volumes:
- './files/traefik.toml:/etc/traefik/traefik.toml'
- './files/acme.json:/acme.json'
- '/var/run/docker.sock:/var/run/docker.sock'
image: traefik:v1.7.16
labels:
- "traefik.frontend.rule=Host:traefik.personal.domain"
- "traefik.docker.network=traefik"
- "traefik.enable=true"
- "traefik.port=8080"
- "traefik.protocol=http"
networks:
traefik:
networks:
traefik:
external: true