Skip to content
/ traefik-auth-cloudflare Public
forked from adrienkohlbecker/traefik-auth-cloudflare

Forward auth server to verify Cloudflare Access JWT tokens with Traefik

License

MIT license
1 star 13 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

Dashflo/traefik-auth-cloudflare

BranchesTags
 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

40 Commits
.github/workflows
.github/workflows
 
 
example
example
 
 
.gitignore
.gitignore
 
 
AUTHORS
AUTHORS
 
 
CHANGELOG.md
CHANGELOG.md
 
 
Dockerfile
Dockerfile
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
go.mod
go.mod
 
 
go.sum
go.sum
 
 
main.go
main.go
 
 

Repository files navigation

traefik-auth-cloudflare

Forward auth server to verify Cloudflare Access JWT tokens with traefik

GitHub release

Description

traefik-auth-cloudflare is designed to be a forward auth server for traefik and Cloudflare Access.

When forwarding a user's request to your application, Cloudflare Access will include a signed JWT as a HTTP header. This JWT needs to be authenticated to ensure the request has been signed by Cloudflare and has gone through their servers.

Documentation on how to validate the JWT can be found here https://developers.cloudflare.com/access/setting-up-access/validate-jwt-tokens/.

Using traefik-auth-cloudflare, you can configure your traefik instance to correctly authenticate cloudflare requests, and you can serve multiple authenticated applications from a single instance.

Example

Look into the example directory to find example docker-compose.yml and traefik.toml files.

How to use

  • Start an instance of traefik-auth-cloudflare in the same docker network as traefik. ideally this is a distinct network from your applications.
# create network for traefik->traefik-auth-cloudflare communication

$ docker network create traefik-auth

# start traefik-auth-cloudflare (default port is 8080)
# you need to set the auth domain you configured on cloudflare

$ docker run -d --network traefik-auth --name traefik-auth-cloudflare ghcr.io/dashflo/traefik-auth-cloudflare:latest --auth-domain https://foo.cloudflareaccess.com

# add traefik to your `traefik-auth` docker network (left to the reader)

$ docker network connect traefik-auth TRAEFIK_CONTAINER
  • Configure your router to authenticate requests using traefik-auth-cloudflare
# start your app with auth settings
# the Application Audience (aud) tag needs to be set as an URL parameter: `/auth/{audience}`

$ docker run \
  --label "traefik.http.routers.myapp.middlewares=myapp-auth@docker" \
  --label "traefik.http.middlewares.myapp-auth.forwardauth.address=http://traefik-auth-cloudflare:8080/auth/a83fd537ee93f21e86e51ab3c88f84ef07fd388865c7d0c3236947a8cf79daf5" \
  ....
  • Optionally, configure traefik to forward the authenticated user header to your application
# start your app with auth user forward
# the http header is `X-Auth-User`

$ docker run \
  --label "traefik.http.middlewares.myapp-auth.forwardauth.authResponseHeaders=X-Auth-User" \
  ....

About

Forward auth server to verify Cloudflare Access JWT tokens with Traefik

Resources

Readme

License

MIT license
Activity
Custom properties

Stars

1 star

Watchers

0 watching

Forks

0 forks
Report repository

Releases 1

v1.0.0 Latest
Apr 13, 2022

Packages

 
 
 

Languages

  • Go 93.5%
  • Dockerfile 6.5%