SEANK.H.LIAO

pomerium traefik auth proxy

using pomerium as traefik forward auth

Goals

Extra Goals

config

so much configuration

docker

needs a user-defined network: the default bridge gives containers no name resolution, and the forward auth and tracing addresses below reach pomerium and jaeger by container name

docker network create br0
certificates

this is run manually; renewal is not automated here and would need a cron job or similar around lego renew

certs are saved to /var/certs. this uses the account-wide cloudflare global API key (CLOUDFLARE_EMAIL + CLOUDFLARE_API_KEY), which can change anything on the account; lego also accepts a scoped token via CLOUDFLARE_DNS_API_TOKEN, limited to DNS edits on the zone, which is the better choice. /var/certs ends up holding the private key, so keep it root-only

docker run --rm -it --name lego \
    -e CLOUDFLARE_EMAIL=me@example.com \
    -e CLOUDFLARE_API_KEY=CHANGE_ME \
    -v /var/certs:/var/certs \
    goacme/lego \
    --dns cloudflare \
    --path /var/certs \
    --email 'me@example.com' \
    --domains 'example.com' \
    --domains '*.example.com' \
    run
traefik

tls termination and service discovery from container labels; only ports 80 and 443 are published to the host. mounting /var/run/docker.sock hands the traefik container full control of the docker daemon, which is root on the host, so it is as trusted as the host itself

docker run -d --rm --name traefik \
    --network br0 \
    -p 80:80 \
    -p 443:443 \
    -v /var/run/docker.sock:/var/run/docker.sock \
    -v /var/certs/certificates:/var/certs/certificates \
    -v /var/traefik:/etc/traefik \
    -l 'traefik.enable=true' \
    -l 'traefik.http.routers.https-redirect.entrypoints=http' \
    -l 'traefik.http.routers.https-redirect.rule=HostRegexp(`{any:.*}`)' \
    -l 'traefik.http.routers.https-redirect.middlewares=https-redirect' \
    -l 'traefik.http.middlewares.https-redirect.redirectscheme.scheme=https' \
    traefik:v2.2

traefik.yaml, mounted at /etc/traefik/traefik.yaml (traefik only looks for traefik.yml, traefik.yaml or traefik.toml there, so the name matters): could be replaced by cli flags

global:
  checkNewVersion: false
  sendAnonymousUsage: false

entrypoints:
  traefik:
    address: ":9000"
  http:
    address: ":80"
  https:
    address: ":443"
    forwardedHeaders:
      # traefik is the edge here, so X-Forwarded-* arrive straight from clients;
      # insecure: true passes them through instead of overwriting them, which lets
      # a client spoof its source ip in access logs and ip-based middlewares.
      # drop this unless a trusted proxy sits in front (then use trustedIPs)
      insecure: true

providers:
  docker:
    # exposedByDefault is left at its default of true, so any container on the
    # socket gets a router whether or not it carries traefik.enable=true
    endpoint: "unix:///var/run/docker.sock"
  file:
    filename: "/etc/traefik/dynamic.yaml"

metrics:
  prometheus: {}

ping: {}

api:
  # dashboard and api served unauthenticated on the traefik entrypoint (:9000);
  # not published to the host, but reachable from every container on br0
  insecure: true
  dashboard: true

log:
  format: "json"
  level: "INFO"

accessLog:
  format: "json"

tracing:
  jaeger:
    samplingServerURL: "http://jaeger:5778/sampling"
    localAgentHostPort: "jaeger:6831"

dynamic.yaml (the file provider above): traefik only takes user-supplied certificates from dynamic configuration, so they cannot be set in the static config or on labels. the default tls options pin every router to TLS 1.3

tls:
  certificates:
    - certFile: /var/certs/certificates/example.com.crt
      keyFile: /var/certs/certificates/example.com.key
  options:
    default:
      minVersion: VersionTLS13
pomerium

forward auth provider for traefik; it listens on plain http port 80 inside br0 with tls terminated by traefik, and is itself routed at auth.example.com for the login and callback flow

docker run -d --rm --name pomerium \
    --network br0 \
    -l 'traefik.enable=true' \
    -l 'traefik.http.routers.auth.tls=true' \
    -l 'traefik.http.routers.auth.entrypoints=https' \
    -l 'traefik.http.routers.auth.rule=Host(`auth.example.com`)' \
    -l 'traefik.http.routers.auth.service=auth' \
    -l 'traefik.http.services.auth.loadbalancer.server.port=80' \
    pomerium/pomerium:v0.6.2

config.yaml: ignore the lacklustre documentation, look at code options.go and

log_level: debug
# plain http inside br0; traefik terminates tls in front
address: :80
insecure_server: true

authenticate_service_url: https://auth.example.com
authenticate_callback_path: /oauth2/callback

# both must be 32 random bytes, base64 encoded (head -c32 /dev/urandom | base64);
# pomerium refuses to start on anything else, CHANGE_ME included
shared_secret: CHANGE_ME
cookie_secret: CHANGE_ME

metrics_address: ":9090"

tracing_provider: jaeger
tracing_debug: true
tracing_jaeger_agent_endpoint: jaeger:6831

# the url traefik's forwardauth middleware calls; host and port must be where
# pomerium actually listens (address above is :80, so check that the :443 here
# and in the traefik labels is a port pomerium serves)
forward_auth_url: http://pomerium:443

idp_provider: "google"
idp_client_id: CHANGE_ME
idp_client_secret: CHANGE_ME

# only these users, only on this route; requests for hosts with no matching
# policy are denied
policy:
  - from: https://jaeger.example.com
    allowed_users:
      - me@example.com
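CHANGE_ME will not get past pomerium's startup checks: shared_secret and cookie_secret have to be 32 random bytes, base64 encoded. The following is an added example, not part of the original post and not pomerium's code: it generates values of the right shape from the OS CSPRNG and re-implements the documented 32-byte rule, so the values in config.yaml can be checked before the container is started.

```go
package main

import (
	"crypto/rand"
	"encoding/base64"
	"fmt"
)

// secretLen is the decoded size pomerium expects for shared_secret and cookie_secret.
const secretLen = 32

// NewSecret returns 32 bytes from the OS CSPRNG, standard-base64 encoded, the
// same thing as the `head -c32 /dev/urandom | base64` from the pomerium docs.
func NewSecret() (string, error) {
	b := make([]byte, secretLen)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(b), nil
}

// CheckSecret applies the documented rule: the value must be valid standard
// base64 and decode to exactly 32 bytes. Anything else (a placeholder, a
// hex string, a 16-byte key) is reported with the reason.
func CheckSecret(s string) error {
	b, err := base64.StdEncoding.DecodeString(s)
	if err != nil {
		return fmt.Errorf("not base64: %w", err)
	}
	if len(b) != secretLen {
		return fmt.Errorf("decodes to %d bytes, want %d", len(b), secretLen)
	}
	return nil
}

func main() {
	for _, name := range []string{"shared_secret", "cookie_secret"} {
		s, err := NewSecret()
		if err != nil {
			panic(err)
		}
		fmt.Printf("%s: %s\n", name, s)
	}
	// The placeholder from the config above is rejected, with the reason.
	fmt.Println("CHANGE_ME:", CheckSecret("CHANGE_ME"))
}
```

Paste the two printed values into config.yaml; they are independent secrets and should not be reused between pomerium instances.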
httpbin

example unprotected endpoint: the router has no forwardauth middleware, so anyone who reaches httpbin.example.com goes straight through

docker run -d --rm --name httpbin \
    --network br0 \
    -l 'traefik.enable=true' \
    -l 'traefik.http.routers.httpbin.tls=true' \
    -l 'traefik.http.routers.httpbin.entrypoints=https' \
    -l 'traefik.http.routers.httpbin.rule=Host(`httpbin.example.com`)' \
    -l 'traefik.http.routers.httpbin.service=httpbin' \
    -l 'traefik.http.services.httpbin.loadbalancer.server.port=80' \
    kennethreitz/httpbin
jaeger

trace all the things; jaeger also serves as the example protected endpoint. the jaeger middleware sends each request to pomerium first, and only on a 2xx does the request reach the ui on 16686, with x-pomerium-jwt-assertion copied from pomerium's response onto it

docker run -d --rm --name jaeger \
    --network br0 \
    -e SPAN_STORAGE_TYPE=badger \
    -e BADGER_EPHEMERAL=false \
    -e BADGER_DIRECTORY_VALUE=/var/jaeger/data \
    -e BADGER_DIRECTORY_KEY=/var/jaeger/key \
    -v /var/jaeger:/var/jaeger \
    -l 'traefik.enable=true' \
    -l 'traefik.http.routers.jaeger.tls=true' \
    -l 'traefik.http.routers.jaeger.entrypoints=https' \
    -l 'traefik.http.routers.jaeger.rule=Host(`jaeger.example.com`)' \
    -l 'traefik.http.routers.jaeger.middlewares=jaeger' \
    -l 'traefik.http.routers.jaeger.service=jaeger' \
    -l 'traefik.http.middlewares.jaeger.forwardauth.trustForwardHeader=true' \
    -l 'traefik.http.middlewares.jaeger.forwardauth.authResponseHeaders=x-pomerium-jwt-assertion' \
    -l 'traefik.http.middlewares.jaeger.forwardauth.address=http://pomerium:443/?uri=https://jaeger.example.com' \
    -l 'traefik.http.services.jaeger.loadbalancer.server.port=16686' \
    jaegertracing/all-in-one:1.17
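authResponseHeaders only copies the x-pomerium-jwt-assertion header; nothing downstream checks it, and any container on br0 can also reach jaeger:16686 directly, bypassing traefik and pomerium altogether. A backend that acts on the identity in that header should therefore verify it itself: check the ES256 signature with pomerium's public key (pomerium publishes it as a JWKS at /.well-known/pomerium/jwks.json; fetching and caching that is left out here) and then the iss, aud and exp claims, rejecting anything else including alg=none. Below is an added example in Go, not code from the original post or from pomerium: a stdlib-only verifier, plus a stand-in signer so it runs offline with a freshly generated key. The hostnames, the claim set (iss, aud, exp, email) and aud being a single string are assumptions matching the single-route policy above.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Claims is the subset of x-pomerium-jwt-assertion a backend should check
// (claim names as in the pomerium docs; aud assumed to be a single string).
type Claims struct {
	Iss   string `json:"iss"`
	Aud   string `json:"aud"`
	Exp   int64  `json:"exp"`
	Email string `json:"email"`
}

var enc = base64.RawURLEncoding

// VerifyAssertion checks a compact ES256 JWT against pub, then issuer, audience
// and expiry. The alg header is only compared against the one the caller's key
// type allows; the token never gets to choose the verification algorithm.
func VerifyAssertion(token string, pub *ecdsa.PublicKey, wantIss, wantAud string, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	hdrRaw, err := enc.DecodeString(parts[0])
	if err != nil {
		return nil, err
	}
	var hdr struct {
		Alg string `json:"alg"`
	}
	if err := json.Unmarshal(hdrRaw, &hdr); err != nil || hdr.Alg != "ES256" {
		return nil, fmt.Errorf("unsupported alg %q", hdr.Alg)
	}
	sig, err := enc.DecodeString(parts[2])
	if err != nil || len(sig) != 64 { // JWS ES256 signatures are raw r||s, 32 bytes each
		return nil, errors.New("bad signature encoding")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if !ecdsa.Verify(pub, digest[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return nil, errors.New("signature verification failed")
	}
	// Only a token with a valid signature gets its claims parsed and checked.
	payload, err := enc.DecodeString(parts[1])
	if err != nil {
		return nil, err
	}
	var c Claims
	if err := json.Unmarshal(payload, &c); err != nil {
		return nil, err
	}
	switch {
	case c.Iss != wantIss:
		return nil, fmt.Errorf("issuer %q, want %q", c.Iss, wantIss)
	case c.Aud != wantAud:
		return nil, fmt.Errorf("audience %q, want %q", c.Aud, wantAud)
	case !now.Before(time.Unix(c.Exp, 0)):
		return nil, errors.New("token expired")
	}
	return &c, nil
}

// SignAssertion mints an ES256 token with the same layout so the example runs
// offline. It stands in for pomerium's signer and is not pomerium's code.
func SignAssertion(c Claims, priv *ecdsa.PrivateKey) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "ES256", "typ": "JWT"})
	payload, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	input := enc.EncodeToString(hdr) + "." + enc.EncodeToString(payload)
	digest := sha256.Sum256([]byte(input))
	r, s, err := ecdsa.Sign(rand.Reader, priv, digest[:])
	if err != nil {
		return "", err
	}
	sig := make([]byte, 64)
	r.FillBytes(sig[:32])
	s.FillBytes(sig[32:])
	return input + "." + enc.EncodeToString(sig), nil
}

func main() {
	// Constructed example: a fresh P-256 key plays the part of pomerium's signing key.
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	now := time.Now()
	tok, _ := SignAssertion(Claims{Iss: "auth.example.com", Aud: "jaeger.example.com",
		Exp: now.Add(5 * time.Minute).Unix(), Email: "me@example.com"}, priv)
	c, err := VerifyAssertion(tok, &priv.PublicKey, "auth.example.com", "jaeger.example.com", now)
	fmt.Printf("%+v %v\n", c, err)
}
```

The audience check is what stops a token minted for httpbin.example.com from being replayed against jaeger.example.com; the signature check is what makes a direct connection to jaeger:16686 with a hand-written header useless, as long as the backend refuses requests that carry no valid assertion.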