From d37d1818f35d4fef86e6d746f3a8a5f2e37aabc6 Mon Sep 17 00:00:00 2001
From: Fabian Schindler <fabian.schindler.strauss@gmail.com>
Date: Mon, 28 Sep 2020 16:21:57 +0200
Subject: [PATCH] Adding auth forwarding in preparation of shibboleth auth
---
docker-compose.dem.ops.yml | 12 ++++++++++++
docker-compose.emg.ops.yml | 12 ++++++++++++
docker-compose.vhr18.ops.yml | 16 ++++++++++++++--
3 files changed, 38 insertions(+), 2 deletions(-)
diff --git a/docker-compose.dem.ops.yml b/docker-compose.dem.ops.yml
index b1f09109..345ea97b 100644
--- a/docker-compose.dem.ops.yml
+++ b/docker-compose.dem.ops.yml
@@ -32,6 +32,10 @@ services:
- "traefik.http.routers.dem-renderer_referer-redirect.rule=Host(`dem.pdas.prism.eox.at`, `a.dem.pdas.prism.eox.at`, `b.dem.pdas.prism.eox.at`, `c.dem.pdas.prism.eox.at`, `d.dem.pdas.prism.eox.at`, `e.dem.pdas.prism.eox.at`, `f.dem.pdas.prism.eox.at`, `g.dem.pdas.prism.eox.at`, `h.dem.pdas.prism.eox.at`, `dem.pass.copernicus.eu`, `a.dem.pass.copernicus.eu`, `b.dem.pass.copernicus.eu`, `c.dem.pass.copernicus.eu`, `d.dem.pass.copernicus.eu`, `e.dem.pass.copernicus.eu`, `f.dem.pass.copernicus.eu`, `g.dem.pass.copernicus.eu`, `h.dem.pass.copernicus.eu`) && PathPrefix(`/ows`, `/opensearch`, `/admin`) && HeadersRegexp(`Referer`, `(https?://)?(panda.copernicus.eu|panda.cdsv3.eu|panda-demo.ondaprism.eu|panda-demo.copernicus.eu|cdsportal-demo.copernicus.eu|ocqc-demo.copernicus.eu|dem.pdas.prism.eox.at|dem.pass.copernicus.eu)/?`)"
- "traefik.http.routers.dem-renderer_referer-redirect.middlewares=redirect@file"
- "traefik.http.routers.dem-renderer_referer-redirect.entrypoints=http"
+ # Auth forwarding
+ - "traefik.frontend.auth.forward.address=http://auth/auth"
+ - traefik.frontend.auth.forward.authResponseHeaders=X-Forwarded-User
+ - traefik.frontend.auth.forward.trustForwardHeader=true
# general
- "traefik.http.services.dem-renderer.loadbalancer.sticky=false"
- "traefik.http.services.dem-renderer.loadbalancer.server.port=80"
@@ -74,6 +78,10 @@ services:
- "traefik.http.routers.dem-cache_referer-redirect.rule=Host(`dem.pdas.prism.eox.at`, `a.dem.pdas.prism.eox.at`, `b.dem.pdas.prism.eox.at`, `c.dem.pdas.prism.eox.at`, `d.dem.pdas.prism.eox.at`, `e.dem.pdas.prism.eox.at`, `f.dem.pdas.prism.eox.at`, `g.dem.pdas.prism.eox.at`, `h.dem.pdas.prism.eox.at`, `dem.pass.copernicus.eu`, `a.dem.pass.copernicus.eu`, `b.dem.pass.copernicus.eu`, `c.dem.pass.copernicus.eu`, `d.dem.pass.copernicus.eu`, `e.dem.pass.copernicus.eu`, `f.dem.pass.copernicus.eu`, `g.dem.pass.copernicus.eu`, `h.dem.pass.copernicus.eu`) && PathPrefix(`/cache`) && HeadersRegexp(`Referer`, `(https?://)?(panda.copernicus.eu|panda.cdsv3.eu|panda-demo.ondaprism.eu|panda-demo.copernicus.eu|cdsportal-demo.copernicus.eu|ocqc-demo.copernicus.eu|dem.pdas.prism.eox.at|dem.pass.copernicus.eu)/?`)"
- "traefik.http.routers.dem-cache_referer-redirect.middlewares=redirect@file"
- "traefik.http.routers.dem-cache_referer-redirect.entrypoints=http"
+ # Auth forwarding
+ - "traefik.frontend.auth.forward.address=http://auth/auth"
+ - traefik.frontend.auth.forward.authResponseHeaders=X-Forwarded-User
+ - traefik.frontend.auth.forward.trustForwardHeader=true
# general
- "traefik.http.services.dem-cache.loadbalancer.sticky=false"
- "traefik.http.services.dem-cache.loadbalancer.server.port=80"
@@ -114,6 +122,10 @@ services:
- "traefik.http.routers.dem-client-redirect.rule=Host(`dem.pdas.prism.eox.at`, `dem.pass.copernicus.eu`)"
- "traefik.http.routers.dem-client-redirect.middlewares=redirect@file"
- "traefik.http.routers.dem-client-redirect.entrypoints=http"
+ # Auth forwarding
+ - "traefik.frontend.auth.forward.address=http://auth/auth"
+ - traefik.frontend.auth.forward.authResponseHeaders=X-Forwarded-User
+ - traefik.frontend.auth.forward.trustForwardHeader=true
# general
- "traefik.http.services.dem-client.loadbalancer.sticky=false"
- "traefik.http.services.dem-client.loadbalancer.server.port=80"
diff --git a/docker-compose.emg.ops.yml b/docker-compose.emg.ops.yml
index fcc054e6..34a0dc82 100644
--- a/docker-compose.emg.ops.yml
+++ b/docker-compose.emg.ops.yml
@@ -32,6 +32,10 @@ services:
- "traefik.http.routers.emg-renderer_referer-redirect.rule=Host(`emg.pdas.prism.eox.at`, `a.emg.pdas.prism.eox.at`, `b.emg.pdas.prism.eox.at`, `c.emg.pdas.prism.eox.at`, `d.emg.pdas.prism.eox.at`, `e.emg.pdas.prism.eox.at`, `f.emg.pdas.prism.eox.at`, `g.emg.pdas.prism.eox.at`, `h.emg.pdas.prism.eox.at`, `emg.pass.copernicus.eu`, `a.emg.pass.copernicus.eu`, `b.emg.pass.copernicus.eu`, `c.emg.pass.copernicus.eu`, `d.emg.pass.copernicus.eu`, `e.emg.pass.copernicus.eu`, `f.emg.pass.copernicus.eu`, `g.emg.pass.copernicus.eu`, `h.emg.pass.copernicus.eu`) && PathPrefix(`/ows`, `/opensearch`, `/admin`) && HeadersRegexp(`Referer`, `(https?://)?(panda.copernicus.eu|panda.cdsv3.eu|panda-demo.ondaprism.eu|panda-demo.copernicus.eu|cdsportal-demo.copernicus.eu|ocqc-demo.copernicus.eu|emg.pdas.prism.eox.at|emg.pass.copernicus.eu)/?`)"
- "traefik.http.routers.emg-renderer_referer-redirect.middlewares=redirect@file"
- "traefik.http.routers.emg-renderer_referer-redirect.entrypoints=http"
+ # Auth forwarding
+ - "traefik.frontend.auth.forward.address=http://auth/auth"
+ - traefik.frontend.auth.forward.authResponseHeaders=X-Forwarded-User
+ - traefik.frontend.auth.forward.trustForwardHeader=true
# general
- "traefik.http.services.emg-renderer.loadbalancer.sticky=false"
- "traefik.http.services.emg-renderer.loadbalancer.server.port=80"
@@ -74,6 +78,10 @@ services:
- "traefik.http.routers.emg-cache_referer-redirect.rule=Host(`emg.pdas.prism.eox.at`, `a.emg.pdas.prism.eox.at`, `b.emg.pdas.prism.eox.at`, `c.emg.pdas.prism.eox.at`, `d.emg.pdas.prism.eox.at`, `e.emg.pdas.prism.eox.at`, `f.emg.pdas.prism.eox.at`, `g.emg.pdas.prism.eox.at`, `h.emg.pdas.prism.eox.at`, `emg.pass.copernicus.eu`, `a.emg.pass.copernicus.eu`, `b.emg.pass.copernicus.eu`, `c.emg.pass.copernicus.eu`, `d.emg.pass.copernicus.eu`, `e.emg.pass.copernicus.eu`, `f.emg.pass.copernicus.eu`, `g.emg.pass.copernicus.eu`, `h.emg.pass.copernicus.eu`) && PathPrefix(`/cache`) && HeadersRegexp(`Referer`, `(https?://)?(panda.copernicus.eu|panda.cdsv3.eu|panda-demo.ondaprism.eu|panda-demo.copernicus.eu|cdsportal-demo.copernicus.eu|ocqc-demo.copernicus.eu|emg.pdas.prism.eox.at|emg.pass.copernicus.eu)/?`)"
- "traefik.http.routers.emg-cache_referer-redirect.middlewares=redirect@file"
- "traefik.http.routers.emg-cache_referer-redirect.entrypoints=http"
+ # Auth forwarding
+ - "traefik.frontend.auth.forward.address=http://auth/auth"
+ - traefik.frontend.auth.forward.authResponseHeaders=X-Forwarded-User
+ - traefik.frontend.auth.forward.trustForwardHeader=true
# general
- "traefik.http.services.emg-cache.loadbalancer.sticky=false"
- "traefik.http.services.emg-cache.loadbalancer.server.port=80"
@@ -114,6 +122,10 @@ services:
- "traefik.http.routers.emg-client-redirect.rule=Host(`emg.pdas.prism.eox.at`, `emg.pass.copernicus.eu`)"
- "traefik.http.routers.emg-client-redirect.middlewares=redirect@file"
- "traefik.http.routers.emg-client-redirect.entrypoints=http"
+ # Auth forwarding
+ - "traefik.frontend.auth.forward.address=http://auth/auth"
+ - traefik.frontend.auth.forward.authResponseHeaders=X-Forwarded-User
+ - traefik.frontend.auth.forward.trustForwardHeader=true
# general
- "traefik.http.services.emg-client.loadbalancer.sticky=false"
- "traefik.http.services.emg-client.loadbalancer.server.port=80"
diff --git a/docker-compose.vhr18.ops.yml b/docker-compose.vhr18.ops.yml
index e8665d49..068238d2 100644
--- a/docker-compose.vhr18.ops.yml
+++ b/docker-compose.vhr18.ops.yml
@@ -33,6 +33,10 @@ services:
- "traefik.http.routers.vhr18-renderer_referer-redirect.rule=Host(`vhr18.pdas.prism.eox.at`, `a.vhr18.pdas.prism.eox.at`, `b.vhr18.pdas.prism.eox.at`, `c.vhr18.pdas.prism.eox.at`, `d.vhr18.pdas.prism.eox.at`, `e.vhr18.pdas.prism.eox.at`, `f.vhr18.pdas.prism.eox.at`, `g.vhr18.pdas.prism.eox.at`, `h.vhr18.pdas.prism.eox.at`, `vhr18.pass.copernicus.eu`, `a.vhr18.pass.copernicus.eu`, `b.vhr18.pass.copernicus.eu`, `c.vhr18.pass.copernicus.eu`, `d.vhr18.pass.copernicus.eu`, `e.vhr18.pass.copernicus.eu`, `f.vhr18.pass.copernicus.eu`, `g.vhr18.pass.copernicus.eu`, `h.vhr18.pass.copernicus.eu`) && PathPrefix(`/ows`, `/opensearch`, `/admin`) && HeadersRegexp(`Referer`, `(https?://)?(panda.copernicus.eu|panda.cdsv3.eu|panda-demo.ondaprism.eu|panda-demo.copernicus.eu|cdsportal-demo.copernicus.eu|ocqc-demo.copernicus.eu|vhr18.pdas.prism.eox.at|vhr18.pass.copernicus.eu)/?`)"
- "traefik.http.routers.vhr18-renderer_referer-redirect.middlewares=redirect@file"
- "traefik.http.routers.vhr18-renderer_referer-redirect.entrypoints=http"
+ # Auth forwarding
+ - "traefik.frontend.auth.forward.address=http://auth/auth"
+ - traefik.frontend.auth.forward.authResponseHeaders=X-Forwarded-User
+ - traefik.frontend.auth.forward.trustForwardHeader=true
# general
- "traefik.http.services.vhr18-renderer.loadbalancer.sticky=false"
- "traefik.http.services.vhr18-renderer.loadbalancer.server.port=80"
@@ -74,6 +78,10 @@ services:
- "traefik.http.routers.vhr18-cache_referer-redirect.rule=Host(`vhr18.pdas.prism.eox.at`, `a.vhr18.pdas.prism.eox.at`, `b.vhr18.pdas.prism.eox.at`, `c.vhr18.pdas.prism.eox.at`, `d.vhr18.pdas.prism.eox.at`, `e.vhr18.pdas.prism.eox.at`, `f.vhr18.pdas.prism.eox.at`, `g.vhr18.pdas.prism.eox.at`, `h.vhr18.pdas.prism.eox.at`, `vhr18.pass.copernicus.eu`, `a.vhr18.pass.copernicus.eu`, `b.vhr18.pass.copernicus.eu`, `c.vhr18.pass.copernicus.eu`, `d.vhr18.pass.copernicus.eu`, `e.vhr18.pass.copernicus.eu`, `f.vhr18.pass.copernicus.eu`, `g.vhr18.pass.copernicus.eu`, `h.vhr18.pass.copernicus.eu`) && PathPrefix(`/cache`) && HeadersRegexp(`Referer`, `(https?://)?(panda.copernicus.eu|panda.cdsv3.eu|panda-demo.ondaprism.eu|panda-demo.copernicus.eu|cdsportal-demo.copernicus.eu|ocqc-demo.copernicus.eu|vhr18.pdas.prism.eox.at|vhr18.pass.copernicus.eu)/?`)"
- "traefik.http.routers.vhr18-cache_referer-redirect.middlewares=redirect@file"
- "traefik.http.routers.vhr18-cache_referer-redirect.entrypoints=http"
+ # Auth forwarding
+ - "traefik.frontend.auth.forward.address=http://auth/auth"
+ - traefik.frontend.auth.forward.authResponseHeaders=X-Forwarded-User
+ - traefik.frontend.auth.forward.trustForwardHeader=true
# general
- "traefik.http.services.vhr18-cache.loadbalancer.sticky=false"
- "traefik.http.services.vhr18-cache.loadbalancer.server.port=80"
@@ -97,7 +105,7 @@ services:
replicas: 0
placement:
constraints:
- - node.labels.type == internal
+ - node.labels.type == internal
client:
configs:
- source: client-ops
@@ -114,6 +122,10 @@ services:
- "traefik.http.routers.vhr18-client-redirect.rule=Host(`vhr18.pdas.prism.eox.at`, `vhr18.pass.copernicus.eu`)"
- "traefik.http.routers.vhr18-client-redirect.middlewares=redirect@file"
- "traefik.http.routers.vhr18-client-redirect.entrypoints=http"
+ # Auth forwarding
+ - "traefik.frontend.auth.forward.address=http://auth/auth"
+ - traefik.frontend.auth.forward.authResponseHeaders=X-Forwarded-User
+ - traefik.frontend.auth.forward.trustForwardHeader=true
# general
- "traefik.http.services.vhr18-client.loadbalancer.sticky=false"
- "traefik.http.services.vhr18-client.loadbalancer.server.port=80"
@@ -122,7 +134,7 @@ services:
- "traefik.enable=true"
placement:
constraints:
- - node.labels.type == external
+ - node.labels.type == external
networks:
- extnet
preprocessor:
--
GitLab