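version: "3.3"
#
# Compose overlay that puts Google OAuth single sign-on (traefik-forward-auth) in
# front of selected Traefik routers and layers in a per-client-IP rate limit.
# The traefik and whoami services only carry labels here; their full definitions
# live in the base compose file this overlay is merged with.
#
# @credit https://www.smarthomebeginner.com/google-oauth-with-traefik-2-docker/
#
# Security notes for operators:
#   * X-Forwarded-User is only trustworthy if the protected backends are reachable
#     solely through Traefik (shared Docker network, no published ports). Anything
#     that can reach a backend directly can set that header itself.
#   * COOKIE_DOMAIN=${DOMAIN} scopes the session cookie to every subdomain of
#     ${DOMAIN}, so each host under it must be one you control.
#   * OAUTH_SECRET signs the session cookie: use a long random value, keep it in
#     .env or a secret store, never commit it.
#
services:
  traefik:
    labels:
      # -----------------------------
      # Define reusable middlewares
      # -----------------------------
      # Every request is first sent to traefik-forward-auth; only a 2xx from it
      # lets the request through to the backend.
      - traefik.http.middlewares.sso.forwardauth.address=http://oauth:4181
      # Pass incoming X-Forwarded-* headers through to the auth service. This is
      # safe only because a stock Traefik v2 entrypoint drops X-Forwarded-* from
      # untrusted sources; do NOT combine it with
      # entryPoints.<name>.forwardedHeaders.insecure=true or an over-broad
      # forwardedHeaders.trustedIPs, or clients can spoof the X-Forwarded-Host /
      # X-Forwarded-Uri the auth service uses for redirects and bypass rules.
      - traefik.http.middlewares.sso.forwardauth.trustForwardHeader=true
      # Copy the authenticated identity from the auth response onto the request
      # that reaches the backend.
      - traefik.http.middlewares.sso.forwardauth.authResponseHeaders=X-Forwarded-User
      # Rate limit: a token bucket keyed by client IP (the default sourceCriterion
      # is the request's remote address). `average` is the refill rate per period
      # (1s by default) and `burst` the bucket size. If Traefik itself sits behind
      # another proxy or CDN, all clients share one bucket unless
      # rateLimit.sourceCriterion.ipStrategy is configured.
      - traefik.http.middlewares.rate-limit.rateLimit.average=100
      - traefik.http.middlewares.rate-limit.rateLimit.burst=50
      # -----------------------------
      # Define chains
      # -----------------------------
      # Order matters: rate-limit runs before sso, so unauthenticated floods are
      # throttled before they ever reach the auth service.
      - traefik.http.middlewares.chain-oauth.chain.middlewares=rate-limit,sso
      - traefik.http.middlewares.chain-no-auth.chain.middlewares=rate-limit
      # -----------------------------
      # Apply middlewares to dashboard UI
      # -----------------------------
      - traefik.http.routers.traefik.middlewares=chain-oauth@docker
  oauth:
    restart: unless-stopped
    container_name: oauth
    # NOTE(review): floating tag. Pin to a release tag or an @sha256 digest so an
    # upstream push cannot silently replace the component that gates every login.
    image: thomseddon/traefik-forward-auth
    security_opt:
      # Static binary, no setuid needed: block privilege escalation inside the container.
      - no-new-privileges:true
    # Allow apps to bypass OAuth. Radarr example below will bypass OAuth if API key is present in the request (eg. from NZB360 mobile app).
    # While this is one way, the recommended way is to bypass authentication using Traefik labels shown in some of the apps later.
    # command: --rule.radarr.action=allow --rule.radarr.rule=Headers(`X-Api-Key`, `$RADARR_API_KEY`)
    # command: --rule.sabnzbd.action=allow --rule.sabnzbd.rule=HeadersRegexp(`X-Forwarded-Uri`, `$SABNZBD_API_KEY`)
    # NOTE(review): before enabling the HeadersRegexp rule, make sure $SABNZBD_API_KEY
    # cannot expand to an empty string — an empty regexp appears to match every
    # X-Forwarded-Uri, which would turn the rule into an unconditional bypass.
    environment:
      - PROVIDERS_GOOGLE_CLIENT_ID=${GCP_OAUTH_CLIENT_ID}
      - PROVIDERS_GOOGLE_CLIENT_SECRET=${GCP_OAUTH_CLIENT_SECRET}
      # Signs the session cookie; see the operator notes at the top of this file.
      - SECRET=${OAUTH_SECRET}
      # Auth-host mode: the cookie must cover both AUTH_HOST and every protected host.
      - COOKIE_DOMAIN=${DOMAIN}
      - AUTH_HOST=oauth.${DOMAIN}
      - URL_PATH=${OAUTH_PATH}
      # `info` for normal operation; raise to `debug` only while troubleshooting.
      # Debug output from an auth service carries request details you do not want
      # sitting in long-term logs.
      - LOG_LEVEL=info
      - LOG_FORMAT=pretty
    labels:
      - traefik.enable=true
      # -----------------------------
      # HTTP Routers
      # -----------------------------
      - traefik.http.routers.oauth.entrypoints=https
      # Serve AUTH_HOST explicitly. Without a rule the Docker provider falls back to
      # its defaultRule (stock value Host(`oauth`)), which would not match
      # oauth.${DOMAIN}; if your static config already customises defaultRule this
      # label is redundant but harmless.
      - traefik.http.routers.oauth.rule=Host(`oauth.${DOMAIN}`)
      # The login/callback endpoint must stay unauthenticated, but it is the one
      # public surface of the auth service, so it still gets the rate limit.
      - traefik.http.routers.oauth.middlewares=chain-no-auth@docker
      # -----------------------------
      # HTTP Services
      # -----------------------------
      - traefik.http.services.oauth.loadbalancer.server.port=4181
      - traefik.http.routers.oauth.service=oauth
    networks:
      - web
  whoami:
    labels:
      # Example protected app: rate limit, then SSO.
      - traefik.http.routers.whoami.middlewares=chain-oauth@docker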