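version: '3'

services:
  # Reverse proxy: Traefik terminates TLS and routes requests to the other
  # containers.
  traefik:
    # NOTE(review): "latest" is a moving tag, so every pull can bring in a
    # different build. Pin a specific release tag or an image digest so that
    # upgrades are deliberate and reproducible.
    image: "traefik:latest"
    restart: unless-stopped
    # Prevents processes in the container from gaining extra privileges
    # (for example through setuid binaries).
    security_opt:
      - "no-new-privileges:true"
    # Port mapping: required for http and https traffic, as well as for the
    # Traefik Dashboard (8080), but this is optional (disable in production, if
    # not required)!
    ports:
      - "80:80"
      - "443:443"
      # optional! Published on all host interfaces as written. Whether the
      # dashboard on this port requires authentication depends on traefik.yml,
      # which is not shown here. Remove the mapping or bind it to 127.0.0.1
      # unless remote access is really needed.
      - "8080:8080"
    # A Docker network is used to connect Traefik with other Docker containers.
    networks:
      - traefik_proxy
      - traefik_internal
    volumes:
      # Storage for SSL certificates. This directory holds the ACME account
      # and certificate private keys; keep its host permissions restrictive.
      - "/mnt/traefik/letsencrypt:/letsencrypt"
      # Required for the Docker provider.
      # NOTE(review): ":ro" only makes the socket file mount read-only; it
      # does not limit which Docker API calls can be sent through the socket.
      # Access to this socket is effectively root on the host. Consider
      # putting a socket proxy in between that allows read-only endpoints only.
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
      # Our configuration file:
      - "/mnt/traefik/traefik.yml:/traefik.yml:ro"
      # Our dynamic configuration, which can be adjusted during runtime.
      # NOTE(review): mounted read-write. If the file is only ever edited on
      # the host, ":ro" would stop the container from modifying it.
      - "/mnt/traefik/dynamic_conf.yml:/dynamic_conf.yml"

  # Forward-auth service: Traefik asks it whether a request carries a valid
  # Google login before passing the request on.
  oauth:
    container_name: oauth
    # NOTE(review): no tag given, so this resolves to "latest". Pin a release
    # tag or digest, as for the Traefik image.
    image: thomseddon/traefik-forward-auth
    restart: always
    security_opt:
      - "no-new-privileges:true"
    environment:
      # All ${...} values are substituted by Compose from the shell
      # environment or an .env file. Keep that file out of version control:
      # it contains the OAuth client secret and the cookie-signing secret.
      PROVIDERS_GOOGLE_CLIENT_ID: "${GOOGLE_CLIENT_ID}"
      PROVIDERS_GOOGLE_CLIENT_SECRET: "${GOOGLE_CLIENT_SECRET}"
      # Use a long random value here.
      SECRET: "${SECRET}"
      COOKIE_DOMAIN: "${DOMAIN}"
      AUTH_HOST: "oauth.${DOMAIN}"
      # Only accounts listed under WHITELIST are allowed to access the service
      # after Google login. Replace the placeholders with real addresses.
      # NOTE(review): an empty list is understood to admit any Google
      # account - confirm against the traefik-forward-auth documentation.
      WHITELIST: "xxx@gmail.com,xxx@gmail.com"
    labels:
      # Plain HTTP is used towards the auth service; this traffic stays on
      # the internal Docker network.
      traefik.http.middlewares.oauth.forwardauth.address: "http://oauth:4181"
      traefik.http.middlewares.oauth.forwardauth.authResponseHeaders: "X-Forwarded-User"
      # NOTE(review): "true" makes Traefik pass on X-Forwarded-* headers it
      # received from the client. That is only safe behind another trusted
      # proxy. This file publishes 80/443 directly, so verify that the
      # setting is really needed.
      traefik.http.middlewares.oauth.forwardauth.trustForwardHeader: "true"
      traefik.http.routers.oauth.middlewares: "oauth"
      traefik.enable: "true"
      traefik.http.routers.oauth.rule: "Host(`oauth.${DOMAIN}`)"
      traefik.http.routers.oauth.tls: "true"
      # The "letsencrypt" resolver is presumably defined in traefik.yml
      # (not shown here).
      traefik.http.routers.oauth.tls.certresolver: "letsencrypt"
      # Label values are strings; quoted to avoid implicit typing.
      traefik.http.services.oauth.loadbalancer.server.port: "4181"
    networks:
      - traefik_internal

networks:
  # Created outside this file and shared with the proxied application stacks.
  traefik_proxy:
    external: true
  # Created by this Compose project; connects Traefik and the auth service.
  traefik_internal:
    external: false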