Go to file
2024-11-21 11:21:47 +01:00
consul/policies Cleanups 2024-01-31 16:20:00 +01:00
example Remove to for http/https entrypoints 2024-11-21 11:21:47 +01:00
images/traefik Multi-stage build, run as a user 2024-07-30 16:55:36 +02:00
init Add init script for consul policy 2024-05-20 11:38:20 +02:00
templates Remove swp file 2024-11-03 23:26:17 +01:00
vault Use workload identities 2024-09-30 22:15:35 +02:00
.gitmodules Use bundles.yml to handle dependencies 2023-09-28 15:16:41 +02:00
bundles.yml Switch to the lemonldap-ng image 2024-01-04 11:27:27 +01:00
README.md Add init script for consul policy 2024-05-20 11:38:20 +02:00
traefik.nomad.hcl Add middlewares to handle redirect to dashboard 2024-11-11 22:19:08 +01:00
variables.yml Remove to for http/https entrypoints 2024-11-21 11:21:47 +01:00

Initial configuration

After a first ctctl prepare, you need to create the consul policy

./output/init.traefik-consul

This policy is used by Traefik to get a list of running services from the Consul catalog

IP whitelist / blacklist

The job support getting lists of IP addresses/CIDR dynamycally from Consul K/V store. To create a new list, go on Consul Key/Value from the web interface, in common/ip (create the tree if needed), then create an entry. For example, an entry named trusted, with the following content:

- 10.99.9.1       # fw-dc for healthcheck
- 192.168.7.0/24  # Private LAN
- 10.99.20.0/24   # VPN roadwarriors
- 10.99.23.0/24   # VPN Wireguard

Format it as a YAML document. Now, as soon as you save this, a new middleware named ip-trusted@file will be available on Traefik, and can be used by routers to protect sensitive applications. You can also include an IP list in another one. For example, another IP list named admin could contain

- include:trusted
- 10.29.0.0/16

Now the ip-admin@file middleware contains all the IP of the trusted list, plus 10.29.0.0/16

Basic authentication middlewares

You can configure basic auth middlewares by putting user/password in vault. For example

vault kv put kv/service/traefik/basicauth/monitoring john='S3cr3t.' marie='p@ssw0rd'

Then, a basicauth-monitoring@file middleware will be automaticaly created and available for routers to protect the app you want. The password can be either plain text, or an already bcrypt encrypted password (starting with $2y$).

Note that while creating new or updating existing basicauth entry will be reloaded without a need to restart Traefik, it can take up to 5 min for the change to propagate.

Lemonldap::NG Handler

The job support running a Lemonldap::NG handler, using the REST API to reach config and session databases

lemonldap:
  enabled: True
  config:
    url: https://auth.example.org/index.psgi/config
    user: lemonldap
    password: '{{ with secret "kv/service/traefik" }}{{ .Data.data.llng_api_pwd }}{{ end }}'
    realm: Lemonldap::NG API
  sessions:
    url: https://auth.example.org/index.psgi/sessions/global
    user: lemonldap
    password: '{{ with secret "kv/service/traefik" }}{{ .Data.data.llng_api_pwd }}{{ end }}'
    realm: Lemonldap::NG API

And the password for the API is stored in vault

vault kv put kv/service/traefik llng_api_pwd='ThisIsNotAVeryStrongPassword'