Securing Traefik Dashboard with Azure AD
In my previous article, I went through the steps of deploying Traefik to an AKS cluster with Let’s Encrypt configured for automatic SSL. But, one of the things which I left out for the sake of simplicity was how to secure the Traefik dashboard. The Traefik dashboard allows you to easily visualize the services, middlewares and routers you have configured in your cluster and is definitely something you don’t want an attacker to access. So in this article, I’ll describe how to secure your Traefik dashboard with an oidc provider. Specifically, we will be using Azure Active Directory since our cluster is hosted in Azure.
The source code for this article can be found here:
Traefik Authentication
As described here, the dashboard can be secured using either Basic Authentication, Digest Authentication or Forwarded Authentication. We’ll be using Forwarded Authentication as this allows us to store our users in an external system, like Azure Active Directory.
NB. Traefik authentication can be applied to any service that Traefik is routing a request to, so this authentication would work equally well for services other than the dashboard
Authentication Server
The forwarded authentication request can be handled by any application that is capable of receiving a request and then validating the user, and returning a 200 OK response. For the authentication server, we’ll be using the docker image thomseddon/traefik-forward-auth, which is a minimal authentication service that provides OAuth/SSO login and authentication specifically designed for Traefik authentication.
Authentication Setup
In order for us to secure the dashboard, we’ll have to do four things:
- Setup Traefik configuration to protect the dashboard and trust forwarded headers from select domains.
- Setup an Azure Active Directory application to handle user authentication.
- Setup the Authentication server.
- Setup a Traefik routing rule for requests going to the dashboard. Along with forwarded authentication middleware for sending requests to the authentication server.
Now that we understand the basics of how authentication will be accomplished, lets dive in.
1. Traefik Configuration
The Traefik configuration is shown below:
The important things to note here are:
- The flag
api-dashboard=true
specifies that the dashboard should be enabled. - The setting
entryPoints.websecure.forwardedHeaders.trustedIPs
specifies which IP’s Traefik should accept forwarded headers from. One of the easiest ways to find this value is to use the whoami docker image we deployed in the previous article, and look at the X-Real-IP header. While developing you can instead set the flagentryPoints.web.forwardedHeaders.insecure
, which tells Traefik to accept headers from any IP.
2. Azure Active Directory Setup
We’ll need to create a new application inside Azure AD so that we can authenticate users trying to access the Traefik dashboard. Running the below script will create an application named TraefikDashboardAuthentication in your Azure AD, create a secret used for authentication and grant it permissions to read users’ profiles.
The important thing to note here is that:
- The script will output the Application Id and the Application Secret which will be used as configuration parameters for our Authentication server. NB. The secret is only shown once and then hidden for security purposes so be sure to copy this secret for later use.
3. Authentication Server Setup
The authentication server, we’ll be using thomseddon/traefik-forward-auth will be deployed into our Kubernetes cluster. In order for the deployment to work successfully we need to configure some Kubernetes secrets which will be used by the authentication server as configuration inputs. Execute the following command in order to seed the required secrets.
The important things to note here are:
- The Azure Tenant ID can be retrieved by executing the command
az account get-access-token --query tenant --output tsv.
- The Application ID and Client Secret are the values that were output from the Azure AD application creation script run earlier.
- The JWT SECRET is used to sign the authentication cookie and can be any randomly generated value. If you have open ssl installed you can easily generate one by running the command
openssl rand -hex 16.
Now we’re ready to deploy our authentication server.
The important thing to note here is that:
- The authentication server makes use of Traefik Host Header routing rule, so you’ll need to input your domain name into the configuration so the routing works correctly.
Once the authentication server has been successfully deployed, you’ll need to add a DNS record so that the URL https://traefikauth.YOURDOMAIN.com resolves to your Traefik external IP address.
4. Traefik Dashboard Routing and Authentication Middleware Setup
Finally, we will need to setup a routing rule so that when we try and access https://traefik.YOURDOMAIN.com it will be redirected to the Traefik service running inside our cluster. Additionally, we also need to configure the request to flow through our authentication middleware.
The important things to note here are:
- The Middleware is created and uses the address property to point to our authentication server. We then configure the middleware to trust forwarded headers coming from our authentication server and tell Traefik that we specifically want to copy the response header X-Forwarded-User.
- We need to setup a CNAME for traefik so that our requests to https://traefik.YOURDOMAIN.com will resolve correctly.
With everything configured we should now be able to access the Traefik dashboard on :
https://traefik.yourdomain.com/dashboard/
This should then result in the request being redirected to Azure AD, and once you authenticate successfully you will be redirected to the Traefik dashboard.
Conclusion
We now have a fully secured Traefik dashboard with our authentication handled by Azure Active Directory, allowing us to easily manage access to the dashboard.