I need some help with Docker labels. I am using Docker via Portainer and have the following stack:
services:
  myapp:
    image: lscr.io/linuxserver/myapp:latest
    container_name: myapp
    depends_on:
      - gluetun
    network_mode: "service:gluetun" # Uses Gluetun's network stack
    restart: unless-stopped
    volumes:
      - /mnt/apps/appconfig/myapp:/config
    environment:
      - PUID=123
      - PGID=123
      - TZ=Europe/London
  gluetun:
    image: qmcgaw/gluetun
    container_name: gluetun_myapp
    cap_add:
      - NET_ADMIN
    devices:
      - /dev/net/tun:/dev/net/tun
    environment:
      - VPN_SERVICE_PROVIDER=Provider
      - VPN_TYPE=openvpn
      - OPENVPN_USER=${OPENVPN_USER}
      - OPENVPN_PASSWORD=${OPENVPN_PASSWORD}
      - TZ=Europe/London
      - LOCAL_NETWORK=192.168.0.0/24,172.16.1.0/24
      - VPN_INPUT_PORTS=1234
      - FIREWALL_OUTBOUND_SUBNETS=192.168.0.0/24
    restart: unless-stopped
    ports:
      - "1234:1234/tcp"
networks:
  default:
    driver: bridge
In my dynamic.yml file for Traefik, I have:
http:
  middlewares:
    authelia-forward:
      forwardAuth:
        address: "http://authelia:9091/api/verify?rd=https://auth.mydomain.com/"
        trustForwardHeader: true
        authResponseHeaders:
          - "Remote-User"
          - "Remote-Groups"
          - "Remote-Email"
          - "Remote-Name"
    redirect-to-https:
      redirectScheme:
        scheme: https
    restrict-lan-only:
      ipWhiteList:
        sourceRange:
          - "192.168.0.0/16"
    authelia-bypass:
      chain:
        middlewares:
          - ip-whitelist
          - authelia-onefactor
    ip-whitelist:
      ipWhiteList:
        sourceRange:
          - 192.168.0.0/16
    authelia-onefactor:
      forwardAuth:
        address: "http://authelia:9091/api/verify?auth=1"
        trustForwardHeader: true
        authResponseHeaders:
          - "Remote-User"
          - "Remote-Groups"
          - "Remote-Name"
          - "Remote-Email"
  routers:
    # myapp
    myapp-http:
      rule: "Host(`myapp.mydomain.com`)"
      entryPoints:
        - web
      middlewares:
        - redirect-to-https
      service: myapp
    myapp-https:
      rule: "Host(`myapp.mydomain.com`)"
      entryPoints:
        - websecure
      service: myapp
      tls:
        certResolver: cloudflare
      middlewares:
        - authelia-forward
  services:
    myapp:
      loadBalancer:
        servers:
          - url: "http://192.168.0.xx:1234"
        passHostHeader: true
And in configuration.yml for Authelia, I have:
server:
  # Replaces host: 0.0.0.0 and port: 5678
  # Use the "tcp://" syntax. This listens on all interfaces at port 9091.
  address: tcp://0.0.0.0:5678
log:
  level: info
  format: text
identity_validation:
  reset_password:
    jwt_secret: "@env::AUTHELIA_JWT_SECRET"
session:
  name: authelia_session
  secret: "@env::AUTHELIA_SESSION_SECRET"
  expiration: 3600
  remember_me: 1M
  cookies:
    - domain: "mydomain.com"
      authelia_url: "https://auth.mydomain.com"
      same_site: lax
authentication_backend:
  file:
    path: /config/users_database.yml
storage:
  encryption_key: "@env::AUTHELIA_STORAGE_ENCRYPTION_KEY"
  local:
    path: /config/db.sqlite3
notifier:
  filesystem:
    filename: /config/notification.txt
access_control:
  default_policy: deny
  rules:
    - domain: "myapp.mydomain.com"
      policy: bypass
      networks:
        - 192.168.0.0/16
    - domain: "myapp.mydomain.com"
      policy: one_factor
This all works as I would like, but I would prefer to have the configuration in labels in the Portainer file. I have tried:
labels:
  - traefik.enable=true
  - traefik.http.routers.myapp-https.rule=Host(`myapp.mydomain.com`)
  - traefik.http.routers.myapp-https.entrypoints=websecure
  - traefik.http.routers.myapp-https.tls.certresolver=cloudflare
  - traefik.http.routers.myapp-https.middlewares=authelia-forward@file,authelia-bypass@file
  - traefik.http.services.myapp.loadbalancer.server.url=http://192.168.0.xx
  - traefik.http.services.myapp.loadbalancer.server.port=1234
But I get 403 Forbidden.
What labels do I need? Also, any thoughts on improving the security are appreciated!
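Added example, not part of the post above: a small Python model of how the two access-control layers in the posted configuration treat a request, keyed on the client IP each layer sees. It encodes the Authelia `access_control` rules (evaluated top to bottom, first match wins, a rule with `networks` only matches clients inside those ranges, otherwise `default_policy`) and the Traefik middlewares from `dynamic.yml` (an `ipWhiteList` middleware answers 403 itself for a source outside `sourceRange`, a `chain` expands in place, and `forwardAuth` consults Authelia). Running the router's label middleware list `authelia-forward,authelia-bypass` through it shows that a client outside 192.168.0.0/16 is stopped by `ip-whitelist` with a 403 even after it has logged in, whereas the file-provider router, which only applies `authelia-forward`, lets that client through once authenticated. The client IPs, the outcome strings and the function names are constructed for this illustration; `authenticated` stands in for a valid Authelia session on the request.

```python
import ipaddress

# Authelia access_control.rules from the post, in file order (first match wins).
ACCESS_RULES = [
    {"domain": "myapp.mydomain.com", "policy": "bypass", "networks": ["192.168.0.0/16"]},
    {"domain": "myapp.mydomain.com", "policy": "one_factor"},
]
DEFAULT_POLICY = "deny"

# Traefik middlewares from the post's dynamic.yml, reduced to what this model needs.
IP_WHITELIST_SOURCE_RANGE = ["192.168.0.0/16"]
CHAINS = {"authelia-bypass": ["ip-whitelist", "authelia-onefactor"]}
FORWARD_AUTH = {"authelia-forward", "authelia-onefactor"}
IP_WHITELISTS = {"ip-whitelist", "restrict-lan-only"}


def in_networks(client_ip, networks):
    """True when client_ip falls inside any of the CIDR ranges."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in ipaddress.ip_network(net, strict=False) for net in networks)


def authelia_policy(host, client_ip):
    """Resolve the Authelia policy for a request: rules are checked in order,
    a rule carrying `networks` matches only clients inside those ranges, and
    the first match wins; no match falls through to default_policy."""
    for rule in ACCESS_RULES:
        if rule["domain"] != host:
            continue
        if "networks" in rule and not in_networks(client_ip, rule["networks"]):
            continue
        return rule["policy"]
    return DEFAULT_POLICY


def evaluate_request(middlewares, host, client_ip, authenticated=False):
    """Walk a router's middleware list in order (a chain expands in place) and
    return the constructed outcome label the client would see."""
    for name in middlewares:
        if name in CHAINS:
            outcome = evaluate_request(CHAINS[name], host, client_ip, authenticated)
            if outcome != "proxied to myapp":
                return outcome
        elif name in IP_WHITELISTS:
            # ipWhiteList rejects on its own; Authelia is never consulted.
            if not in_networks(client_ip, IP_WHITELIST_SOURCE_RANGE):
                return f"403 Forbidden ({name})"
        elif name in FORWARD_AUTH:
            policy = authelia_policy(host, client_ip)
            if policy == "deny":
                return "403 Forbidden (Authelia deny)"
            if policy == "one_factor" and not authenticated:
                return "login required (Authelia)"
            # "bypass", or one_factor with a valid session: keep going.
        else:
            raise ValueError(f"unknown middleware: {name}")
    return "proxied to myapp"


if __name__ == "__main__":
    HOST = "myapp.mydomain.com"
    LAN, INTERNET = "192.168.1.10", "203.0.113.5"  # constructed client IPs
    label_mws = ["authelia-forward", "authelia-bypass"]  # from the labels
    file_mws = ["authelia-forward"]                      # from dynamic.yml
    for mws in (label_mws, file_mws):
        for ip in (LAN, INTERNET):
            for auth in (False, True):
                print(mws, ip, "authenticated" if auth else "anonymous",
                      "->", evaluate_request(mws, HOST, ip, auth))
```

Both layers decide on the client IP as presented to them, so a request that arrives through an upstream proxy is judged by the address that proxy hands on, not the end user's. The example deliberately models only the ordering logic of the posted rules; it does not replicate Authelia's header handling or Traefik's `ipStrategy` options.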