feat(auth): Implement conditional authentication middleware for services in docker-compose.yml

2025-04-26 01:58:42 +08:00
parent 2fadb08c72
commit a0e63e2e2b
2 changed files with 98 additions and 25 deletions


@@ -1,4 +1,24 @@
services:
middlewares:
# This is a "no-op" service just to hold middleware definitions
image: traefik/whoami:latest
container_name: middlewares
restart: "no"
labels:
# Authentication middleware - used when AUTH_SERVICE=true
- traefik.http.middlewares.auth-required.forwardAuth.address=http://authelia:9091/api/verify?rd=https://${APP_HOSTNAME}/
- traefik.http.middlewares.auth-required.forwardAuth.trustForwardHeader=true
- traefik.http.middlewares.auth-required.forwardAuth.authResponseHeaders=Remote-User,Remote-Groups,Remote-Name,Remote-Email
# No authentication middleware - used when AUTH_SERVICE=false
- traefik.http.middlewares.auth-bypass.headers.customResponseHeaders.X-Auth-Skip=true
# Map true/false to the actual middleware
- traefik.http.middlewares.true.chain.middlewares=auth-required
- traefik.http.middlewares.false.chain.middlewares=auth-bypass
profiles:
- disabled # This service never actually starts
traefik:
image: ghcr.io/traefik/traefik:3.3
container_name: traefik
@@ -83,11 +103,13 @@ services:
- traefik.enable=true
- traefik.http.routers.sonarr.rule=PathPrefix(`/sonarr`)
- traefik.http.routers.sonarr.entrypoints=web
- traefik.http.routers.sonarr.middlewares=${AUTH_SONARR:-true}
- traefik.http.routers.sonarr.middlewares=${AUTH_SONARR:-true}@docker
- traefik.http.services.sonarr.loadbalancer.server.port=8989
# Add conditional middlewares
- traefik.http.middlewares.true.chain.middlewares=authelia-auth@docker
- traefik.http.middlewares.false.chain.middlewares=
# Define middleware chains for auth control - these are global definitions
- traefik.http.middlewares.true.forwardAuth.address=http://authelia:9091/api/verify?rd=https://${APP_HOSTNAME}/
- traefik.http.middlewares.true.forwardAuth.trustForwardHeader=true
- traefik.http.middlewares.true.forwardAuth.authResponseHeaders=Remote-User,Remote-Groups,Remote-Name,Remote-Email
- traefik.http.middlewares.false.headers.customResponseHeaders.X-Auth-Skip=true
- homepage.group=Media
- homepage.name=Sonarr
- homepage.icon=sonarr.png
@@ -116,7 +138,7 @@ services:
- traefik.enable=true
- traefik.http.routers.radarr.rule=PathPrefix(`/radarr`)
- traefik.http.routers.radarr.entrypoints=web
- traefik.http.routers.radarr.middlewares=${AUTH_RADARR:-true}
- traefik.http.routers.radarr.middlewares=${AUTH_RADARR:-true}@docker
- traefik.http.services.radarr.loadbalancer.server.port=7878
- homepage.group=Media
- homepage.name=Radarr
@@ -146,7 +168,7 @@ services:
- traefik.enable=true
- traefik.http.routers.lidarr.rule=PathPrefix(`/lidarr`)
- traefik.http.routers.lidarr.entrypoints=web
- traefik.http.routers.lidarr.middlewares=authelia-auth@docker
- traefik.http.routers.lidarr.middlewares=${AUTH_LIDARR:-true}@docker
- traefik.http.services.lidarr.loadbalancer.server.port=8686
- homepage.group=Media
- homepage.name=Lidarr
@@ -178,7 +200,7 @@ services:
- traefik.enable=true
- traefik.http.routers.bazarr.rule=PathPrefix(`/bazarr`)
- traefik.http.routers.bazarr.entrypoints=web
- traefik.http.routers.bazarr.middlewares=${AUTH_BAZARR:-true}
- traefik.http.routers.bazarr.middlewares=${AUTH_BAZARR:-true}@docker
- traefik.http.services.bazarr.loadbalancer.server.port=6767
- homepage.group=Download
- homepage.name=Bazarr
@@ -214,7 +236,7 @@ services:
- traefik.http.routers.jellyseerr.rule=PathPrefix(`/jellyseerr`)
- traefik.http.routers.jellyseerr.entrypoints=web
- traefik.http.services.jellyseerr.loadbalancer.server.port=5055
- traefik.http.routers.jellyseerr.middlewares=jellyseerr-stripprefix,jellyseerr-rewrite,jellyseerr-rewriteHeaders,authelia-auth@docker
- traefik.http.routers.jellyseerr.middlewares=jellyseerr-stripprefix,jellyseerr-rewrite,jellyseerr-rewriteHeaders,${AUTH_JELLYSEERR:-true}@docker
- traefik.http.middlewares.jellyseerr-stripprefix.stripPrefix.prefixes=/jellyseerr
- traefik.http.middlewares.jellyseerr-rewriteHeaders.plugin.rewriteHeaders.rewrites[0].header=location
- traefik.http.middlewares.jellyseerr-rewriteHeaders.plugin.rewriteHeaders.rewrites[0].regex=^/(.+)$
@@ -287,7 +309,7 @@ services:
- traefik.enable=true
- traefik.http.routers.prowlarr.rule=PathPrefix(`/prowlarr`)
- traefik.http.routers.prowlarr.entrypoints=web
- traefik.http.routers.prowlarr.middlewares=authelia-auth@docker
- traefik.http.routers.prowlarr.middlewares=${AUTH_PROWLARR:-true}@docker
- traefik.http.services.prowlarr.loadbalancer.server.port=9696
- homepage.group=Download
- homepage.name=Prowlarr
@@ -311,7 +333,7 @@ services:
- traefik.enable=true
- traefik.http.routers.flaresolverr.rule=PathPrefix(`/flaresolverr`)
- traefik.http.routers.flaresolverr.entrypoints=web
- traefik.http.routers.flaresolverr.middlewares=authelia-auth@docker
- traefik.http.routers.flaresolverr.middlewares=${AUTH_FLARESOLVERR:-true}@docker
- traefik.http.services.flaresolverr.loadbalancer.server.port=8191
profiles:
- flaresolverr
@@ -338,7 +360,7 @@ services:
- traefik.http.routers.qbittorrent.rule=PathPrefix(`/qbittorrent`)
- traefik.http.routers.qbittorrent.entrypoints=web
- traefik.http.services.qbittorrent.loadbalancer.server.port=8080
- traefik.http.routers.qbittorrent.middlewares=qbittorrent-strip-slash,qbittorrent-stripprefix,authelia-auth@docker
- traefik.http.routers.qbittorrent.middlewares=qbittorrent-strip-slash,qbittorrent-stripprefix,${AUTH_QBITTORRENT:-true}@docker
- traefik.http.middlewares.qbittorrent-stripprefix.stripPrefix.prefixes=/qbittorrent
- traefik.http.middlewares.qbittorrent-strip-slash.redirectregex.regex=(^.*\/qbittorrent$$)
- traefik.http.middlewares.qbittorrent-strip-slash.redirectregex.replacement=$$1/
@@ -383,7 +405,7 @@ services:
- traefik.enable=true
- traefik.http.routers.sabnzbd.rule=PathPrefix(`/sabnzbd`)
- traefik.http.routers.sabnzbd.entrypoints=web
- traefik.http.routers.sabnzbd.middlewares=authelia-auth@docker
- traefik.http.routers.sabnzbd.middlewares=${AUTH_SABNZBD:-true}@docker
- traefik.http.services.sabnzbd.loadbalancer.server.port=8080
- homepage.group=Download
- homepage.name=Sabnzbd
@@ -419,7 +441,7 @@ services:
- traefik.enable=true
- traefik.http.routers.jellyfin.rule=PathPrefix(`/jellyfin`)
- traefik.http.routers.jellyfin.entrypoints=web
- traefik.http.routers.jellyfin.middlewares=authelia-auth@docker
- traefik.http.routers.jellyfin.middlewares=${AUTH_JELLYFIN:-false}@docker
- traefik.http.services.jellyfin.loadbalancer.server.port=8096
- homepage.group=Media
- homepage.name=Jellyfin
@@ -448,7 +470,7 @@ services:
- traefik.http.middlewares.calibre-headers.headers.customRequestHeaders.X-Scheme=https
- traefik.http.middlewares.calibre-headers.headers.customRequestHeaders.X-Script-Name=/calibre
- traefik.http.middlewares.calibre-stripprefixregex.stripPrefixRegex.regex=/calibre
- traefik.http.routers.calibre.middlewares=calibre-headers,calibre-stripprefixregex,authelia-auth@docker
- traefik.http.routers.calibre.middlewares=calibre-headers,calibre-stripprefixregex,${AUTH_CALIBRE:-true}@docker
- traefik.http.routers.calibre.rule=PathPrefix(`/calibre`)
- traefik.http.routers.calibre.entrypoints=web
- traefik.http.services.calibre.loadbalancer.server.port=8083
@@ -526,7 +548,7 @@ services:
- traefik.http.routers.homepage.entrypoints=web
- traefik.http.routers.homepage.priority=10
- traefik.http.middlewares.homepage-stripprefix.stripPrefix.prefixes=/home
- traefik.http.routers.homepage.middlewares=homepage-stripprefix,authelia-auth@docker
- traefik.http.routers.homepage.middlewares=homepage-stripprefix,${AUTH_HOMEPAGE:-true}@docker
- homepage.group=Dashboard
- homepage.name=Homepage
- homepage.icon=homepage.png
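Review bot: The jellyfin router now falls back to `${AUTH_JELLYFIN:-false}@docker` where it previously used `authelia-auth@docker`, so with the variable unset this commit drops forward auth from `/jellyfin` without anyone opting out, while every other service defaults to `true`. If that is deliberate, add a comment next to the label saying why; otherwise keep the default fail-closed with `${AUTH_JELLYFIN:-true}@docker`. The bypass middleware `false` defined on the sonarr labels only sets the `X-Auth-Skip` response header and leaves client-supplied `Remote-User`, `Remote-Groups`, `Remote-Name` and `Remote-Email` request headers untouched, so a backend that trusts those headers (not visible here) would accept spoofed values on a bypassed route; clearing them there, e.g. `traefik.http.middlewares.false.headers.customRequestHeaders.Remote-User=` and likewise for the other three, would close that. Separately, the `middlewares` service sits behind the `disabled` profile and by its own comment never starts, so Traefik's Docker provider will presumably never read its labels. The definitions that take effect are then the `true`/`false` ones on the sonarr container, which ties every router's auth middleware to that one container being up.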