In today’s cloud-native world, securing microservices is crucial.
One effective way to achieve this is by leveraging Docker for containerization, Traefik for routing and middleware, and OAuth for authorization.
This article will walk you through the process of setting up a secure service using these technologies, providing you with a robust and scalable solution.
Understanding the Network Flow
When securing a service with Single Sign-On (SSO) using OAuth, here's the typical flow:
Client Request: A user sends a GET request to a service endpoint.
Traefik Middleware: Traefik's ForwardAuth middleware intercepts the request and passes it to the OAuth forward-auth service before anything reaches the backend.
OAuth Provider: The provider checks the user's credentials and registration status (a user without a valid session is typically redirected to the provider's login page first).
Service Access: Only if the auth check answers with success does Traefik proxy the request to the service; otherwise the client receives the auth service's response instead and the backend is never contacted.
Setting Up the Environment
We’ll use Docker Compose to define and manage our services. Here’s how you can set it up:
- Docker Compose File (docker-compose.yml):
version: '3'
services:
  traefik:
    image: traefik:2.9.6
    ports:
      - "80:80"      # plain-HTTP entry point, used only for the redirect to HTTPS
      - "443:443"
      - "8080:8080"
    command:
      - "--providers.docker=true"
      - "--api.insecure=true"
      - "--api.dashboard=true"
      - "--entryPoints.web.address=:80"
      - "--entryPoints.web-secured.address=:443"
      - "--certificatesResolvers.ssl-service.acme.tlsChallenge=true"
      - "--certificatesResolvers.ssl-service.acme.email=myEmail@example.com"
      - "--certificatesResolvers.ssl-service.acme.storage=/letsencrypt/acme.json"
    volumes:
      - ./volume-traefik/letsencrypt:/letsencrypt
      - /var/run/docker.sock:/var/run/docker.sock
    labels:
      - "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https"
      - "traefik.http.routers.redirs.middlewares=redirect-to-https"
      - "traefik.http.routers.redirs.rule=HostRegexp(`{host:.+}`)"
      # the redirect router listens on the HTTP entry point; attached to :443 it would only redirect to itself
      - "traefik.http.routers.redirs.entrypoints=web"
  whoami:
    image: traefik/whoami
    labels:
      - "traefik.http.routers.whoami.entrypoints=web-secured"
      - "traefik.http.routers.whoami.tls.certresolver=ssl-service"
      - "traefik.http.services.whoami.loadbalancer.server.port=80"
      - "traefik.http.routers.whoami.rule=Host(`service_example.com`) && PathPrefix(`/test`)"
      # the traefik-forward-auth middleware must be defined by a forward-auth service; it is not part of this file
      - "traefik.http.routers.whoami.middlewares=traefik-forward-auth"
- Start and Stop Scripts:
run.sh:
#!/bin/bash
docker stack deploy -c docker-compose.yml volume-my
stop.sh:
#!/bin/bash
docker stack rm volume-my
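The file above routes whoami through a `traefik-forward-auth` middleware that it never defines, and it publishes the dashboard without authentication via `--api.insecure=true`. The following added example (not part of the original article) supplies the missing OAuth forward-auth service and serves the dashboard behind that same middleware; it assumes the thomseddon/traefik-forward-auth image with a Google OAuth client, and the hostname, e-mail and <...> secret values are placeholders.

```yaml
# Added example, not from the original article: the OAuth forward-auth
# service behind the `traefik-forward-auth` middleware that the whoami
# router references, plus the dashboard served through Traefik with SSO
# instead of the unauthenticated `--api.insecure=true` endpoint.
# Assumed: the thomseddon/traefik-forward-auth image with a Google OAuth
# client; hostnames, accounts and <...> secrets are placeholders.
version: '3'
services:
  traefik:
    image: traefik:2.9.6
    ports:
      - "443:443"                   # 8080 is deliberately not published
    command:
      - "--providers.docker=true"
      - "--api.dashboard=true"      # api.insecure stays at its default, false
      - "--entryPoints.web-secured.address=:443"
      - "--certificatesResolvers.ssl-service.acme.tlsChallenge=true"
      - "--certificatesResolvers.ssl-service.acme.email=myEmail@example.com"
      - "--certificatesResolvers.ssl-service.acme.storage=/letsencrypt/acme.json"
    volumes:
      - ./volume-traefik/letsencrypt:/letsencrypt
      - /var/run/docker.sock:/var/run/docker.sock
    labels:
      # Dashboard: routed to Traefik's built-in api@internal service, SSO first.
      - "traefik.http.routers.dashboard.rule=Host(`traefik.example.com`)"
      - "traefik.http.routers.dashboard.entrypoints=web-secured"
      - "traefik.http.routers.dashboard.tls.certresolver=ssl-service"
      - "traefik.http.routers.dashboard.service=api@internal"
      - "traefik.http.routers.dashboard.middlewares=traefik-forward-auth"
  traefik-forward-auth:
    image: thomseddon/traefik-forward-auth:2
    environment:
      - DEFAULT_PROVIDER=google
      - PROVIDERS_GOOGLE_CLIENT_ID=<oauth-client-id>
      - PROVIDERS_GOOGLE_CLIENT_SECRET=<oauth-client-secret>
      - SECRET=<long-random-string-that-signs-the-session-cookie>
      - WHITELIST=alice@example.com # authorization: only listed accounts pass
    labels:
      # The middleware definition: Traefik calls this address for every request
      # on a router that lists the middleware and proxies on only after a 2xx.
      - "traefik.http.middlewares.traefik-forward-auth.forwardauth.address=http://traefik-forward-auth:4181"
      - "traefik.http.middlewares.traefik-forward-auth.forwardauth.authResponseHeaders=X-Forwarded-User"
      - "traefik.http.middlewares.traefik-forward-auth.forwardauth.trustForwardHeader=true"
      - "traefik.http.services.traefik-forward-auth.loadbalancer.server.port=4181"
```

The whoami service keeps exactly the labels from the file above; the OAuth client must list https://<protected host>/_oauth as an authorized redirect URI for each host the middleware protects.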
Key Components Explained
Traefik Configuration
Image: traefik:2.9.6 - The Traefik version used (pinned, so a redeploy never silently pulls a different release).
Ports: 443 (HTTPS) and 8080 (Traefik dashboard). A published port is reachable from the network, not only from localhost; HTTP-to-HTTPS redirection additionally requires port 80 to be published with an entry point on it.
Command: Defines the Traefik options: enabling the Docker provider, setting up ACME (Let's Encrypt) for TLS certificates, and enabling the API dashboard. --api.insecure=true serves the dashboard and API on port 8080 without any authentication, which is why access to that port has to be restricted.
Volumes: Bind mounts for Let's Encrypt data (acme.json contains the certificate private keys and must be mode 600, otherwise Traefik refuses to use it) and the Docker socket. The socket gives Traefik full control of the Docker daemon, so a compromise of Traefik is a compromise of the host; a socket proxy that only permits read-only container and network queries limits this.
Labels: Configure HTTP-to-HTTPS redirection and routing rules.
Whoami Service
Image: traefik/whoami - A simple service for testing; it echoes the request headers it receives, X-Forwarded-* headers included, so you can see exactly what a backend behind the middleware is handed.
Labels: Define entry points, TLS settings, routing rules, and the middleware that applies the OAuth check.
Running the Setup
Deploy the Stack: Use the run.sh script to deploy the services (docker stack deploy requires the host to be a swarm manager, i.e. docker swarm init must have been run once):
./run.sh
Accessing the Dashboard: Connect to the Traefik dashboard through an SSH tunnel rather than over the internet:
ssh -L 8080:localhost:8080 user@your_server_ip
Then, open http://localhost:8080/dashboard/ in your browser. Because the compose file publishes port 8080 on the host, the tunnel is a convenience, not a control: anyone who can reach the host on 8080 gets the same unauthenticated dashboard, so block that port at the firewall or do not publish it at all.
Debugging and Logs
View Running Containers:
docker ps
Watch Containers:
watch docker ps
View Logs:
docker logs -f container_name
Test Whoami Service: Run the image on its own to confirm it works independently of Traefik (this publishes it on port 8089 of every host interface with no OAuth check in front, so use it only for a quick local test and stop it afterwards):
docker run -it --rm -p 8089:80 traefik/whoami
Conclusion
By combining Docker, Traefik, and OAuth, you can create a secure, scalable service infrastructure.
This setup not only ensures secure communication via HTTPS but also enforces user authorization with OAuth, making your services robust and reliable.
Happy coding!