Securing Services with Docker, Traefik, and OAuth: A Step-by-Step Guide


In today’s cloud-native world, securing microservices is crucial.

One effective way to achieve this is by leveraging Docker for containerization, Traefik for routing and middleware, and OAuth for authorization.

This article will walk you through the process of setting up a secure service using these technologies, providing you with a robust and scalable solution.

Understanding the Network Flow

When securing a service with Single Sign-On (SSO) using OAuth, here’s the typical flow:

  1. Client Request: A user sends a GET request to a service endpoint.

  2. Traefik Middleware: Traefik intercepts the request and forwards it to an OAuth provider for authorization.

  3. OAuth Provider: The provider checks the user’s credentials and registration status.

  4. Service Access: If the user is authorized, they gain access to the service.

Setting Up the Environment

We’ll use Docker Compose to define and manage our services. Here’s how you can set it up:

  1. Docker Compose File (docker-compose.yml):

version: '3'

services:
  traefik:
    image: traefik:2.9.6
    ports:
      - "80:80"     # plain HTTP, used only to redirect to HTTPS
      - "443:443"
      - "8080:8080" # API/dashboard; published on every host interface (see "Accessing the Dashboard")
    command:
      - "--providers.docker=true"
      - "--api.insecure=true"
      - "--api.dashboard=true"
      - "--entryPoints.web.address=:80"
      - "--entryPoints.web-secured.address=:443"
      - "--certificatesResolvers.ssl-service.acme.tlsChallenge=true"
      - "--certificatesResolvers.ssl-service.acme.email=myEmail@example.com"
      - "--certificatesResolvers.ssl-service.acme.storage=/letsencrypt/acme.json"
    volumes:
      - ./volume-traefik/letsencrypt:/letsencrypt   # acme.json must have permissions 600
      - /var/run/docker.sock:/var/run/docker.sock
    labels:
      # Catch-all router on the plain-HTTP entry point (port 80) that redirects every request to HTTPS.
      # Without a port-80 entry point the redirect would never be reached.
      - "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https"
      - "traefik.http.routers.redirs.middlewares=redirect-to-https"
      - "traefik.http.routers.redirs.rule=HostRegexp(`{host:.+}`)"
      - "traefik.http.routers.redirs.entrypoints=web"

  whoami:
    image: traefik/whoami
    labels:
      - "traefik.http.routers.whoami.entrypoints=web-secured"
      - "traefik.http.routers.whoami.tls.certresolver=ssl-service"
      - "traefik.http.services.whoami.loadbalancer.server.port=80"
      - "traefik.http.routers.whoami.rule=Host(`service_example.com`) && PathPrefix(`/test`)"
      # Every request must pass the forward-auth (OAuth) middleware before it reaches whoami.
      - "traefik.http.routers.whoami.middlewares=traefik-forward-auth"

  2. Start and Stop Scripts:

  • run.sh:

      #!/bin/bash
      docker stack deploy -c docker-compose.yml volume-my
    
  • stop.sh:

      #!/bin/bash
      docker stack rm volume-my
    
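The compose file above attaches a traefik-forward-auth middleware to the whoami router but never defines it, and Traefik disables a router whose middleware does not exist, so as written the whoami route would not even load. The service and labels below are an example added here, not part of the original post: they define that middleware with Traefik's forwardAuth mechanism and the thomseddon/traefik-forward-auth helper (an assumed choice), with the OIDC issuer, client id/secret, cookie secret and allowed e-mail address as placeholders to replace with your provider's values.

```yaml
services:
  # Added example: the OAuth hop from step 2 of the network flow. Traefik sends
  # each request's headers to this service; a 200 lets the request through to
  # whoami, anything else (typically a 302 to the IdP login page) goes back to
  # the client. Every value ending in _PLACEHOLDER is a constructed placeholder.
  traefik-forward-auth:
    image: thomseddon/traefik-forward-auth:2
    environment:
      - DEFAULT_PROVIDER=oidc
      - PROVIDERS_OIDC_ISSUER_URL=https://ISSUER_PLACEHOLDER/
      - PROVIDERS_OIDC_CLIENT_ID=CLIENT_ID_PLACEHOLDER
      - PROVIDERS_OIDC_CLIENT_SECRET=CLIENT_SECRET_PLACEHOLDER
      - SECRET=LONG_RANDOM_STRING_PLACEHOLDER   # signs the session cookie; keep it secret
      - WHITELIST=alice@example.com             # step 3: only listed users are authorized
      - LOG_LEVEL=info
    labels:
      # The middleware the whoami router references.
      - "traefik.http.middlewares.traefik-forward-auth.forwardauth.address=http://traefik-forward-auth:4181"
      - "traefik.http.middlewares.traefik-forward-auth.forwardauth.authResponseHeaders=X-Forwarded-User"
      # Assumption: because the whoami router only matches /test, the OAuth
      # callback (/_oauth on the same host) needs its own TLS router that also
      # runs the middleware, so the helper can finish the login and redirect back.
      - "traefik.http.routers.traefik-forward-auth.rule=Host(`service_example.com`) && Path(`/_oauth`)"
      - "traefik.http.routers.traefik-forward-auth.entrypoints=web-secured"
      - "traefik.http.routers.traefik-forward-auth.tls.certresolver=ssl-service"
      - "traefik.http.routers.traefik-forward-auth.middlewares=traefik-forward-auth"
      - "traefik.http.services.traefik-forward-auth.loadbalancer.server.port=4181"
```

Register https://service_example.com/_oauth as the redirect URI at your OAuth provider; with the cookie set over HTTPS only, an unauthenticated GET to /test is answered with a redirect to the provider's login page rather than by whoami.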

Key Components Explained

Traefik Configuration

  • Image: traefik:2.9.6 - The Traefik version used.

  • Ports: Ports 443 (HTTPS) and 8080 (Traefik dashboard).

  • Command: Defines the Traefik options: enabling the Docker provider (which exposes every container it can see unless --providers.docker.exposedByDefault=false is set), the entry points, ACME (Let's Encrypt) for TLS certificates, and the API dashboard (--api.insecure=true serves it on port 8080 with no authentication).

  • Volumes: Bind mounts for the Let's Encrypt data (acme.json must have permissions 600 or Traefik refuses to start) and the Docker socket (which gives the Traefik container full control of the Docker daemon, so treat it as a trusted component).

  • Labels: Configure HTTP-to-HTTPS redirection and routing rules.

Whoami Service

  • Image: traefik/whoami - A simple service for testing.

  • Labels: Define entry points, TLS settings, routing rules, and middleware.

Running the Setup

  1. Deploy the Stack: Use the run.sh script to deploy the services (docker stack deploy requires the host to be a Swarm manager, i.e. docker swarm init has been run once).

     ./run.sh
    
  2. Accessing the Dashboard: Securely connect to the Traefik dashboard using SSH tunnelling.

     ssh -L 8080:localhost:8080 user@your_server_ip
    

    Then, open http://localhost:8080/dashboard/ in your browser. Note that the compose file publishes port 8080 on every host interface and --api.insecure=true serves the dashboard without authentication, so also block that port with a firewall rule (or bind it to 127.0.0.1) rather than relying on the tunnel alone.

Debugging and Logs

  • View Running Containers:

      docker ps
    
  • Watch Containers:

      watch docker ps
    
  • View Logs:

      docker logs -f container_name
    
  • Test Whoami Service:

      docker run -it --rm -p 8089:80 traefik/whoami
    

Conclusion

By combining Docker, Traefik, and OAuth, you can create a secure, scalable service infrastructure.

  • This setup not only ensures secure communication via HTTPS but also enforces user authorization with OAuth, making your services robust and reliable.

  • Happy coding!
