Advanced configs

Host network and traefik

When using network_mode: host in Docker alongside traefik, the redirect_uri in tinyauth will always be the app URL instead of the actual redirect URI. This is because traefik does not respect the X-Forwarded-Host header from NAT IP addresses such as the Docker internal one. This can be easily fixed by either using the following traefik config:

yaml
entryPoints:
  web:
    forwardedHeaders:
      trustedIPs:
        - 127.0.0.1/32
        - 172.16.0.0/12

Or by using the following CLI arguments:

shellscript
--entryPoints.web.forwardedHeaders.trustedIPs=127.0.0.1/32,172.16.0.0/12

See issue #35 by Aleksey

Tinyauth behind proxy

In some environments you may need to use tinyauth from another proxy, and to do this securely you may have to expose it. For example, you may have tinyauth on tinyauth.mydomain.com and try to use the middleware from another proxy using http://tinyauth.mydomain.com/api/auth/traefik.

In this case, traefik will not respect the X-Forwarded-* headers, meaning that the redirect_uri in tinyauth will always point to tinyauth's domain (so tinyauth.mydomain.com) instead of the app's domain. To fix this, you can tell traefik to trust the headers. If your setup looks like the following:

You can tell proxy 2 to trust headers from proxy 1 with the following configuration:

yaml
entryPoints:
  web:
    forwardedHeaders:
      trustedIPs:
        - 10.0.0.2

You can also configure it through CLI options:

shellscript
--entryPoints.web.forwardedHeaders.trustedIPs=10.0.0.2

See issue #134 by @eliasbenb
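The following is an added example, not code from tinyauth or traefik: a simplified model of the trust decision behind both sections above, showing which host tinyauth ends up seeing for a given peer address and trustedIPs list, plus a check for entries wider than internal ranges. The function names, the app.mydomain.com host, and the 172.17.0.1 and 203.0.113.7 peers are assumptions made for illustration.

```python
import ipaddress

# Assumption for this example: proxies in front of tinyauth live on loopback
# or in the RFC 1918 private blocks.
INTERNAL = [ipaddress.ip_network(n) for n in
            ("127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse(entries):
    """Parse trustedIPs entries; a bare IP such as 10.0.0.2 becomes a /32."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]

def is_trusted(peer_ip, trusted_ips):
    """True if the connecting peer matches any trustedIPs entry."""
    addr = ipaddress.ip_address(peer_ip)
    return any(addr in net for net in parse(trusted_ips))

def forwarded_host_seen_by_tinyauth(peer_ip, request_host, headers, trusted_ips):
    """Simplified model: a trusted peer's X-Forwarded-Host is passed through,
    anything else is discarded and replaced by the request's own Host."""
    incoming = headers.get("X-Forwarded-Host")
    if incoming and is_trusted(peer_ip, trusted_ips):
        return incoming
    return request_host

def too_broad(trusted_ips):
    """Entries reaching beyond INTERNAL: any client in them could set the
    forwarded host, and with it the redirect_uri, itself."""
    return [str(n) for n in parse(trusted_ips)
            if not any(n.version == i.version and n.subnet_of(i) for i in INTERNAL)]

if __name__ == "__main__":
    hdrs = {"X-Forwarded-Host": "app.mydomain.com"}   # constructed request
    host_net = ["127.0.0.1/32", "172.16.0.0/12"]      # config from this page
    cases = [
        ("172.17.0.1", [], "Docker bridge peer, no trustedIPs"),
        ("172.17.0.1", host_net, "Docker bridge peer, host-network config"),
        ("10.0.0.2", ["10.0.0.2"], "proxy 1 trusted by proxy 2"),
        ("203.0.113.7", ["10.0.0.2"], "unrelated peer sending the header"),
    ]
    for peer, trusted, label in cases:
        seen = forwarded_host_seen_by_tinyauth(
            peer, "tinyauth.mydomain.com", hdrs, trusted)
        print(f"{label}: {seen}")
    print("too broad:", too_broad(["10.0.0.2", "0.0.0.0/0"]))
```

Keeping trustedIPs to the exact proxy address, as in the 10.0.0.2 configuration, leaves the fewest peers able to influence redirect_uri.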