{"id":15490964,"url":"https://github.com/gbirke/traefik-sessionauth","last_synced_at":"2025-07-13T18:41:40.606Z","repository":{"id":137847530,"uuid":"420400425","full_name":"gbirke/traefik-sessionauth","owner":"gbirke","description":"A session-based authentication app for Traefik's forwardAuth middleware","archived":false,"fork":false,"pushed_at":"2021-12-05T14:21:42.000Z","size":65,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":2,"default_branch":"main","last_synced_at":"2025-03-28T16:34:42.011Z","etag":null,"topics":["authentication","session-cookie","traefik"],"latest_commit_sha":null,"homepage":"","language":"PHP","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/gbirke.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2021-10-23T12:01:59.000Z","updated_at":"2021-12-05T14:21:27.000Z","dependencies_parsed_at":null,"dependency_job_id":"4ef0068c-1d69-46d7-92ba-e5a81efc795f","html_url":"https://github.com/gbirke/traefik-sessionauth","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/gbirke/traefik-sessionauth","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/gbirke%2Ftraefik-sessionauth","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/gbirke%2Ftraefik-sessionauth/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/gbirke%2Ftraefik-sessionauth/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/gbirke%2Ftraefik-sessionauth/manifests",
"owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/gbirke","download_url":"https://codeload.github.com/gbirke/traefik-sessionauth/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/gbirke%2Ftraefik-sessionauth/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":265189369,"owners_count":23725218,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["authentication","session-cookie","traefik"],"created_at":"2024-10-02T07:42:06.480Z","updated_at":"2025-07-13T18:41:40.566Z","avatar_url":"https://github.com/gbirke.png","language":"PHP","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Traefik-sessionauth\n\nThis is a small application that acts as an end point for the Traefik\nforwardAuth middleware, authenticating users with a cookie and a\npassword-based login. You don't need any OAuth-based external services.\nThink of it as \"basic auth middleware without the browser popup\".\n\n## Configuration\n\nCopy the `env.template` file to `.env` and edit it. There are two\nimportant settings, `COOKIE_DOMAIN` and `USERS`:\n\n`COOKIE_DOMAIN` is the top-level domain that's shared between the\napplication you want to secure and the login page. For example, if you\nhave the domains `app.example.com` and `auth.example.com` the\n`COOKIE_DOMAIN` should be `example.com`.\n\n`USERS` is a space-separated list of user names and passwords (separated\nwith a colon). You must hash passwords with PHP's `password_hash`\nfunction. 
To hash a password on the command line you can run the following\ncommand:\n\n    php -r 'echo password_hash(\"your_password_here\", PASSWORD_DEFAULT);'\n\nWith the setting `SESSION_LIFETIME` you can change how long the session\npersists between page interactions. Whenever Traefik queries the \nauthentication of the logged-in user, the application sets the session\nexpiry to the current time plus lifetime. The default lifetime is 30\nminutes (1800 seconds).\n\n### Overriding templates\n\nIf you want to show some branding on your page, use different styling or\nwording, you can edit the files in the [`templates`](templates/)\ndirectory.\n\nThe file [`docker-compose.fullexample.yml`](docker-compose.fullexample.yml)\nshows an example of how to use Docker volume mounts to override templates.\n\n## Running the application\n\nRun `docker-compose up` to run the application as a standalone application\non [localhost:8090](http://localhost:8090/). On its own, it's not very\nuseful but you can use the `docker-compose.yml` setup for development or\nto try out the functionality without a Traefik setup.\n\n### Building the docker image\nThe Dockerfile in `docker/app/Dockerfile` is a \n[multi-stage](https://docs.docker.com/develop/develop-images/multistage-build/)\nDockerfile that returns a production-ready image (using opcache and PHP\nproduction settings). 
The `docker-compose.yml` file builds the development\nimage without opcache.\n\n## Traefik setup\n\nIn the file [`docker-compose.fullexample.yml`](docker-compose.fullexample.yml)\nyou can find a full example of how to use the app:\n\n* A **Traefik** container, configured to serve on port 80.\n* The **authentication app**, running as a PHP-FPM service.\n* An **Nginx** web server, running two sites:\n  * `site.example.docker` serves a single static page\n  * `auth.example.docker` is a reverse proxy for the authentication\n      application\n\nThe single Nginx configuration is for efficiency reasons; you could also\nput the authentication app behind a second Nginx or a different web server\nthat acts as a FastCGI proxy.\n\nTo test the example on your local machine, you need to add the following\nentries to your `/etc/hosts` file:\n\n    127.0.0.1 monitor.example.docker\n    127.0.0.1 site.example.docker\n    127.0.0.1 auth.example.docker\n\n### Request handling for the protected site\n```\n Request for                                         +---------------------+\n site.example.docker                 Show if OK      |                     |\n---------------------\u003e ForwardAuth -----------------\u003e| site.example.docker |\n                       |       ^                     |                     |\n                       |       |                     +---------------------+\n                       |       |\n                       |       |\n                       |       | OK or redirect to auth.example.docker/login\n                       |       +------------------------------+\n                       |                                      |\n                       |                             +---------------------+\n                       |                             |                     |\n                       |        OK to access?        
| auth.example.docker |\n                       +---------------------------\u003e |                     |\n                                                     +---------------------+\n```\n\n### Pitfalls to look out for when configuring for your own site\n\nMake sure you're using the right protocol for the forwardAuth middleware\naddress! If you set it to `http` and your authentication URL is `https`,\nevery forwardAuth request will fail, even when you're logged in, because\nTraefik will redirect to the HTTPS protocol, which looks like a failure to\nforwardAuth.\n\n## Development\n\nTo use the pre-commit git hooks, run\n\n    vendor/bin/captainhook install\n\n## Possible future features\n* Make base path of auth configurable and concat base path with routes.\n* Use encrypted cookies instead of session - this will make the app\n\tstorage-independent and allows for longer-lasting authentication.\n* Add page titles (Login page and index page) to config\n* Unit tests and static analysis (see\n    https://odan.github.io/2020/06/09/slim4-testing.html for how to test)\n* Add CI (GitHub Actions) to test and build Docker image\n* Expose more session configuration\n* Support for CORS headers instead of central cookie domain\n* \"Remember me\" cookie for more independence from PHP sessions\n* Describe PHP session tuning for longer-lived sessions and using\n    different storage mechanisms\n* Rewrite in Go to get rid of the need for a FastCGI proxy.\n* Serve SVG image badge that shows login status. Configurable SVG template\n\tto allow perfect integration in site.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fgbirke%2Ftraefik-sessionauth","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fgbirke%2Ftraefik-sessionauth","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fgbirke%2Ftraefik-sessionauth/lists"}