{"id":18379945,"url":"https://github.com/samdbmg/ansible-traefik-auth-proxy","last_synced_at":"2026-02-19T06:03:18.028Z","repository":{"id":77014880,"uuid":"473332087","full_name":"samdbmg/ansible-traefik-auth-proxy","owner":"samdbmg","description":null,"archived":false,"fork":false,"pushed_at":"2026-02-06T22:17:23.000Z","size":81,"stargazers_count":2,"open_issues_count":4,"forks_count":0,"subscribers_count":1,"default_branch":"main","last_synced_at":"2026-02-07T08:33:00.704Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Jinja","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/samdbmg.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2022-03-23T19:34:41.000Z","updated_at":"2026-01-07T20:14:07.000Z","dependencies_parsed_at":"2024-02-11T01:25:27.513Z","dependency_job_id":"18884a25-b8ac-44ee-b969-b32b424df0a1","html_url":"https://github.com/samdbmg/ansible-traefik-auth-proxy","commit_stats":null,"previous_names":[],"tags_count":1,"template":false,"template_full_name":null,"purl":"pkg:github/samdbmg/ansible-traefik-auth-proxy","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/samdbmg%2Fansible-traefik-auth-proxy","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/samdbmg%2Fansible-traefik-auth-proxy/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/samdbmg%2Fansible-traefik-auth-proxy/releases","manifests_url":"https://repos.ecosyste.ms/ap
i/v1/hosts/GitHub/repositories/samdbmg%2Fansible-traefik-auth-proxy/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/samdbmg","download_url":"https://codeload.github.com/samdbmg/ansible-traefik-auth-proxy/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/samdbmg%2Fansible-traefik-auth-proxy/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":29604552,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-02-19T05:11:50.834Z","status":"ssl_error","status_checked_at":"2026-02-19T05:11:38.921Z","response_time":117,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.5:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-11-06T00:41:30.200Z","updated_at":"2026-02-19T06:03:18.012Z","avatar_url":"https://github.com/samdbmg.png","language":"Jinja","funding_links":[],"categories":[],"sub_categories":[],"readme":"Traefik Auth Proxy\n==================\n\n[Ansible Role](https://docs.ansible.com/ansible/latest/playbook_guide/playbooks_reuse_roles.html) to set up the [Traefik](https://traefik.io/traefik/) HTTP reverse proxy running in Docker, along with https://github.com/thomseddon/traefik-forward-auth to allow sites to be secured using OIDC/OAuth2 and provide single sign-on (SSO).\n\nFeatures:\n- Automatic issuing of TLS certificates with LetsEncrypt et al (thanks 
Traefik!)\n- Easy integration with OpenID Connect \u0026 OAuth2 providers or Google for auth (thanks [thomseddon/traefik-forward-auth](https://github.com/thomseddon/traefik-forward-auth))\n- A proxy for the Docker socket to avoid exposing it directly to Traefik\n- The Traefik Dashboard deployed behind the chosen auth provider\n- [Auth Host Mode](https://github.com/thomseddon/traefik-forward-auth#auth-host-mode) so multiple sites can be hosted by the same Traefik instance without and it can be allow-listed once to get SSO.\n- Generates all the required config files from Ansible variables\n\n\nRequirements\n------------\n\nDocker needs to be available on your target (as does docker-compose) and the `docker` and `requests` Python modules.\n\nAlso requires the [community.docker](https://docs.ansible.com/ansible/latest/collections/community/docker/index.html) collection in a version \u003e= 3.6.0.\n\nRole Variables\n--------------\n\n- `proxy_domain` **(Required)**: The domain that this proxy serves subdomains of, _e.g._ `myserver.example.com`.\n- `proxy_letsencrypt_email` **(Required)**: Email address to be associated with the LetsEncrypt certificates that will be issued.\n- `proxy_enable_auth: true`: Should the forward-auth proxy be enabled?\n- `proxy_use_le_prod: false`: Should the production LetsEncrypt be used (instead of staging).\n- `proxy_network_name: traefik`: Name of the [Docker network](https://docs.docker.com/compose/networking/) that will be used by Traefik to pass traffic to containers.\n- `proxy_dashboard_domain: dashboard.{{ proxy_domain }}`: Domain on which the [Traefik Dashboard](https://doc.traefik.io/traefik/operations/dashboard/) appears (only if auth is enabled). Set to an empty string to disable dashboard.\n- `proxy_cert_method: http`: Which [challenge](https://letsencrypt.org/docs/challenge-types/) to use for verifying domain ownership when issuing certificates. 
The other option is `dns`.\n- `proxy_cert_dns_provider:`: Which DNS provider is in use, from https://doc.traefik.io/traefik/https/acme/#providers. Required if using `dns` for `proxy_cert_method`.\n- `proxy_dns_provider_env_vars: []`: If using `dns` for `proxy_cert_method`, the env vars needed (e.g. access keys), as - KEY=VALUE pairs (see https://doc.traefik.io/traefik/https/acme/#providers for list of env vars).\n- `proxy_oauth_provider: oidc`: Chosen OAuth provider. One of `google` or `oidc` (see also `default-provider` option in https://github.com/thomseddon/traefik-forward-auth#option-details).\n- `proxy_auth_provider_env_vars: {}`: The set of options to pass to the auth provider, from https://github.com/thomseddon/traefik-forward-auth/wiki/Provider-Setup.\n- `proxy_requires_http: false`: Set to true to enable HTTP endpoints with traefik (rather than just redirecting to https).\n- `proxy_rules: []`: List of rules to allow more fine-grained control of auth actions\n- `proxy_config_dir: /etc/traefik_proxy`: Where the config files for Traefik will be written to.\n- `proxy_docker_dir: /etc/traefik_proxy`: Where the Docker Compose files will be written to.\n\nExample Playbook\n----------------\n\n```yaml\n- name: Set up reverse proxying with Traefik\n  hosts: webserver\n  roles:\n    - name: samdbmg.traefik-auth-proxy\n      vars:\n        proxy_domain: myserver.example.com\n        proxy_letsencrypt_email: me@example.com\n        proxy_use_le_prod: true\n        proxy_oauth_provider: oidc\n        proxy_auth_provider_env_vars:\n            PROVIDERS_OIDC_ISSUER_URL: http://some-auth-server.example.com/default\n            PROVIDERS_OIDC_CLIENT_ID: myid\n            PROVIDERS_OIDC_CLIENT_SECRET: mysecret\n```\n\nUsing the proxy\n-------------\n\nTo reverse proxy a container running in Docker Compose, use a compose file along the lines of:\n```yaml\n---\nversion: '3'\nservices:\n  webserver:\n    image: nginx\n    restart: unless-stopped\n    labels:\n      - 
traefik.enable=true\n      - traefik.http.routers.webserver.rule=Host(`web.myserver.example.com`)\n      - traefik.http.services.webserver.loadbalancer.server.port=80\n      - traefik.http.routers.webserver.entrypoints=websecure\n      - traefik.http.routers.webserver.tls.certresolver=default\n      - traefik.http.routers.webserver.middlewares=traefik-forward-auth\n    networks:\n      - traefik\n      - default\n\nnetworks:\n  traefik:\n    external: true\n```\n\nNote that the container must be connected to the `traefik` network, or it won't work!\n\nAlternatively, to run a one-off container, try something like:\n```\ndocker run --rm \\\n  --network=traefik \\\n  -l traefik.enable=true \\\n  -l traefik.http.routers.server.rule='Host(`nginx.myserver.example.com`)' \\\n  -l traefik.http.services.server.loadbalancer.server.port=80 \\\n  -l traefik.http.routers.server.entrypoints=websecure \\\n  -l traefik.http.routers.server.tls.certresolver=default \\\n  -l traefik.http.routers.server.middlewares=traefik-forward-auth \\\n  nginx\n```\n\nRules Config\n------------\n\nTo set custom rules that apply to certain endpoints, set the `proxy_rules` variable.\n\nFor example, to allow only a specific user to access a certain host, set:\n```yaml\nproxy_rules:\n  # List of objects containing keys from the `rules` section in https://github.com/thomseddon/traefik-forward-auth?tab=readme-ov-file#option-details\n  - name: allow_only_me\n    action: auth\n    rule: Host(`example.com`)\n    whitelist:\n      - me@example.com\n```\n\nThe `name` and `rule` keys are required; `action`, `whitelist` (as a list), `domain` and `provider` are also permitted.\n\nLicense\n-------\n\nMIT\n\nAuthor Information\n------------------\n\nSam Mesterton-Gibbons 
\u003csam@samn.co.uk\u003e\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsamdbmg%2Fansible-traefik-auth-proxy","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fsamdbmg%2Fansible-traefik-auth-proxy","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsamdbmg%2Fansible-traefik-auth-proxy/lists"}