search
githubEdit

Forward auth

Defguard supports forward autharrow-up-right integration with popular reverse proxies (tested with traefikarrow-up-right and caddyarrow-up-right). This allows you to use Defguard to secure services which don't provide their own authorization or OAuth integration.

circle-exclamation

In order for forward auth to work the services you are trying to protect must be available at URLs within the same base domain as your Defguard instance.

For example if you are serving your Defguard UI at id.yourdomain.com, then your services must use other subdomains of yourdomain.com, e.g. app1.yourdomain.com, `service.yourdomain.com` etc.

Additionally you have to update your Defguard config to set the cookies domain to yourdomain.com.

hashtag
Example configurations

For brevity, all of the examples below assume you are hosting your Defguard instance at defguard.yourdomain.com.

We'll use a basic whoamiarrow-up-right container as an example service, which will be available at whoami.yourdomain.com.

hashtag
Traefik

hashtag
docker-compose.yml

version: "3"

services:
  traefik:
    image: traefik:v2.9
    command: --api.insecure=true --providers.docker
    ports:
      - "80:80" # HTTP port
      - "8080:8080" # Web UI port
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
  whoami:
    image: traefik/whoami
    labels:
      - "traefik.http.routers.whoami.rule=Host(`whoami.yourdomain.com`)"
      - "traefik.http.middlewares.defguardauth.forwardauth.address=http://defguard.yourdomain.com/api/v1/forward_auth"
      - "traefik.http.routers.whoami.middlewares=defguardauth"

hashtag
Caddy

hashtag
Caddyfile

hashtag
docker-compose.yml

PreviousSSH AuthenticationNextYubiKey Provisioning

Last updated