Add oauth2-proxy middleware for OVIS services in ovis-compose.yml

Introduced a new service, `ovis-traefik-forward-auth`, to handle authentication via oauth2-proxy. Updated Traefik routing for existing services to integrate the new middleware, ensuring secure access control. Adjusted logging in ovis-setup.sh to reflect the addition of the oauth2-proxy middleware in the OVIS setup process.
2026-04-01 01:00:16 +02:00 · 2026-03-26 09:04:42 +01:00
parent d955627da7
commit 55d629c343
2 changed files with 41 additions and 4 deletions
--- a/ccp/modules/ovis-compose.yml
+++ b/ccp/modules/ovis-compose.yml
@@ -1,6 +1,43 @@
 version: "3.7"

 services:
+  ovis-traefik-forward-auth:
+    image: docker.verbis.dkfz.de/cache/oauth2-proxy/oauth2-proxy:latest
+    environment:
+      - http_proxy=http://forward_proxy:3128
+      - https_proxy=http://forward_proxy:3128
+      - OAUTH2_PROXY_PROVIDER=oidc
+      - OAUTH2_PROXY_SKIP_PROVIDER_BUTTON=true
+      - OAUTH2_PROXY_OIDC_ISSUER_URL=${OIDC_PRIVATE_URL}
+      - OAUTH2_PROXY_CLIENT_ID=${OIDC_PRIVATE_CLIENT_ID}
+      - OAUTH2_PROXY_CLIENT_SECRET=${OIDC_CLIENT_SECRET}
+      - OAUTH2_PROXY_COOKIE_SECRET=${IDMANAGER_AUTH_COOKIE_SECRET}
+      - OAUTH2_PROXY_COOKIE_NAME=_BRIDGEHEAD_oauth2_ovis
+      - OAUTH2_PROXY_COOKIE_DOMAINS=.${HOST}
+      - OAUTH2_PROXY_COOKIE_REFRESH=4m
+      - OAUTH2_PROXY_COOKIE_EXPIRE=24h
+      - OAUTH2_PROXY_HTTP_ADDRESS=:4180
+      - OAUTH2_PROXY_REVERSE_PROXY=true
+      - OAUTH2_PROXY_WHITELIST_DOMAINS=.${HOST}
+      - OAUTH2_PROXY_UPSTREAMS=static://202
+      - OAUTH2_PROXY_EMAIL_DOMAINS=*
+      - OAUTH2_PROXY_SCOPE=openid profile email
+      - OAUTH2_PROXY_SET_AUTHORIZATION_HEADER=true
+      - OAUTH2_PROXY_SET_XAUTHREQUEST=true
+      - OAUTH2_PROXY_ALLOWED_GROUPS=${OIDC_PSP_GROUP}
+      - OAUTH2_PROXY_OIDC_GROUPS_CLAIM=${OIDC_GROUP_CLAIM}
+      - OAUTH2_PROXY_PROXY_PREFIX=/oauth2-ovis
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.services.ovis-traefik-forward-auth.loadbalancer.server.port=4180"
+      - "traefik.http.routers.ovis-traefik-forward-auth.rule=Host(`${HOST}`) && PathPrefix(`/oauth2-ovis`)"
+      - "traefik.http.routers.ovis-traefik-forward-auth.tls=true"
+      - "traefik.http.middlewares.traefik-forward-auth-ovis.forwardauth.address=http://ovis-traefik-forward-auth:4180"
+      - "traefik.http.middlewares.traefik-forward-auth-ovis.forwardauth.authResponseHeaders=Authorization"
+    depends_on:
+      forward_proxy:
+        condition: service_healthy
+
  ovis-backend-database-mongodb:
    image: docker.verbis.dkfz.de/ovis/ovis-backend-mongodb:latest
    container_name: bridgehead-ccp-ovis-mongo
@@ -47,11 +84,12 @@ services:
      - "traefik.enable=true"
      - "traefik.http.routers.ovis-backend.rule=PathPrefix(`/graphql`)"
      - "traefik.http.routers.ovis-backend.tls=true"
+      - "traefik.http.routers.ovis-backend.middlewares=traefik-forward-auth-ovis"
      - "traefik.http.routers.ovis-backend.service=ovis-backend"
      - "traefik.http.routers.ovis-backend-ccp.rule=PathPrefix(`/ccp-ovis/graphql`)"
      - "traefik.http.routers.ovis-backend-ccp.tls=true"
      - "traefik.http.middlewares.ovis-backend-ccp-strip.stripprefix.prefixes=/ccp-ovis"
-      - "traefik.http.routers.ovis-backend-ccp.middlewares=ovis-backend-ccp-strip"
+      - "traefik.http.routers.ovis-backend-ccp.middlewares=ovis-backend-ccp-strip,traefik-forward-auth-ovis"
      - "traefik.http.routers.ovis-backend-ccp.service=ovis-backend"
      - "traefik.http.services.ovis-backend.loadbalancer.server.port=4001"

@@ -68,6 +106,5 @@ services:
      - "traefik.http.middlewares.ovis-frontend-ccp-slash-redirect.redirectregex.permanent=true"
      - "traefik.http.routers.ovis-frontend-ccp.tls=true"
      - "traefik.http.routers.ovis-frontend-ccp.rule=PathPrefix(`/ccp-ovis`)"
-      - "traefik.http.middlewares.ovis-frontend-ccp-strip.stripprefix.prefixes=/ccp-ovis"
-      - "traefik.http.routers.ovis-frontend-ccp.middlewares=ovis-frontend-ccp-slash-redirect,ovis-frontend-ccp-strip"
+      - "traefik.http.routers.ovis-frontend-ccp.middlewares=ovis-frontend-ccp-slash-redirect,traefik-forward-auth-ovis"
      - "traefik.http.services.ovis-frontend.loadbalancer.server.port=5173"
--- a/ccp/modules/ovis-setup.sh
+++ b/ccp/modules/ovis-setup.sh
@@ -1,6 +1,6 @@
 #!/bin/bash -e

 if [ -n "$ENABLE_OVIS" ]; then
-  log INFO "OVIS setup detected -- will start OVIS services."
+  log INFO "OVIS setup detected -- will start OVIS services with local oauth2-proxy middleware."
  OVERRIDE+=" -f ./$PROJECT/modules/ovis-compose.yml"
 fi