Adds basic auth example

2024-10-27 20:44:07 +00:00 · 2024-07-23 13:54:25 +01:00 · 2024-07-23 13:54:25 +01:00 · 29564dc7eb
commit 29564dc7eb
parent d75888ac03
3 changed files with 123 additions and 0 deletions
--- a/docker-compose-examples/grist-traefik-basic-auth/configs/traefik-config.yml
+++ b/docker-compose-examples/grist-traefik-basic-auth/configs/traefik-config.yml
@ -0,0 +1,35 @@
+providers:
+  # Enables reading docker label config values
+  docker: {}
+  # Read additional config from this file.
+  file:
+    directory: "/etc/traefik/dynamic"
+
+entrypoints:
+  # Defines a secure entrypoint using TLS encryption
+  websecure:
+    address: ":443"
+    http:
+      tls: true
+  # Defines an insecure entrypoint that redirects to the secure one.
+  web:
+    address: ":80"
+    http:
+      # Redirects HTTP to HTTPS
+      redirections:
+        entrypoint:
+          to: "websecure"
+          scheme: "https"
+
+# Enables automatic certificate renewal
+certificatesResolvers:
+  letsencrypt:
+    acme:
+      email: "my_email@example.com"
+      storage: /acme/acme.json
+      tlschallenge: true
+
+# Enables the web UI
+# This is disabled by default for security, but can be useful to debugging traefik.
+api:
+  # insecure: true
--- a/docker-compose-examples/grist-traefik-basic-auth/configs/traefik-dynamic-config.yml
+++ b/docker-compose-examples/grist-traefik-basic-auth/configs/traefik-dynamic-config.yml
@ -0,0 +1,36 @@
+http:
+  # Declaring the user list
+  middlewares:
+    grist-basic-auth:
+      basicAuth:
+        # The header that Grist will listen for authenticated usernames on.
+        headerField: "X-Forwarded-User"
+        # This is the list of users, in the format username:password.
+        # Passwords can be created using `htpasswd`
+        # E.g: `htpasswd -nB test@example.org`
+        users:
+          # The default username is "test@example.org". The default password is "test".
+          - "test@example.org:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/"
+  routers:
+    # General router for almost all Grist traffic.
+    general:
+      entrypoints:
+        - web
+        - websecure
+      rule: "HostRegexp(`.*`)"
+      service: grist@docker
+      tls:
+        certresolver: letsencrypt
+
+    # Separate Traefik router for the login pages.
+    # This allows a user to visit the site without hitting the basic auth login page.
+    login:
+      entrypoints:
+        - web
+        - websecure
+      rule: "PathPrefix(`/auth/login`) || PathPrefix(`/_oauth`)"
+      middlewares:
+        - grist-basic-auth
+      service: grist@docker
+      tls:
+        certresolver: letsencrypt
--- a/docker-compose-examples/grist-traefik-basic-auth/docker-compose.yml
+++ b/docker-compose-examples/grist-traefik-basic-auth/docker-compose.yml
@ -0,0 +1,52 @@
+# This is the simplest example of Grist with authentication and https encryption.
+
+# It uses Traefik as a reverse proxy and authentication service.
+# Users are defined in traefik-dynamic-config.yml.
+
+# This setup, after configuring HTTPS certificates correctly, should be acceptable on the public internet.
+
+# However, you may want to try a more secure authentication setup such Authelia, Authentik or traefik-forward-auth.
+
+# See https://support.getgrist.com for more information.
+
+services:
+  grist:
+    image: gristlabs/grist:latest
+    environment:
+      # Use Python 3 instead of 2.
+      PYTHON_VERSION: 3
+      # Sets the header to look at for authentication
+      GRIST_FORWARD_AUTH_HEADER: X-Forwarded-User
+      # Forces Grist to only use a single team called 'Example'
+      GRIST_SINGLE_ORG: my-grist-team   # alternatively, GRIST_ORG_IN_PATH: "true" for multi-team operation
+      # Force users to login (disable anonymous access)
+      GRIST_FORCE_LOGIN: true
+      # Base URL Grist redirects to when navigating. Change this to your domain.
+      APP_HOME_URL: https://localhost
+      # Default email for the "Admin" account
+      GRIST_DEFAULT_EMAIL: test@example.org
+    volumes:
+      # Where to store persistent data, such as documents.
+      - ./grist_local_data:/persist
+    labels:
+      - "traefik.http.services.grist.loadbalancer.server.port=8484"
+
+  traefik:
+    image: traefik:latest
+    ports:
+      # HTTP Ports
+      - "80:80"
+      - "443:443"
+      # The Web UI (enabled by --api.insecure=true)
+      # - "8080:8080"
+    volumes:
+      # Set the config file for traefik - this is loaded automatically.
+      - ./configs/traefik-config.yml:/etc/traefik/traefik.yml
+      # Set the config file for the dynamic config, such as middleware.
+      - ./configs/traefik-dynamic-config.yml:/etc/traefik/dynamic/dynamic-config.yml
+      # You may want to put state somewhere other than /tmp :-)
+      - /tmp/grist/acme:/acme
+      # Traefik needs docker access when configured via docker labels.
+      - /var/run/docker.sock:/var/run/docker.sock
+    depends_on:
+      - grist