Require auth for gwen (#71)

* Require auth with logserver_openid_client for gwen

* Add comments; cleanup whitespace

* Add ref to docs

* Clarify

base/freestanding/logs/docker-compose.ingress.yaml

@@ -10,9 +10,16 @@ services:
       - "traefik.http.routers.gwen-${COMPOSE_PROJECT_NAME}.entrypoints=websecure"
       - "traefik.http.routers.gwen-${COMPOSE_PROJECT_NAME}.tls=true"
       - "traefik.http.routers.gwen-${COMPOSE_PROJECT_NAME}.tls.certresolver=letsencrypt"
+
+      # traefik forwardauth: require that requests are validated (return 200 OK) by oidc-proxy before forwarding to service
+      # https://doc.traefik.io/traefik/middlewares/http/forwardauth/
+      - "traefik.http.routers.gwen-${COMPOSE_PROJECT_NAME}.middlewares=gwen-${COMPOSE_PROJECT_NAME}-forwardauth"
+      - "traefik.http.middlewares.gwen-${COMPOSE_PROJECT_NAME}-forwardauth.forwardauth.address=http://oidc-proxy-${COMPOSE_PROJECT_NAME}:4181"
+      - "traefik.http.middlewares.gwen-${COMPOSE_PROJECT_NAME}-forwardauth.forwardauth.authResponseHeaders=X-Forwarded-User"
     networks:
       - ingress
       - internal
+
   postgrest:
     labels:
       - "traefik.enable=true"
@@ -21,7 +28,8 @@ services:
       - "traefik.http.routers.logserver-${COMPOSE_PROJECT_NAME}.tls=true"
       - "traefik.http.routers.logserver-${COMPOSE_PROJECT_NAME}.tls.certresolver=letsencrypt"
 
-
+      # traefik forwardauth: require that requests are validated (return 200 OK) by oidc-proxy before forwarding to service
+      # https://doc.traefik.io/traefik/middlewares/http/forwardauth/
       - "traefik.http.routers.logserver-${COMPOSE_PROJECT_NAME}.middlewares=logserver-${COMPOSE_PROJECT_NAME}-forwardauth"
       - "traefik.http.middlewares.logserver-${COMPOSE_PROJECT_NAME}-forwardauth.forwardauth.address=http://oidc-proxy-${COMPOSE_PROJECT_NAME}:4181"
       - "traefik.http.middlewares.logserver-${COMPOSE_PROJECT_NAME}-forwardauth.forwardauth.authResponseHeaders=X-Forwarded-User"