Blog
February 21, 2023

Achieve Zero Downtime Access Control for Your Applications

zero downtime access control

Access control secures your public-facing services and it is critical for all modern web applications. And it goes without saying that security is priority no.1 for the Traeifk Labs team and our users, that's why we provide access control as a built-in feature for Traefik Hub.

If you don’t already know our motto, Traefik Labs is on a mission to Make Networking Boring! Just providing built-in access control features wouldn’t cut it — it had to be simple and easy for the user to implement. So, we made sure Traefik Hub users could implement access control for their public-facing applications in just a few clicks, with zero downtime, and no changes to the original application.

But wait! What do you mean by “access control” and how does it work, I can hear someone asking.

Let’s take it from the beginning, shall we?

Defining access control

Access control is the mechanism you implement between your application and the outside world to control and secure who can access your application. Needless to say, access control is critical. Without it, anyone can potentially gain access to your application and try to hack your data or break your system.

Implementing access control for a single application is (almost) a piece of cake. Now, setting up access control for applications within a microservice architecture? That is a whole different monster. To properly protect your microservice applications, you need to implement access control policies for every single application in your system. Leave one application unprotected and you open a hole in your system, easily exploitable by malicious attackers.

Not to mention, choosing a way to secure your applications — Google authentication, OpenID Connect (OIDC), etc. — comes with its own configuration hustles.

That’s where Traefik Hub comes in to simplify the way you set up and implement access control.

Complicated access control mechanisms are a thing of the past

The Access Control Policy (ACP) feature in Traefik Hub is based on the forward authentication mechanism. This means that your reverse proxy, or ingress controller in Kubernetes, delegates the authentication process to the Traefik Hub agent to allow or deny access to your application.

This way you can add advanced authentication mechanisms, like OIDC or JWT, on any application — yes, even legacy apps!

When you enable an ACP on one of your services, Hub automatically configures the ForwardAuth feature on the reverse proxy you used to expose your application. ForwardAuth calls a URL on the Traefik Hub agent to validate and process the authentication workflow. Once this process is complete, and if the user is authorized, they get redirected to your application.

access control mechanism with zero downtime

Bottom line, the only thing you had to do was to configure your Access Control Policy within the Traefik Hub UI, and enjoy the fact that your services are now protected in just a few clicks — with zero configuration changes to your applications or your infrastructure!

But that’s enough talk — let’s get down to business and see the ACP feature in action. I have two examples prepared for you: a homelab setup and a production use case.

Let’s jump in.

api gateway icon dark background colorful elements
Webinar Recording: Level up Your API GameLearn how API gateways enable API-first development in a cloud native world.Watch the Recording

Access control for your homelab project

Let’s begin with a simple example of how to implement access control with Traefik Hub. In this example, I will show you how to publish a basic homelab project. For this example, I am using a simple motion-detecting application. To keep it simple, in my example I will only use this app to expose my camera. You can also configure the app to detect motion on your camera but we will not use this feature here.

Before we get started, make sure you have the following installed on your machine:

  • Docker
  • docker-compose

Create your Traefik Hub cluster with docker-compose

The first thing you need to do is to create your Traefk Hub account and install your first Traefik Hub Agent.

unnamed--7-

Once the agent is installed, you can deploy the Traefik Hub Agent in your cluster. In this example, I am using the docker-compose mode. Copy and paste the proposed docker-compose command to deploy all this directly in your cluster.

Now let’s create the configuration file for our motion application to expose the first camera. Create a motion.conf file with this content:

stream_port 8080
stream_localhost off

Then, we add our application in the ./docker-compose-hub-agent.yaml file created by this command.

# start the motion project (with privileged: true to simplify the camera configuration)
  motion:
	image: motionproject/motion:latest
	volumes:
	- ./motion.conf:/usr/local/etc/motion/motion.conf
	privileged: true

Now let’s reload the docker-compose project:

docker-compose -f ./docker-compose-hub-agent.yaml up -d

Note I: Here, for the sake of simplicity, I use the same docker-compose for both my Traefik Hub Agent, Traefik Proxy, and MyApp. If you want to use a different docker-compose for each, don't forget to add the motion network on the Traefik Proxy container to allow Traefik Proxy to contact MyApp.

Note II: If you already have a Traefik Proxy instance installed, you can add the Traefik Hub configuration and reuse it instead of deploying a new one.

Publish your app

To publish your application, click on the Service name that represents your application, then click the Publish the service button.

unnamed--4-
unnamed--8-

Finally, type the port we configured for our motion application, 8080, in the Service Port field, and click Save and Publish to publish your application.

unnamed--3-
unnamed--6-

Go to the URL Traefik Hub published for you, and you should see your camera.

If you take a look at the URL, you may notice that it uses HTTPS with a valid certificate for your domain. However, this URL is not protected at all. To keep malicious individuals from watching your camera, you need to set an Access Control Policy.

Set up access control with OIDC to protect your service

For this application, let’s add an ACP with OIDC and Google.

First, go to https://console.cloud.google.com/apis/credentials and create an OAuth client ID in the Create credentials section.

unnamed--2-
unnamed--5-

Note: You need to configure the redirect URL with the domain of your published service followed by /callback.

unnamed--1-

Now head back to the Traefik Hub and create your new ACP using the OIDC method. In the Provider field, select OIDC Google. Fill out the Client ID and Client Secret with the info you got from Google Credentials, and configure the redirect URL with /callback (the path we configured in Google Credentials).

unnamed

Add the users you want to authorize to access your application and save the ACP.

unnamed--14-
unnamed--15-

All is done! Your service is published and secured thanks to your OIDC Access Control Policy.

Publish and secure your production API

Implementing access control for a simple homelab project was insanely simple, right? Now, let’s take it up a notch! Taking our example from your homelab to your production environment, let’s say you have a Kubernetes cluster with a service you want to publish and secure.

Before we get started, make sure you have your Kubernetes cluster up and running.

Create your Traefik Hub cluster with Kubernetes

Create your Hub cluster, just as we did earlier, choose the Kubernetes platform, and apply all the relevant snippets. This will deploy the Traefik Hub Agent and Traefik Proxy as the ingress in your cluster.

Here’s an example of a service:

apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: whami
  name: whoami
spec:
  replicas: 3
  selector:
    matchLabels:
      app: whoami
  template:
    metadata:
      labels:
        app: whoami
    spec:
      containers:
      - image: traefik/whoami
        name: whoami
        imagePullPolicy: Always
        ports:
        - containerPort: 80
          name: web
          protocol: TCP
---
apiVersion: v1
kind: Service
metadata:
  name: whoami
spec:
  ports:
  - name: web
    port: 80
    protocol: TCP
    targetPort: 80
  selector:
    app: whoami

The only thing you have to do now is to find your service in the Traefik Hub UI and publish it.

unnamed--18-

You can verify that it works with a curl call.

unnamed--19-

Excellent! Now that your service is publicly available, let’s secure it with an ACP.

Set up access control with JWT to protect your service

In this example, we will secure our service with the JWT Token Mechanism. Click on the Add Access Control and select Create New ACP. Here, we’ll create a new JWT policy with a signing secret.

unnamed--12-
unnamed--9-

You can now add some forward headers, based on the claim you will add in the JWT token (see the step below).

unnamed--10-

Now let’s try to call this service without a JWT Token.

unnamed--11-

Indeed, we are not authorized to call this URL. Let’s add the JWT token. You can generate the JWT Token on jwt.io with a claim for name and the right signing secret. Then call the URL and add the Authorization Header.

unnamed--13-

Bonus round I

So, we just published a service and secured using ACP and we did so through Traefik Hub’s tunneling mechanism.

But ACPs in Traefik Hub don’t necessarily have to use this tunneling mechanism. If you already have an ingress controller and an ingress set up to publish your service, you can add ACPs to your already existing ingress directly in the Traefik Hub UI.

unnamed--16-
unnamed--17-

As you can see, when I tried to call the URL defined in my ingress, the JWT token and headers from the claim were automatically forwarded.

Bonus round II

If you don’t want to use the Traefik Hub UI, but still want to take advantage of Traefik Hub’s ACP feature, you can use the AccessControlPolicy CRD directly in your cluster and apply it with the kubectl command.

apiVersion: hub.traefik.io/v1alpha1
kind: AccessControlPolicy
metadata:
  name: jwt
spec:
  jwt:
    forwardHeaders:
      name: name
    signingSecret: my signing secret

Then you can add an annotation on your ingress to apply this ACP on your ingress
hub.traefik.io/access-control-policy:

---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: app-whoami
  annotations:
      hub.traefik.io/access-control-policy: jwt

spec:
  rules:
    - host: whoami.localhost
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: whoami
                port:
                  number: 80

Conclusion

And that’s how you do it!

Simple and fast, Traefik Hub helps you secure your publicly available applications in, literally, a few clicks. If you want to learn more about the power of Traefik Hub, we have a bunch of resources that I recommend you check out:

If you want to jump right in and start trying it out yourself, create your free account today!

api gateway icon dark background colorful elements
Level up Your API Game Join our webinar and learn how an API gateway enables API-first development in a cloud native world.Register Today

About the Author

Latest from Traefik Labs

Implementing Runtime API Governance in Traefik Hub
Blog

Implementing Runtime API Governance in Traefik Hub

Read more
Top Five Policies for Runtime API Governance
Blog

Top Five Policies for Runtime API Governance

Read more
Seamlessly Add Advanced Capabilities to Traefik OSS
Webinar

Seamlessly Add Advanced Capabilities to Traefik OSS

Watch now

Traefik Labs uses cookies to improve your experience. By continuing to browse the site you are agreeing to our use of cookies. Find out more in the Cookie Policy.