- 6 docs racine (README, HANDOVER, ARCHITECTURE, DECISIONS, INSTALL, OPERATIONS) - 9 docs thématiques dans docs/ - 10 templates docker-compose dans configs/ - 7 scripts Python/Shell d'import Furious vers Zitadel - 2 matrices RBAC Etat infra au 5 juin 2026 : - 88 users Furious importes dans Zitadel - 8 roles RBAC crees et attribues - Intranet filtre les cartes selon role (Approche A) - 7 outils SSO operationnels
55 lines
1.8 KiB
Plaintext
55 lines
1.8 KiB
Plaintext
# ============================================================================
|
|
# dynamic.yml — Configuration dynamique Traefik
|
|
# ============================================================================
|
|
# Middlewares partagés, notamment ForwardAuth pour le SSO.
|
|
|
|
http:
|
|
middlewares:
|
|
# ⭐ Middleware ForwardAuth pour l'authentification SSO via OAuth2-Proxy
|
|
# ⚠️ La ligne "- Cookie" dans authRequestHeaders est CRITIQUE
|
|
oauth2-headers:
|
|
forwardAuth:
|
|
address: "http://oauth2-proxy:4180/oauth2/auth"
|
|
trustForwardHeader: true
|
|
authRequestHeaders:
|
|
- Cookie # ← INDISPENSABLE (sans, le SSO casse)
|
|
- Authorization
|
|
- X-Forwarded-Host
|
|
- X-Forwarded-Proto
|
|
- X-Forwarded-Uri
|
|
authResponseHeaders:
|
|
- X-Auth-Request-User
|
|
- X-Auth-Request-Email
|
|
- X-Auth-Request-Preferred-Username
|
|
- X-Auth-Request-Groups
|
|
- X-Auth-Request-Access-Token
|
|
- X-Forwarded-User
|
|
- X-Forwarded-Email
|
|
- X-Forwarded-Preferred-Username
|
|
- X-Forwarded-Groups
|
|
- Authorization
|
|
|
|
# Middleware "secure headers" - bonne pratique sécurité
|
|
secure-headers:
|
|
headers:
|
|
accessControlAllowMethods:
|
|
- GET
|
|
- POST
|
|
- OPTIONS
|
|
accessControlMaxAge: 100
|
|
hostsProxyHeaders:
|
|
- "X-Forwarded-Host"
|
|
sslRedirect: true
|
|
sslHost: ""
|
|
sslForceHost: true
|
|
sslProxyHeaders:
|
|
X-Forwarded-Proto: https
|
|
stsSeconds: 63072000
|
|
stsIncludeSubdomains: true
|
|
stsPreload: true
|
|
forceSTSHeader: true
|
|
frameDeny: true
|
|
contentTypeNosniff: true
|
|
browserXssFilter: true
|
|
referrerPolicy: "strict-origin-when-cross-origin"
|