explaingit

botpress/traefik-forward-auth

Analysis updated 2026-07-19 · repo last pushed 2022-05-05

GoAudience · ops devopsComplexity · 4/5DormantSetup · moderate

TLDR

A single sign-on gate for the Traefik reverse proxy. It puts a Google-style login screen in front of any self-hosted web app so only authorized people can access it, without writing auth code.

Mindmap

mindmap
  root((repo))
    What it does
      Blocks unauthorized visitors
      Redirects to login provider
      Sets login cookie
    How it works
      Sits behind Traefik
      Checks every request
      Forwards approved traffic
    Use cases
      Protect internal dashboards
      Secure preview environments
      Single sign-on for teams
    Tech stack
      Go
      Traefik
      Docker Swarm
      Kubernetes
    Audience
      Self-hosting teams
      Ops and DevOps
    Setup
      Traefik knowledge needed
      Flexible auth rules

Code map

Detail Auto

An interactive map of this repo's files and how they connect — its source is parsed live in your browser. Click Visualize to build it.

filefunction / class

What do people build with it?

USE CASE 1

Protect internal team dashboards so only employees with a company email can access them.

USE CASE 2

Put a login gate on a preview environment to share features securely with stakeholders.

USE CASE 3

Add single sign-on to multiple self-hosted apps without building auth from scratch.

USE CASE 4

Require login for an admin panel while keeping a marketing page public on the same domain.

What is it built with?

GoTraefikDocker SwarmKubernetesOpenID Connect

How does it compare?

botpress/traefik-forward-auth42wim/fabio42wim/go-xmpp
LanguageGoGoGo
Last pushed2022-05-052018-02-042020-01-24
MaintenanceDormantDormantDormant
Setup difficultymoderatemoderatemoderate
Complexity4/53/53/5
Audienceops devopsops devopsdeveloper

Figures from each repo's GitHub metadata at analysis time.

How do you get it running?

Difficulty · moderate Time to first run · 1h+

Requires a working Traefik reverse proxy setup and familiarity with Docker Swarm or Kubernetes deployment.

No license information is provided in the explanation, so usage rights are unclear.

In plain English

Traefik Forward Auth adds a Google-style "Sign in with your company email" screen in front of any web app you run behind the Traefik reverse proxy. Instead of building login pages and password databases into every internal tool your team uses, you set this up once and let Traefik block unauthorized visitors before they ever reach the app. Traefik is a traffic router that sits in front of your services. This tool acts as a checkpoint that Traefik consults on every incoming request. If a visitor isn't authenticated, the tool redirects them to an OAuth provider (Google, or any OpenID Connect system like Azure or GitHub) to sign in. Once the provider confirms their identity, the tool sets a cookie and Traefik lets the request through to your app. You can restrict access to specific email domains or individual addresses, and a single login can persist across multiple subdomains. A startup founder running internal dashboards on metrics.example.com and chat.example.com would use this to ensure only their employees can access those tools, without writing any auth code. A PM setting up a preview environment for a new feature could put it behind this gate to share securely with stakeholders. It is designed for teams that self-host apps and want single sign-on without building it from scratch. The project is notable for its flexibility: it supports multiple authentication providers, can operate across multiple domains simultaneously, and lets you define rules so auth is selectively applied (for example, requiring login for an admin panel but allowing public access to a marketing page). The README is detailed about configuration options but assumes familiarity with Traefik and deployment environments like Docker Swarm or Kubernetes, so expect a learning curve if those are new to you.

Copy-paste prompts

Prompt 1
Set up Traefik Forward Auth in front of my internal dashboard so only people with my company's Google email domain can access it. Walk me through the Traefik labels and environment variables I need.
Prompt 2
I have two apps on metrics.example.com and chat.example.com behind Traefik. Use Traefik Forward Auth to protect both with a single Google login that persists across subdomains. Show me the docker-compose and Traefik config.
Prompt 3
Configure Traefik Forward Auth to allow public access to my marketing page but require login for my admin panel on the same domain. How do I set selective auth rules?
Prompt 4
I want to use Azure Active Directory as my OpenID Connect provider with Traefik Forward Auth instead of Google. Show me the provider configuration and required environment variables.

Frequently asked questions

What is traefik-forward-auth?

A single sign-on gate for the Traefik reverse proxy. It puts a Google-style login screen in front of any self-hosted web app so only authorized people can access it, without writing auth code.

What language is traefik-forward-auth written in?

Mainly Go. The stack also includes Go, Traefik, Docker Swarm.

Is traefik-forward-auth actively maintained?

Dormant — no commits in 2+ years (last push 2022-05-05).

What license does traefik-forward-auth use?

No license information is provided in the explanation, so usage rights are unclear.

How hard is traefik-forward-auth to set up?

Setup difficulty is rated moderate, with roughly 1h+ to a first successful run.

Who is traefik-forward-auth for?

Mainly ops devops.

Open on GitHub → Explain another repo

This repo across BitVibe Labs

Verify against the repo before relying on details.