Start your containers on demand, shut them down automatically when there's no activity. Docker, Docker Swarm Mode and Kubernetes compatible.
Middleware plugin which forwards the request IP to a local Crowdsec agent, which can be used to allow/deny the request
An open source Traefik Middleware that enables Authentication via LDAP in a similar way to Traefik Enterprise. "You shall authenticate to the LDAP to pass" - Gandalpher, the gopher
Checks JWT tokens for required fields. Supports Open Policy Agent (OPA) and signature validation with JWKS.
Transform some headers with some other ones, see https://github.com/traefik/traefik/issues/6047
Verifies JWT tokens. Supports RSA/DSA/HMAC. Supports fetching keys from a JWKS endpoint. Supports Open Policy Agent (OPA) for validating the request.
By retrieving the correct real IP from single or multiple different load balancers (e.g. Cloudflare), this plugin effectively prevents IP spoofing.
A Traefik plugin for securing the upstream service with OpenID Connect using the Relying Party Flow.
This plugin for Traefik allows it to authenticate requests against Keycloak. It utilizes Keycloak's client credentials flow to retrieve an access token, which is then set as a bearer token in the Authorization cookie and as a plain token in a custom named cookie of the incoming requests. Optionally sets the Bearer token in the Authorization header. The plugin communicates with Keycloak using the OpenID Connect protocol.
DenyIP is a middleware plugin which accepts IP addresses or IP address ranges and blocks requests originating from those IPs.
When Traefik is deployed behind a load balancer, it should get the real IP from the X-Forwarded-For or Cf-Connecting-Ip (if from Cloudflare) header.
Traefik plugin to proxy requests to the Snapt Nova WAAP/WAF: identify and stop bots, spammers, SQL injections, XSS attacks, DoS, and more.
Validates JWTs for access control. Fetches keys dynamically from whitelisted issuer JWKS as needed. Supports flexible claim checks with optional wildcards.
This is a Traefik middleware plugin that allows users to authenticate using GitHub OAuth. The plugin is intended to be used as a replacement for the BasicAuth middleware, providing a more secure way for users to access protected routes.
Built on top of Traefik Rewrite Body plugin to also support gzip decompress -> update -> recompress.
Middleware adding OpenID Connect (OIDC) authentication to Traefik routes. This middleware replaces the need for forward-auth and oauth2-proxy when using Traefik as a reverse proxy. It provides a complete OIDC authentication solution with features like domain restrictions, role-based access control, token caching, and more. The middleware has been tested with Auth0, Logto, Google, and other standard OIDC providers. It supports various authentication scenarios, including: basic authentication with customizable callback and logout URLs; email domain restrictions to limit access to specific organizations; role and group-based access control; public URLs that bypass authentication; rate limiting to prevent brute force attacks; custom post-logout redirect behavior; secure session management with encrypted cookies; automatic token validation and refresh.
Traefik middleware plugin which forwards the request data (method, path, parameters and headers) to Open Policy Agent, which can be used to allow/deny the request
Integrate Umami into any web service. Request forwarding, script injection and server side tracking.
Checks the incoming request for specific headers and their values to be present and matching the configuration.
Traefik plugin to proxy requests to SafeLine WAF. It serves as a reverse proxy to protect your website from network attacks, including OWASP attacks, zero-day attacks, web crawlers, vulnerability scanning, vulnerability exploits, HTTP floods and so on.
This plugin for Traefik allows it to authenticate requests against an OpenID Provider. It utilizes the provider's client credentials flow to retrieve an access token, which is then set as a bearer token in the Authorization header of the incoming requests. The plugin communicates with the provider using the OpenID Connect protocol (OIDC).
Gets data from MaxMind GeoIP databases and passes it downstream via HTTP request headers.
A plugin that always answers with the same status code without calling a service/server. The response code can be configured.
Plugin that remaps the origin response code to a specified one and removes the response body and specific headers.
This is a lightweight Traefik middleware plugin that allows users to authenticate using GitHub OAuth on specific domains or routes. This plugin requires a sidecar API server to handle the OAuth flow and to validate the JWT token.
Integrate API tokens into the request header to allow restricted access. Supports IP whitelisting.
Authenticate users based on the Common Name, DNS Names and Email Addresses of their TLS client certificate. Optionally add the username as a request header for the upstream service.
Validates JWT tokens generated by Azure and verifies the claims. Allows payload validation based on Azure roles as well.
Rewrites the HTTP request or response headers by replacing a search regex by a replacement string.
Start your containers/services on the first request they receive, and shut them down after a specified duration after the last request they received. Kubernetes, Docker classic and Docker Swarm compatible.
Challenge individual IPs in a subnet when traffic spikes are detected from that subnet, using a captcha of your choice for the challenge
This plugin lets only a predefined number of users through to the origin service. If that number is exceeded, users are redirected to the "waiting room".
Exchanges Cloudflare's JWT for a Nomad token and injects it as a header for seamless Nomad authentication
Verifies the JWT token in the Auth header, cookie or query param, and injects the decoded payload into a header
Proof of concept! See if we can bait Traefik so that we decide from a custom configuration where each request should go!
Allows rewriting host path and headers from a request under a feature flag toggle from Unleash.
Traefik Disolver - Get Real Client IP from Cloudflare/AWS Cloudfront Proxy/Tunnel and other data
The Validate Headers Plugin for Traefik 2 empowers you to enforce strict header validation policies for incoming HTTP requests. With a versatile set of features, this middleware allows you to control and secure your web applications effectively.
Transforms Subsonic authentication parameters into a BasicAuth header, to be used as an adapter for ForwardAuth or to remove sensitive query parameters for Subsonic servers that handle BasicAuth.
Pathauth is a middleware plugin to apply more detailed authorization to multiple endpoints at once. This plugin was developed to work well together with Traefik Enterprise OpenId Connection Authentication Middleware and thomseddon traefik-forward-auth
Traefik Cluster Rate Limiter: the rate limit state is stored in a central Redis server, allowing a rate limit to be shared across Traefik nodes/Kubernetes pods
Ban IPs that make too many bad HTTP requests (i.e., the response from downstream has 4-500 status codes)
This middleware forwards requests to the Open Policy Agent (OPA) for authorization. The middleware expects a boolean "allow" value from OPA and denies requests if "allow" is set to false. Configure the middleware by specifying the OPA URL.
A Middleware plugin for Traefik that serves inline content or JSON data from its configuration.
When you use the Forward Auth middleware for a gRPC router, you can face the problem that the external auth service returns an HTTP status code that cannot be properly processed by the gRPC client. This middleware solves this problem for you.
Middleware plugin to prevent DDoS attacks on Telegram bots by limiting requests by the messages' Telegram IDs
Constructs the Forwarded header from the X-Forwarded-For, X-Forwarded-Host and X-Forwarded-Proto incoming request headers, and appends them to the outgoing request headers.
Header Block is a plugin to block request and response headers that match a regex by their name and/or value
Limit concurrent requests routed to services by delaying (rather than rejecting) requests over the limit. Useful for underpowered servers.
This plugin is used to enhance or replace the client-side JavaScript-based visitor tracking with Matomo by a server-side tracking strategy. This concept is able to bypass JavaScript-blocking browser addons to increase the accuracy of visitor tracking and provide more comprehensive tracking results.
A highly configurable Traefik middleware plugin that can be used to return a response inline based on the configuration without any backend / service. Responses can be configured based on absolute, prefix or regex based paths. Response status code, headers and body can be configured per matcher rule. The response body can also be dynamically generated from Go templates based on the request.
This plugin for Traefik allows authenticating requests against Keycloak. It utilizes Keycloak's client credentials flow to retrieve an access token, which is then set as a bearer token in the Authorization cookie and as a plain token in a custom named cookie of the incoming requests. Optionally sets the Bearer token in the Authorization header. The plugin communicates with Keycloak using the OpenID Connect protocol.
Middleware plugin to block sensitive files from being accessed and display a custom error page.
The Traefik Header Based Proxy Plugin enhances these features by offering a redirection option based on header values.
This middleware sink puts requests directly onto an AWS service like S3 or DynamoDB. Currently, only S3 is supported.
The built-in Traefik middleware PassTLSClientCert lets you pass many certificate parameters such as common name or serial number. But all parameters are passed in one header value, so you cannot get just the pure certificate serial number in a header. This middleware solves this problem for you. It extracts just the pure SN value and puts it in a header.
Reads headers from the app service/client, adds missing headers without overriding existing headers, and forwards them to the client/app service.
This plugin is used to reach a certain endpoint and to be able to propagate cookies that are provided from that endpoint back to the client. The client may be a browser or a simple Postman request.
Redirect based on SQLite database entries to use with https://hub.docker.com/r/vtacquet/redbase
Limits the outbound total output to a specific number of bytes. This requires the use of a local API to maintain the current total: https://github.com/AustinHellerRepo/ResetingIncrementerApi.
When Traefik is deployed behind a load balancer, it should get the real IP from the x-forwarded-for header.
Checks the incoming request for specific body and their values to be present and matching the configuration.
Performs an HTTP/HTTPS request to a specified (URL, HTTP Method) and retrieves any `Set-Cookie` headers from the response. Then, the values of the `Set-Cookie` headers are concatenated and assigned to the `Cookie` header of the request that will be forwarded to the next Traefik middleware or Traefik service.
A Traefik middleware plugin that performs authentication and sets a secure cookie with the access token
The UpstreamWhenPlugin is a Traefik middleware plugin that conditionally forwards incoming HTTP requests to an upstream server based on the configuration and the status code of the upstream server's response.