├── .gitignore ├── CHANGELOG-zh.md ├── CHANGELOG.md ├── CHECKSUM.md ├── LICENSE ├── README-en.md ├── README.md ├── example ├── docker │ ├── .env │ └── docker-compose.yml ├── howto-define-different-auth │ ├── .env │ └── docker-compose.yml ├── howto-use-gitea │ ├── .env │ ├── docker-compose.yml │ └── gitea-sso-example.png ├── howto-use-lic-file │ ├── .env │ ├── docker-compose.yml │ └── my.lic ├── howto-use-outline │ └── README.md └── howto-use-traefik │ ├── .env │ └── docker-compose.yml └── snapshots └── gui.png /.gitignore: -------------------------------------------------------------------------------- 1 | .DS_Store 2 | demo 3 | -------------------------------------------------------------------------------- /CHANGELOG-zh.md: -------------------------------------------------------------------------------- 1 | # 变更日志 2 | 3 | ## 1.1.6-2021.09.22 4 | 5 | - [改进] 支持优雅退出,提升程序重新部署效率。 6 | 7 | ## 1.1.5-2021.09.04 8 | 9 | - [新增] 开放 Outline 接口,支持 Outline 私有化部署使用。 10 | 11 | ## 1.1.4 - 2021.08.20 12 | 13 | - [新增] 提升默认使用体验,区分系统登录和授权登录两种状态,默认不强制用户首次登录必须查看用户信息,根据用户登录状况判断是否需要自动返回请求地址。 14 | 15 | ## 1.1.3 - 2021.08.20 16 | 17 | - [新增] 新增 Traefik Forward Auth 专用 API 地址 `/api/traefik/auth` ,之前的 API `/api/traefik-auth-user` 将于未来进行废弃。 18 | - [新增] 通用用户信息 API 中新增 `id`, `email`, `nickname` 三个字段,方便对接外部应用。 19 | - [调整] OTP KEY 持久化参数使用数值调整,对于用户直接展示可以使用的 OTP Secret,方便用户在某些时候可以使用手动添加的方式使用。 20 | - [调整] 首次设置 OTP 使用的二维码进行调整,默认会携带当前服务器名称,方便用户在 OTP 工具上进行区分。 21 | 22 | ## 1.1.2 - 2021.08.18 23 | 24 | - [修正] 由 1.1.1 引入的未能正确识别用户变量,导致不能正确登录的问题。 25 | 26 | ## 1.1.1 - 2021.08.12 27 | 28 | - [新增] 新增可选的 CLIENT1至5 配置参数,允许使用不同的授权参数对接不同的应用。 29 | 30 | ## 1.1.0 - 2021.08.12 31 | 32 | - [新增] 新增 OTP KEY 持久化参数,允许用户使用固定 OTP KEY 作为校验手段。 33 | - [新增] 新增 Gitea SSO 配置示例。 34 | - [改进] 简化程序尺寸及模版渲染方式,依赖模块细节实现。 35 | - [修正] 修正 OAuth 授权时出现的问题。 36 | 37 | ## 1.0.0 - 2021.08.11 38 | 39 | > 让程序运行更简单一些,仅需要配置四个参数,即可体验开箱即用的 SSO 服务。 40 | 41 | - [新增] 支持根据指定路径加载授权协议。 42 | - [改进] 简化参数配置,SESSION_SECRET 参数默认会使用足够强的随机字符串自动填充。 43 | - [改进] 
简化参数配置,CLIENT_NAME 参数默认不需要配置,默认使用用户指定的服务名称。 44 | - [改进] 简化参数配置,PORT 参数默认不需要配置,容器内默认使用 `80` 端口,方便容器网络环境内部调用。 45 | - [改进] 改进服务启动时输出内容: 46 | - 明确程序授权使用范围,针对博客读者提供单用户无限制服务。 47 | - 默认输出脱敏后的,当前应用使用的配置信息。 48 | - [调整] 调整 Docker 容器名称以及版本号,缩短应用容器名称。 49 | -------------------------------------------------------------------------------- /CHANGELOG.md: -------------------------------------------------------------------------------- 1 | # CHANGELOG 2 | 3 | ## 1.1.6-2021.09.22 4 | 5 | - [Improvement] Support graceful exit and improve the efficiency of program redeployment. 6 | 7 | ## 1.1.5-2021.09.04 8 | 9 | - [New] Open the Outline API and support the Outline Self-Hosted. 10 | 11 | ## 1.1.4-2021.08.20 12 | 13 | -[New] Improve the default user experience, distinguish the two states of system login and authorized login. By default, users are not forced to check user information for the first login, and judge whether the requested address needs to be automatically returned according to the user's login status. 14 | 15 | ## 1.1.3 - 2021.08.20 16 | 17 | -[New] Added Traefik Forward Auth dedicated API address `/api/traefik/auth`, the previous API `/api/traefik-auth-user` will be obsolete in the future. 18 | -[New] Three fields, `id`, `email`, and `nickname`, are added to the general user information API to facilitate connection with external applications. 19 | -[Adjustment] The OTP KEY persistence parameters are adjusted with numerical values. The user can directly display the OTP Secret that can be used, so that the user can use it by adding it manually at certain times. 20 | -[Adjustment] Set the QR code used by OTP for the first time to adjust. By default, it will carry the current server name, which is convenient for users to distinguish on the OTP tool. 21 | 22 | ## 1.1.2 - 2021.08.18 23 | 24 | -[Fixed] The problem that the user variable introduced by 1.1.1 failed to correctly identify the user could not log in correctly. 
25 | 26 | ## 1.1.1-2021.08.12 27 | 28 | -[New] Added optional CLIENT1 to 5 configuration parameters, allowing different authorization parameters to connect to different applications. 29 | 30 | ## 1.1.0-2021.08.12 31 | 32 | -[New] Added OTP KEY persistent parameters, allowing users to use fixed OTP KEY as a verification method. 33 | -[New] Added Gitea SSO configuration example. 34 | -[Improvement] Simplify the program size and template rendering method, relying on module details. 35 | -[Fix] Fix the problem of OAuth authorization. 36 | 37 | ## 1.0.0-2021.08.11 38 | 39 | > Make the program run easier, only need to configure four parameters, you can experience the out-of-the-box SSO service. 40 | 41 | -[New] Support loading license agreement according to specified path. 42 | -[Improved] Simplify the parameter configuration, the SESSION_SECRET parameter will be automatically filled with a strong enough random string by default. 43 | -[Improved] Simplify the parameter configuration, the CLIENT_NAME parameter does not need to be configured by default, and the service name specified by the user is used by default. 44 | -[Improvement] Simplified parameter configuration, PORT parameters do not need to be configured by default, and port `80` is used by default in the container, which is convenient for internal calls in the container network environment. 45 | -[Improved] Improve the output content when the service starts: 46 | -Clarify the scope of authorized use of the program, and provide single-user unlimited services for blog readers. 47 | -The configuration information used by the current application after desensitization is output by default. 48 | -[Adjustment] Adjust the Docker container name and version number, and shorten the application container name. 
-------------------------------------------------------------------------------- /CHECKSUM.md: -------------------------------------------------------------------------------- 1 | # CHECKSUM 2 | 3 | | Version | Fingerprint | Docker ID | 4 | | --- | --- | --- | 5 | | soulteary/sso-server:1.1.6 | 060d0706d05dabd66bbc94b858b481763c310cfb3702ffce0a87c3f857b26327 | dbf19912a279dd02c2c18a152ce5b61bd088845f194f693baa924a10eddb96e6 | 6 | | soulteary/sso-server:1.1.5 | 060d0706d05dabd66bbc94b858b481763150ef669078dfa92e9e0c76b1758bf8 | 2cf9ba5e79fb47cbd768381e4ba7e34a1d446a5495bf4c5e32d283ee00360738 | 7 | | soulteary/sso-server:1.1.4 | 060d0706d05dabd66bbc94b858b481765d6210607869314b7778c67cddd2ba91 | 38256b86d89fb9fb9cd6612da72a5de2e703a52c3087bef448927ffb36a58392 | 8 | | soulteary/sso-server:1.1.3 | 060d0706d05dabd66bbc94b858b481760216f6ae12b36ac19357385c4afe3777 | 51e4fb0b6cc99d6245ac17b7ff23e59a0560696b8dad520dd36e78faf07c5ccb | 9 | | soulteary/sso-server:1.1.2 | 060d0706d05dabd66bbc94b858b48176fd0d285ac58416ac052e577b261e5a3d | e95fa1b6066cf964f9596b8d572db2a0024b1f3029bc34fa03fe721cb5ea30b4 | 10 | | soulteary/sso-server:1.1.1 | 060d0706d05dabd66bbc94b858b481765a08d4b79ffbc7d939a96db4f6a46d6b | 7c7fa08a707acc6999d1e25cf14d3dd00d397f747e8a9dcb22868707f849f7e4 | 11 | | soulteary/sso-server:1.1.0 | 060d0706d05dabd66bbc94b858b4817651fc771139b3323018d9c1eeb1d9794c | f093c6ab5e825767957c60dfc8f580c7e267e1b7c365062e58fb15a726442c6d | 12 | | soulteary/sso-server:1.0.0 | 060d0706d05dabd66bbc94b858b48176079287862e8111f46ee08a00e80a130d | 979fa1fc30364647e366c0d0448c38924ad7776a057fd8623ee87e5868941565 | 13 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | Creative Commons Legal Code 2 | 3 | CC0 1.0 Universal 4 | 5 | CREATIVE COMMONS CORPORATION IS NOT A LAW FIRM AND DOES NOT PROVIDE 6 | LEGAL SERVICES. 
DISTRIBUTION OF THIS DOCUMENT DOES NOT CREATE AN 7 | ATTORNEY-CLIENT RELATIONSHIP. CREATIVE COMMONS PROVIDES THIS 8 | INFORMATION ON AN "AS-IS" BASIS. CREATIVE COMMONS MAKES NO WARRANTIES 9 | REGARDING THE USE OF THIS DOCUMENT OR THE INFORMATION OR WORKS 10 | PROVIDED HEREUNDER, AND DISCLAIMS LIABILITY FOR DAMAGES RESULTING FROM 11 | THE USE OF THIS DOCUMENT OR THE INFORMATION OR WORKS PROVIDED 12 | HEREUNDER. 13 | 14 | Statement of Purpose 15 | 16 | The laws of most jurisdictions throughout the world automatically confer 17 | exclusive Copyright and Related Rights (defined below) upon the creator 18 | and subsequent owner(s) (each and all, an "owner") of an original work of 19 | authorship and/or a database (each, a "Work"). 20 | 21 | Certain owners wish to permanently relinquish those rights to a Work for 22 | the purpose of contributing to a commons of creative, cultural and 23 | scientific works ("Commons") that the public can reliably and without fear 24 | of later claims of infringement build upon, modify, incorporate in other 25 | works, reuse and redistribute as freely as possible in any form whatsoever 26 | and for any purposes, including without limitation commercial purposes. 27 | These owners may contribute to the Commons to promote the ideal of a free 28 | culture and the further production of creative, cultural and scientific 29 | works, or to gain reputation or greater distribution for their Work in 30 | part through the use and efforts of others. 
31 | 32 | For these and/or other purposes and motivations, and without any 33 | expectation of additional consideration or compensation, the person 34 | associating CC0 with a Work (the "Affirmer"), to the extent that he or she 35 | is an owner of Copyright and Related Rights in the Work, voluntarily 36 | elects to apply CC0 to the Work and publicly distribute the Work under its 37 | terms, with knowledge of his or her Copyright and Related Rights in the 38 | Work and the meaning and intended legal effect of CC0 on those rights. 39 | 40 | 1. Copyright and Related Rights. A Work made available under CC0 may be 41 | protected by copyright and related or neighboring rights ("Copyright and 42 | Related Rights"). Copyright and Related Rights include, but are not 43 | limited to, the following: 44 | 45 | i. the right to reproduce, adapt, distribute, perform, display, 46 | communicate, and translate a Work; 47 | ii. moral rights retained by the original author(s) and/or performer(s); 48 | iii. publicity and privacy rights pertaining to a person's image or 49 | likeness depicted in a Work; 50 | iv. rights protecting against unfair competition in regards to a Work, 51 | subject to the limitations in paragraph 4(a), below; 52 | v. rights protecting the extraction, dissemination, use and reuse of data 53 | in a Work; 54 | vi. database rights (such as those arising under Directive 96/9/EC of the 55 | European Parliament and of the Council of 11 March 1996 on the legal 56 | protection of databases, and under any national implementation 57 | thereof, including any amended or successor version of such 58 | directive); and 59 | vii. other similar, equivalent or corresponding rights throughout the 60 | world based on applicable law or treaty, and any national 61 | implementations thereof. 62 | 63 | 2. Waiver. 
To the greatest extent permitted by, but not in contravention 64 | of, applicable law, Affirmer hereby overtly, fully, permanently, 65 | irrevocably and unconditionally waives, abandons, and surrenders all of 66 | Affirmer's Copyright and Related Rights and associated claims and causes 67 | of action, whether now known or unknown (including existing as well as 68 | future claims and causes of action), in the Work (i) in all territories 69 | worldwide, (ii) for the maximum duration provided by applicable law or 70 | treaty (including future time extensions), (iii) in any current or future 71 | medium and for any number of copies, and (iv) for any purpose whatsoever, 72 | including without limitation commercial, advertising or promotional 73 | purposes (the "Waiver"). Affirmer makes the Waiver for the benefit of each 74 | member of the public at large and to the detriment of Affirmer's heirs and 75 | successors, fully intending that such Waiver shall not be subject to 76 | revocation, rescission, cancellation, termination, or any other legal or 77 | equitable action to disrupt the quiet enjoyment of the Work by the public 78 | as contemplated by Affirmer's express Statement of Purpose. 79 | 80 | 3. Public License Fallback. Should any part of the Waiver for any reason 81 | be judged legally invalid or ineffective under applicable law, then the 82 | Waiver shall be preserved to the maximum extent permitted taking into 83 | account Affirmer's express Statement of Purpose. 
In addition, to the 84 | extent the Waiver is so judged Affirmer hereby grants to each affected 85 | person a royalty-free, non transferable, non sublicensable, non exclusive, 86 | irrevocable and unconditional license to exercise Affirmer's Copyright and 87 | Related Rights in the Work (i) in all territories worldwide, (ii) for the 88 | maximum duration provided by applicable law or treaty (including future 89 | time extensions), (iii) in any current or future medium and for any number 90 | of copies, and (iv) for any purpose whatsoever, including without 91 | limitation commercial, advertising or promotional purposes (the 92 | "License"). The License shall be deemed effective as of the date CC0 was 93 | applied by Affirmer to the Work. Should any part of the License for any 94 | reason be judged legally invalid or ineffective under applicable law, such 95 | partial invalidity or ineffectiveness shall not invalidate the remainder 96 | of the License, and in such case Affirmer hereby affirms that he or she 97 | will not (i) exercise any of his or her remaining Copyright and Related 98 | Rights in the Work or (ii) assert any associated claims and causes of 99 | action with respect to the Work, in either case contrary to Affirmer's 100 | express Statement of Purpose. 101 | 102 | 4. Limitations and Disclaimers. 103 | 104 | a. No trademark or patent rights held by Affirmer are waived, abandoned, 105 | surrendered, licensed or otherwise affected by this document. 106 | b. Affirmer offers the Work as-is and makes no representations or 107 | warranties of any kind concerning the Work, express, implied, 108 | statutory or otherwise, including without limitation warranties of 109 | title, merchantability, fitness for a particular purpose, non 110 | infringement, or the absence of latent or other defects, accuracy, or 111 | the present or absence of errors, whether or not discoverable, all to 112 | the greatest extent permissible under applicable law. 113 | c. 
Affirmer disclaims responsibility for clearing rights of other persons 114 | that may apply to the Work or any use thereof, including without 115 | limitation any person's Copyright and Related Rights in the Work. 116 | Further, Affirmer disclaims responsibility for obtaining any necessary 117 | consents, permissions or other rights required for any use of the 118 | Work. 119 | d. Affirmer understands and acknowledges that Creative Commons is not a 120 | party to this document and has no duty or obligation with respect to 121 | this CC0 or use of the Work. 122 | -------------------------------------------------------------------------------- /README-en.md: -------------------------------------------------------------------------------- 1 | # Docker SSO Server 2 | 3 | A self-hosted SSO service that simplifies login authentication and supports OTP login. 4 | 5 | This program can also be used as the backend for Traefik Forward Auth. 6 | 7 | [中文文档](./README.md) | [CHANGELOG](./CHANGELOG.md) 8 | 9 | ## Snapshots 10 | 11 | As a simple and lightweight program, it only has four GUIs: Login, OTP Login, OTP Binding and Account Page. 12 | 13 | ![GUI](./snapshots/gui.png) 14 | 15 | ## Docker 16 | 17 | Try running a private service in a few seconds: 18 | 19 | ```bash 20 | docker run -d --name=sso-server \ 21 | -e CLIENT_NAME="YOUR OWN SSO SERVER" \ 22 | -e CLIENT_ID="YOUR_OAUTH_CLIENT_ID" \ 23 | -e CLIENT_SECRET="YOUR_OAUTH_CLIENT_SECRET" \ 24 | -e USER_PASS="password" \ 25 | -p 3000:80 soulteary/sso-server:1.1.5 26 | ``` 27 | 28 | Open `http://localhost:3000/login` and you will see the login screen. 29 | 30 | For user login, the default username is `username` (without quotes); the password is set by the `USER_PASS` variable, and in the example it is `password`. 31 | 32 | Note: The contents of the `username` and `user_email` fields used by the service are initialized from the "license file" by default. 
You can read the "Config" section below and refer to the sample file to understand how to use the license file. You can define your own `username` and `email address` by generating a license file yourself, [click here to generate it online](https://readers-lic-gift.suyang.wiki/). 33 | 34 | ## API && Router 35 | 36 | There are two routes that users need to pay attention to: 37 | 38 | - Router 39 | - Login Page: `/login` 40 | - Logout Page: `/logout` 41 | 42 | There are two more routes you may want to know about, but they are not important: 43 | 44 | - Router 45 | - Health Check: `/health` 46 | - Account Page: `/account` 47 | 48 | Currently the program supports the following commonly used APIs: 49 | 50 | - API 51 | 1. User Logout: `/logout` 52 | 2. OAuth Token: `/oauth/token` 53 | 3. OAuth User Info: `/api/userinfo`, 54 | 4. OAuth Client Info: `/api/clientinfo`, 55 | 5. Traefik Forward Auth: `/api/traefik-auth-user` (since 1.1.3 the dedicated endpoint `/api/traefik/auth` is available and the older path is scheduled for deprecation, see the CHANGELOG) 56 | 6. Outline user information: `/api/outline/oidc` 57 | 58 | Under normal circumstances you don’t need to know how to use them; you just need to fill them in to the system that needs to authenticate, like this: 59 | 60 | ```ini 61 | tokenURL = 'http://host-name-or-ip/oauth/token' 62 | authorizationURL = 'http://host-name-or-ip/dialog/authorize' 63 | profileUrl = 'http://host-name-or-ip/api/userinfo' 64 | ``` 65 | 66 | ## Fingerprint 67 | 68 | To let you verify the integrity of the program, a unique check value is printed when the program starts. 69 | 70 | **If the value does not match the list below, please do not continue to run the program.** 71 | 72 | - Version: **soulteary/sso-server:1.1.6** 73 | - Fingerprint: `060d0706d05dabd66bbc94b858b481763c310cfb3702ffce0a87c3f857b26327` 74 | - Docker Image: `dbf19912a279dd02c2c18a152ce5b61bd088845f194f693baa924a10eddb96e6` 75 | 76 | View the fingerprints of all [previous versions](./CHECKSUM.md). 
77 | 78 | ## Login mode support 79 | 80 | - OAuth2 81 | - OTP 82 | - (TBD) L2TP 83 | 84 | ## Resource usage 85 | 86 | - CPU USAGE: <1% 87 | - MEM USAGE: ~15MiB 88 | 89 | ## Config (`.env` file) 90 | 91 | For the program to run correctly, a few variables need to be defined; most of them are optional and can be left unset. 92 | 93 | | Environment variable | Optional | Example | Default | Note | 94 | | --- | --- | --- | --- | --- | 95 | | **USER_PASS** | NO | `YOUR_PASS_WORD` | `password` | The account password. | 96 | | **CLIENT_ID** | NO | `YOUR_CLIENT_ID` | `SjVN7VhgOsku` | Client ID used for OAuth2 authorization | 97 | | **CLIENT_SECRET** | NO | `YOUR_CLIENT_SECRET` | `t3Qt89nv9u5O` | Client Secret used for OAuth2 authorization | 98 | | CLIENT_ISTRUSTED | YES | `true` | `false` | If true, the client application receives the user information without an explicit authorization confirmation from the user. | 99 | | CLIENT_NAME | YES | `My CLIENT NAME` | `GENERAL SSO SERVER` | Only used for page or command line information display. If not set, the `SERVER_NAME` variable is used instead. 
| 100 | | SERVER_NAME | Yes | `My SSO Server` | `SSO Server` | Only used for the OTP tool, web page or command line information display | 101 | | PORT | Yes | `8080` | `80` | Port the program listens on inside the container | 102 | | OTP_OPTION | Yes | `KEY:MIZUSR2ZJZTWUSDY;PERIOD:30` | empty | User-specified OTP parameters; they can be obtained on the account page after the first binding | 103 | | SESSION_SECRET | Yes | `iWoupoFYZ9Ud` | `RANDOM STRING()` | Secret for the server's sessions; if not set, a sufficiently strong random string is generated automatically (see CHANGELOG 1.0.0) | 104 | | SERVER_DOMAIN | Yes | `sso.example.com` | empty | Only required in the Traefik docker-compose.yml file | 105 | | LICENSE | Yes | `...(huge text)` | `PRESET_LICENSE_TEXT` | The content of the user license agreement; use either this or `LICENSE_FILE` | 106 | | LICENSE_FILE | Yes | `/app/my.lic` | empty | The file path of the user license agreement file; use either this or `LICENSE` | 107 | 108 | ### Differentiate authorization for different applications 109 | 110 | If you need to set different authorization parameters for different applications, you can use the `CLIENT_*` series of parameters. 
111 | 112 | | Environment variable | Optional | Example | Default | Note | 113 | | --- | --- | --- | --- | --- | 114 | | CLIENT_1_ID | YES | `YOUR_CLIENT_ID` | `SjVN7VhgOsku` | Same function as `CLIENT_ID`, but specified separately for one application or one class of applications | 115 | | CLIENT_1_SECRET | YES | `YOUR_CLIENT_SECRET` | `t3Qt89nv9u5O` | Same function as `CLIENT_SECRET`, but specified separately for one application or one class of applications | 116 | | CLIENT_1_ISTRUSTED | YES | `true` | `false` | Same function as `CLIENT_ISTRUSTED`, but specified separately for one application or one class of applications | 117 | | CLIENT_1_NAME | YES | `My CLIENT NAME` | `GENERAL SSO SERVER` | Same function as `CLIENT_NAME`, but specified separately for one application or one class of applications | 118 | 119 | The program currently supports indexes `1` to `5`, so up to five different applications can be defined, which is enough for general scenarios. 120 | 121 | 122 | ## Example 123 | 124 | The docker examples can be viewed [here](./example). 125 | 126 | The default account: 127 | 128 | - username: `username` 129 | - password: `password` 130 | 131 | To further improve the security of the program, by default a restart of the service requires the account's OTP to be bound again by scanning the QR code. You can change this default behavior by setting a fixed `OTP_OPTION`. 132 | 133 | ## Option: Outbound Restriction 134 | 135 | This project does not need access to an external network. If you have concerns about this program, you can use the following method to restrict it from accessing external network data. 
136 | 137 | https://github.com/francoisruty/fruty_docker-outbound-restriction 138 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # 单点登录服务 2 | 3 | 一个简单、轻量支持自托管的单点登录服务,用于简化登录认证操作,支持 OTP 方式登录,同时可以作为 `Traefik Forward Auth` 后端使用。[变更日志](./CHANGELOG-zh.md) 4 | 5 | For English users: [ENGLISH VERSION](./README-en.md). 6 | 7 | ## 程序截图 8 | 9 | 作为一个简单的轻量级程序,它只有四个图形界面:登录、OTP登录、OTP绑定、帐户页面。 10 | 11 | ![用户界面](./snapshots/gui.png) 12 | 13 | ## Docker 14 | 15 | 你可以尝试使用 Docker 在几秒钟内运行一个属于你的私有服务: 16 | 17 | ```bash 18 | docker run -d --name=sso-server \ 19 | -e CLIENT_NAME="YOUR OWN SSO SERVER" \ 20 | -e CLIENT_ID="YOUR_OAUTH_CLIENT_ID" \ 21 | -e CLIENT_SECRET="YOUR_OAUTH_CLIENT_SECRET" \ 22 | -e USER_PASS="password" \ 23 | -p 3000:80 soulteary/sso-server:1.1.5 24 | ``` 25 | 26 | 服务启动之后,使用浏览器访问 `http://localhost:3000/login`,将可以看到登录界面。 27 | 28 | 默认的账号密码是 `username`(不带引号)和 `password`(密码由用户通过 `USER_PASS` 变量设置,示例中的密码是这个)。 29 | 30 | 注意:服务使用的 `username` 和 `user_email` 字段内容,默认将根据“授权许可文件”进行初始化。你可以阅读下文中“配置文件”以及参考示例文件,来了解如何使用授权文件。你可以通过自助生成授权文件来定义你的`用户名`和`邮箱地址`,[点击此处在线生成](https://readers-lic-gift.suyang.wiki/)。 31 | 32 | 33 | ## API 及路由 34 | 35 | 作为用户,我们只需要了解两个路由即可: 36 | 37 | - Router 38 | - 登录页面: `/login` 39 | - 登出登录: `/logout` 40 | 41 | 除此之外,还有两个不太重要的路由,它们是: 42 | 43 | - Router 44 | - 用于容器健康检查使用: `/health` 45 | - 用户账号信息展示: `/account` 46 | 47 | 程序当前支持五种常用的 API: 48 | 49 | - API 50 | 1. 当前账号登出: `/logout` 51 | 2. OAuth Token: `/oauth/token` 52 | 3. OAuth 用户信息: `/api/userinfo`, 53 | 4. OAuth 客户端信息: `/api/clientinfo`, 54 | 5. Traefik Forward Auth: `/api/traefik-auth-user` 55 | 6. 
Outline 用户信息: `/api/outline/oidc` 56 | 57 | 一般情况下,你不需要知道如何使用它们,你只需要知道如何将它们填入需要使用认证的程序配置里就行了,像是这样: 58 | 59 | ```ini 60 | tokenURL = 'http://host-name-or-ip/oauth/token' 61 | authorizationURL = 'http://host-name-or-ip/dialog/authorize' 62 | profileUrl = 'http://host-name-or-ip/api/userinfo' 63 | ``` 64 | 65 | ## 程序指纹 66 | 67 | 为了方便校验程序的完整性,程序启动时会输出一个唯一的校验值。 68 | 69 | **如果数值与下表不符,请不要继续运行程序。** 70 | 71 | - 版本: **soulteary/sso-server:1.1.6** 72 | - 指纹: `060d0706d05dabd66bbc94b858b481763c310cfb3702ffce0a87c3f857b26327` 73 | - 镜像: `dbf19912a279dd02c2c18a152ce5b61bd088845f194f693baa924a10eddb96e6` 74 | 75 | 查看所有[历史版本](./CHECKSUM.md)的指纹。 76 | ## 当前支持登录模式 77 | 78 | - OAuth2 79 | - OTP 80 | - (计划中) L2TP 81 | 82 | ## 资源使用 83 | 84 | - CPU 使用率: <1% 85 | - MEM 使用率: ~15MiB 86 | 87 | ## 配置文件 (`.env` 及环境变量) 88 | 89 | 为了保证程序能够正确运行,我们需要定义一些变量,其中大部分配置都是可选的(可以忽略)。 90 | 91 | | 环境变量 | 是否可选 | 示例 | 默认值 | 说明 | 92 | | --- | --- | --- | --- | --- | 93 | | **USER_PASS** | 否 | `YOUR_PASS_WORD` | `password` | 设置属于你的账号密码。 | 94 | | **CLIENT_ID** | 否 | `YOUR_CLIENT_ID` | `SjVN7VhgOsku` | OAuth2 认证需要使用的 Client ID | 95 | | **CLIENT_SECRET** | 否 | `YOUR_CLIENT_SECRET` | `t3Qt89nv9u5O` | OAuth2 认证需要使用的 Client Secret | 96 | | CLIENT_ISTRUSTED | 是 | `true` | `false` | 如果设置为 true,则需要授权的程序无需用户明确授权确认即可使用用户信息 | 97 | | CLIENT_NAME | 是 | `My CLIENT NAME` | `GENERAL SSO SERVER` | 仅用于页面或命令行信息显示。如果未设置,将使用 `SERVER_NAME` 变量进行替代。 | 98 | | SERVER_NAME | 是 | `My SSO Server` | `SSO Server` | 仅用于 OTP 工具、Web 页面或命令行信息显示 | 99 | | PORT | 是 | `8080` | `80` | 容器内程序的监听端口 | 100 | | OTP_OPTION | 是 | `KEY:MIZUSR2ZJZTWUSDY;PERIOD:30` | 空 | 用户指定的 OTP 参数,第一次绑定后,可以在用户页面获得 | 101 | | SESSION_SECRET | 是 | `iWoupoFYZ9Ud` | `RANDOM STRING()` | 会话密钥;未设置时会自动填充足够强的随机字符串(见变更日志 1.0.0) | 102 | | SERVER_DOMAIN | 是 | `sso.example.com` | 空 | 仅在 Traefik docker-compose.yml 文件中需要 | 103 | | LICENSE | 是 | `...(huge text)` | `PRESET_LICENSE_TEXT` | 用户许可协议的内容,和 `LICENSE_FILE` 二选一使用 | 104 | | LICENSE_FILE | 是 | `/app/my.lic` | 空 | 用户许可协议文件的文件路径,和 `LICENSE` 二选一使用 | 105 | 106 | 
### 针对不同应用进行授权区分 107 | 108 | 如果你需要针对不同的应用设置不同的授权参数,则可以使用 `CLIENT_*` 系列参数。 109 | 110 | | 环境变量 | 是否可选 | 示例 | 默认值 | 说明 | 111 | | --- | --- | --- | --- | --- | 112 | | CLIENT_1_ID | 否 | `YOUR_CLIENT_ID` | `SjVN7VhgOsku` | 作用和 `CLIENT_ID` 一致,为某个应用或者某类应用单独指定 | 113 | | CLIENT_1_SECRET | 否 | `YOUR_CLIENT_SECRET` | `t3Qt89nv9u5O` | 作用和 `CLIENT_SECRET` 一致,为某个应用或者某类应用单独指定 | 114 | | CLIENT_1_ISTRUSTED | 是 | `true` | `false` | 作用和 `CLIENT_ISTRUSTED` 一致,为某个应用或者某类应用单独指定 | 115 | | CLIENT_1_NAME | 是 | `My CLIENT NAME` | `GENERAL SSO SERVER` | 作用和 `CLIENT_NAME` 一致,为某个应用或者某类应用单独指定 | 116 | 117 | 目前程序支持 1 ~ 5,所以我们可以定义五个不同的应用,应该足够一般场景使用。 118 | 119 | ## 示例 120 | 121 | 可以在[此处](./example)查看更多 docker 示例。 122 | 123 | 默认账号: 124 | 125 | - 用户名: `username` 126 | - 密码: `password` 127 | 128 | 为了进一步提高程序的安全性,默认服务重启时需要重新扫码设置账户的 OTP 验证。这个默认行为允许通过设置固定的 `OTP_OPTION` 进行变更。 129 | 130 | ## 可选项:出站网络限制 131 | 132 | 本项目不需要使用外网服务。如果你担心这个程序,可以参考下面的方法来限制容器中的程序访问外网数据,从根本上解决你的顾虑,:D 133 | 134 | https://github.com/francoisruty/fruty_docker-outbound-restriction 135 | -------------------------------------------------------------------------------- /example/docker/.env: -------------------------------------------------------------------------------- 1 | # Docs @see https://github.com/soulteary/docker-sso-server 2 | CLIENT_ID=this-is-id 3 | CLIENT_SECRET=this-is-secret 4 | USER_PASS=password 5 | 6 | # Optional 7 | # CLIENT_ISTRUSTED=false 8 | # SERVER_NAME=SELF-HOSTED SSO 9 | # SERVER_LISTEN_PORT=80 10 | # SESSION_SECRET=YOUR_SESSION_SECRET_KEY 11 | # CLIENT_NAME=My SSO Service 12 | # OTP_OPTION=KEY:MIZUSR2ZJZTWUSDY;PERIOD:30 13 | # LICENSE= 14 | # LICENSE_FILE= -------------------------------------------------------------------------------- /example/docker/docker-compose.yml: -------------------------------------------------------------------------------- 1 | version: "3.6" 2 | 3 | services: 4 | 5 | self-hosted-sso-server: 6 | image: soulteary/sso-server:1.1.6 7 | container_name: sso-server 8 | hostname: sso-server 9 | 
restart: always 10 | ports: 11 | - 8080:80 12 | volumes: 13 | - /etc/localtime:/etc/localtime:ro 14 | - /etc/timezone:/etc/timezone:ro 15 | command: ./main 16 | environment: 17 | - TZ=Asia/Shanghai 18 | - PORT=${SERVER_LISTEN_PORT:-80} 19 | - SESSION_SECRET=${SESSION_SECRET:-} 20 | - SERVER_NAME=${SERVER_NAME:-} 21 | - CLIENT_NAME=${CLIENT_NAME:-} 22 | - CLIENT_ID=${CLIENT_ID:-} 23 | - CLIENT_SECRET=${CLIENT_SECRET:-} 24 | - CLIENT_ISTRUSTED=${CLIENT_ISTRUSTED:-} 25 | - USER_PASS=${USER_PASS:-} 26 | - LICENSE=${LICENSE:-} 27 | - LICENSE_FILE=${LICENSE_FILE:-} 28 | - OTP_OPTION=${OTP_OPTION:-} 29 | logging: 30 | driver: "json-file" 31 | options: 32 | max-size: "10m" 33 | -------------------------------------------------------------------------------- /example/howto-define-different-auth/.env: -------------------------------------------------------------------------------- 1 | # Docs @see https://github.com/soulteary/docker-sso-server 2 | USER_PASS=password 3 | 4 | # The following configurations are optional 5 | CLIENT_1_NAME= 6 | CLIENT_1_ID=client1 7 | CLIENT_1_SECRET= 8 | CLIENT_1_ISTRUSTED= 9 | 10 | CLIENT_2_NAME= 11 | CLIENT_2_ID=client2 12 | CLIENT_2_SECRET= 13 | CLIENT_2_ISTRUSTED= 14 | 15 | CLIENT_3_NAME= 16 | CLIENT_3_ID=client3 17 | CLIENT_3_SECRET= 18 | CLIENT_3_ISTRUSTED= 19 | 20 | CLIENT_4_NAME= 21 | CLIENT_4_ID=client4 22 | CLIENT_4_SECRET= 23 | CLIENT_4_ISTRUSTED= 24 | 25 | CLIENT_5_NAME= 26 | CLIENT_5_ID=client5 27 | CLIENT_5_SECRET= 28 | CLIENT_5_ISTRUSTED= 29 | 30 | # Optional 31 | # CLIENT_ISTRUSTED=false 32 | # SERVER_NAME=SELF-HOSTED SSO 33 | # SERVER_LISTEN_PORT=80 34 | # SESSION_SECRET=YOUR_SESSION_SECRET_KEY 35 | # CLIENT_NAME=My SSO Service 36 | # OTP_OPTION=KEY:MIZUSR2ZJZTWUSDY;PERIOD:30 37 | # LICENSE= 38 | # LICENSE_FILE= -------------------------------------------------------------------------------- /example/howto-define-different-auth/docker-compose.yml: -------------------------------------------------------------------------------- 1 
| version: "3.6" 2 | 3 | services: 4 | 5 | self-hosted-sso-server: 6 | image: soulteary/sso-server:1.1.6 7 | container_name: sso-server 8 | hostname: sso-server 9 | restart: always 10 | ports: 11 | - 8080:80 12 | volumes: 13 | - /etc/localtime:/etc/localtime:ro 14 | - /etc/timezone:/etc/timezone:ro 15 | command: ./main 16 | environment: 17 | - USER_PASS=${USER_PASS:-} 18 | # The following configurations are optional 19 | - TZ=Asia/Shanghai 20 | - PORT=${SERVER_LISTEN_PORT:-80} 21 | - SESSION_SECRET=${SESSION_SECRET:-} 22 | # FOR CLIENT 1 23 | - CLIENT_1_NAME=${CLIENT_1_NAME:-} 24 | - CLIENT_1_ID=${CLIENT_1_ID:-} 25 | - CLIENT_1_SECRET=${CLIENT_1_SECRET:-} 26 | - CLIENT_1_ISTRUSTED=${CLIENT_1_ISTRUSTED:-} 27 | # FOR CLIENT 2 28 | - CLIENT_2_NAME=${CLIENT_2_NAME:-} 29 | - CLIENT_2_ID=${CLIENT_2_ID:-} 30 | - CLIENT_2_SECRET=${CLIENT_2_SECRET:-} 31 | - CLIENT_2_ISTRUSTED=${CLIENT_2_ISTRUSTED:-} 32 | # FOR CLIENT 3 33 | - CLIENT_3_NAME=${CLIENT_3_NAME:-} 34 | - CLIENT_3_ID=${CLIENT_3_ID:-} 35 | - CLIENT_3_SECRET=${CLIENT_3_SECRET:-} 36 | - CLIENT_3_ISTRUSTED=${CLIENT_3_ISTRUSTED:-} 37 | # FOR CLIENT 4 38 | - CLIENT_4_NAME=${CLIENT_4_NAME:-} 39 | - CLIENT_4_ID=${CLIENT_4_ID:-} 40 | - CLIENT_4_SECRET=${CLIENT_4_SECRET:-} 41 | - CLIENT_4_ISTRUSTED=${CLIENT_4_ISTRUSTED:-} 42 | # FOR CLIENT 5 43 | - CLIENT_5_NAME=${CLIENT_5_NAME:-} 44 | - CLIENT_5_ID=${CLIENT_5_ID:-} 45 | - CLIENT_5_SECRET=${CLIENT_5_SECRET:-} 46 | - CLIENT_5_ISTRUSTED=${CLIENT_5_ISTRUSTED:-} 47 | - SERVER_NAME=${SERVER_NAME:-} 48 | - LICENSE=${LICENSE:-} 49 | - LICENSE_FILE=${LICENSE_FILE:-} 50 | - OTP_OPTION=${OTP_OPTION:-} 51 | logging: 52 | driver: "json-file" 53 | options: 54 | max-size: "10m" 55 | -------------------------------------------------------------------------------- /example/howto-use-gitea/.env: -------------------------------------------------------------------------------- 1 | # Docs @see https://github.com/soulteary/docker-sso-server 2 | CLIENT_ID=this-is-id 3 | 
CLIENT_SECRET=this-is-secret 4 | USER_PASS=password 5 | SERVER_DOMAIN=sso.lab.io 6 | # Optional (CLIENT_ID, CLIENT_SECRET and USER_PASS above are placeholder values: replace them before deploying) 7 | # CLIENT_ISTRUSTED=false 8 | # SERVER_NAME=SELF-HOSTED SSO 9 | # SERVER_LISTEN_PORT=80 10 | # SESSION_SECRET=YOUR_SESSION_SECRET_KEY 11 | # CLIENT_NAME=My SSO Service 12 | # OTP_OPTION=KEY:MIZUSR2ZJZTWUSDY;PERIOD:30 13 | # LICENSE= 14 | # LICENSE_FILE= -------------------------------------------------------------------------------- /example/howto-use-gitea/docker-compose.yml: -------------------------------------------------------------------------------- 1 | version: "3.6" 2 | 3 | services: 4 | 5 | self-hosted-sso-server: 6 | image: soulteary/sso-server:1.1.6 7 | container_name: sso-server 8 | restart: always 9 | expose: 10 | - 80 # not published on the host; only reachable over the traefik network 11 | command: ./main 12 | volumes: 13 | - /etc/localtime:/etc/localtime:ro 14 | - /etc/timezone:/etc/timezone:ro 15 | extra_hosts: 16 | - "$SERVER_DOMAIN:0.0.0.0" # NOTE(review): pins the SSO host name to 0.0.0.0 inside the container — presumably so the server can resolve its own name; confirm this is intended 17 | networks: 18 | - traefik 19 | environment: 20 | - TZ=Asia/Shanghai 21 | - PORT=${SERVER_LISTEN_PORT:-80} 22 | - SESSION_SECRET=${SESSION_SECRET:-} # session secret; left empty here for the image to fill in — set a fixed value in .env if sessions must survive a redeploy 23 | - SERVER_NAME=${SERVER_NAME:-} 24 | - CLIENT_NAME=${CLIENT_NAME:-} 25 | - CLIENT_ID=${CLIENT_ID:-} 26 | - CLIENT_SECRET=${CLIENT_SECRET:-} # shared with the client application; keep the value in .env, never in this file 27 | - CLIENT_ISTRUSTED=${CLIENT_ISTRUSTED:-} # NOTE(review): what "trusted" skips is defined by the image — confirm before enabling it 28 | - USER_PASS=${USER_PASS:-} # login password taken from .env; empty when unset — NOTE(review): confirm the image refuses to start rather than accepting an empty password 29 | - LICENSE=${LICENSE:-} 30 | - LICENSE_FILE=${LICENSE_FILE:-} 31 | - OTP_OPTION=${OTP_OPTION:-} # format as in the example .env files: KEY:<secret>;PERIOD:<seconds> 32 | labels: 33 | - "traefik.enable=true" 34 | - "traefik.docker.network=traefik" 35 | 36 | - "traefik.http.routers.sso-web.entrypoints=http" # plain-HTTP router with no redirect: the login form and session cookie travel in clear over this entrypoint — attach an https-redirect middleware (see the commented gitea-web example below) 37 | - "traefik.http.routers.sso-web.rule=Host(`$SERVER_DOMAIN`)" 38 | 39 | - "traefik.http.routers.sso-ssl.entrypoints=https" 40 | - "traefik.http.routers.sso-ssl.tls=true" # no certresolver is named, so Traefik presumably serves its default certificate — configure a resolver or a TLS store for $SERVER_DOMAIN 41 | - "traefik.http.routers.sso-ssl.rule=Host(`$SERVER_DOMAIN`)" 42 | 43 | - "traefik.http.services.sso-backend.loadbalancer.server.scheme=http" # plain HTTP only on the internal traefik network; TLS terminates at Traefik 44 | - "traefik.http.services.sso-backend.loadbalancer.server.port=80" 45 | logging: 46 | driver: "json-file" 47 | options: 48 | max-size: "10m" # max-file is not set (json-file default is 1), so rotation at 10m discards earlier output; raise max-file if login logs must be retained 49 | 50 | # @see https://soulteary.com/2020/02/04/gitea-git-server-with-docker-and-traefik-v2.html 51 | gitea: 52 | image: gitea/gitea:1.14.6 # pinned tag — keep it current with upstream security releases when redeploying 53 | container_name: gitea.lab.io 54 | #ports: # SSH is not published; uncommenting the line below exposes git-over-SSH on every host interface (0.0.0.0) 55 | # - "0.0.0.0:22:22" 56 | environment: 57 | - USER_UID=1000 58 | - USER_GID=1000 59 | - APP_NAME=gitea.lab.io 60 | - RUN_MODE=prod 61 | - RUN_USER=git 62 | - SSH_DOMAIN=gitea.lab.io 63 | - SSH_PORT=22 64 | - SSH_LISTEN_PORT=22 65 | - HTTP_PORT=80 66 | - ROOT_URL=https://gitea.lab.io 67 | - LFS_START_SERVER=true 68 | - REQUIRE_SIGNIN_VIEW=true # anonymous users cannot browse repositories 69 | - DB_TYPE=sqlite3 # database file presumably lives under the /data mount below — back it up together with the repositories 70 | - INSTALL_LOCK=false # leaves Gitea's web installer reachable; set it to true once initial setup is done so the installer cannot be re-run against the live instance 71 | - DISABLE_GRAVATAR=true 72 | - ALLOW_LOCALNETWORKS=true # NOTE(review): if this reaches Gitea's webhook/migrations allow-list it lets Gitea-originated requests target internal addresses — needed for the in-network SSO container, but confirm the variable is actually honoured 73 | networks: 74 | - traefik 75 | restart: unless-stopped 76 | labels: 77 | - "traefik.enable=true" 78 | - "traefik.docker.network=traefik" 79 | # Optional: requires an https-redirect middleware to be defined beforehand (see the earlier blog post) 80 | # - "traefik.http.routers.gitea-web.middlewares=https-redirect@file" 81 | - "traefik.http.routers.gitea-web.entrypoints=http" # plain-HTTP router; without the middleware above, sign-ins to gitea.lab.io can happen in clear text 82 | - "traefik.http.routers.gitea-web.rule=Host(`gitea.lab.io`)" 83 | - "traefik.http.routers.gitea-ssl.entrypoints=https" 84 | - "traefik.http.routers.gitea-ssl.tls=true" # no certresolver is named, so Traefik presumably serves its default certificate — configure a resolver or a TLS store for gitea.lab.io 85 | - "traefik.http.routers.gitea-ssl.rule=Host(`gitea.lab.io`)" 86 | - "traefik.http.services.gitea-backend.loadbalancer.server.scheme=http" 87 | - "traefik.http.services.gitea-backend.loadbalancer.server.port=80" 88 | volumes: 89 | - /etc/localtime:/etc/localtime:ro 90 | - /etc/timezone:/etc/timezone:ro 91 | - ./demo/data:/data/ # persistent Gitea state on a writable bind mount — keep it out of version control and back it up 92 | logging: 93 | driver: "json-file" 94 | options: 95 | max-size: "10m" # max-file is not set (json-file default is 1), so rotation at 10m discards earlier output 96 | healthcheck: 97 | test: ["CMD-SHELL", "wget -q --spider --proxy off localhost || exit 1"] 98 | interval: 5s 99 | 100 | networks: 101 | traefik: 102 | external: true # the traefik network must already exist; it is shared with the reverse proxy and the SSO container 103 | -------------------------------------------------------------------------------- /example/howto-use-gitea/gitea-sso-example.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/soulteary/docker-sso-server/8449c92ca50a39065a63c9cb93ca9ca398b0213b/example/howto-use-gitea/gitea-sso-example.png -------------------------------------------------------------------------------- /example/howto-use-lic-file/.env: -------------------------------------------------------------------------------- 1 | # Docs @see https://github.com/soulteary/docker-sso-server 2 | CLIENT_ID=this-is-id 3 | CLIENT_SECRET=this-is-secret 4 | USER_PASS=password 5 | 6 | # Optional (CLIENT_ID, CLIENT_SECRET and USER_PASS above are placeholder values: replace them before deploying) 7 | # CLIENT_ISTRUSTED=false 8 | # SERVER_NAME=SELF-HOSTED SSO 9 | # SERVER_LISTEN_PORT=80 10 | # SESSION_SECRET=YOUR_SESSION_SECRET_KEY 11 | # CLIENT_NAME=My SSO Service 12 | # OTP_OPTION=KEY:MIZUSR2ZJZTWUSDY;PERIOD:30 13 | # LICENSE= 14 | LICENSE_FILE=/app/my.lic -------------------------------------------------------------------------------- /example/howto-use-lic-file/docker-compose.yml: -------------------------------------------------------------------------------- 1 | version: "3.6" 2 | 3 | services: 4 | 5 | self-hosted-sso-server: 6 | image: soulteary/sso-server:1.1.6 7 | container_name: sso-server 8 | hostname: sso-server 9 | restart: always 10 | ports: 11 | - "8080:80" # published on every host interface; use "127.0.0.1:8080:80" if only a local reverse proxy should reach it 12 | volumes: 13 | - /etc/localtime:/etc/localtime:ro 14 | - /etc/timezone:/etc/timezone:ro 15 | - ./my.lic:/app/my.lic:ro # read-only mount of the license; the container path must match LICENSE_FILE in .env (/app/my.lic) 16 | command: ./main 17 | environment: 18 | - TZ=Asia/Shanghai 19 | - PORT=${SERVER_LISTEN_PORT:-80} 20 | - SESSION_SECRET=${SESSION_SECRET:-} # session secret; left empty here for the image to fill in — set a fixed value in .env if sessions must survive a redeploy 21 | - SERVER_NAME=${SERVER_NAME:-} 22 | - CLIENT_NAME=${CLIENT_NAME:-} 23 | - CLIENT_ID=${CLIENT_ID:-} 24 | - CLIENT_SECRET=${CLIENT_SECRET:-} # shared with the client application; keep the value in .env, never in this file 25 | - CLIENT_ISTRUSTED=${CLIENT_ISTRUSTED:-} # NOTE(review): what "trusted" skips is defined by the image — confirm before enabling it 26 | - USER_PASS=${USER_PASS:-} # login password taken from .env; empty when unset — NOTE(review): confirm the image refuses to start rather than accepting an empty password 27 | - LICENSE=${LICENSE:-} 28 | - LICENSE_FILE=${LICENSE_FILE:-} # path inside the container, set to /app/my.lic by this example's .env 29 | - OTP_OPTION=${OTP_OPTION:-} # format as in the example .env files: KEY:<secret>;PERIOD:<seconds> 30 | logging: 31 | driver: "json-file" 32 | options: 33 | max-size: "10m" # max-file is not set (json-file default is 1), so rotation at 10m discards earlier output; raise max-file if login logs must be retained 34 | -------------------------------------------------------------------------------- /example/howto-use-lic-file/my.lic: 
-------------------------------------------------------------------------------- 1 | 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 -------------------------------------------------------------------------------- /example/howto-use-outline/README.md: -------------------------------------------------------------------------------- 1 | # Outline 2 | 3 | - see [https://github.com/soulteary/docker-outline](https://github.com/soulteary/docker-outline) -------------------------------------------------------------------------------- /example/howto-use-traefik/.env: -------------------------------------------------------------------------------- 1 | # Docs @see https://github.com/soulteary/docker-sso-server 2 | CLIENT_ID=this-is-id 3 | CLIENT_SECRET=this-is-secret 4 | USER_PASS=password 5 | SERVER_DOMAIN=sso.lab.io 6 | 7 | # Optional (CLIENT_ID, CLIENT_SECRET and USER_PASS above are placeholder values: replace them before deploying) 8 | # CLIENT_ISTRUSTED=false 9 | # SERVER_NAME=SELF-HOSTED SSO 10 | # SERVER_LISTEN_PORT=80 11 | # SESSION_SECRET=YOUR_SESSION_SECRET_KEY 12 | # CLIENT_NAME=My SSO Service 13 | # OTP_OPTION=KEY:MIZUSR2ZJZTWUSDY;PERIOD:30 14 | # LICENSE= 15 | # LICENSE_FILE= -------------------------------------------------------------------------------- /example/howto-use-traefik/docker-compose.yml: -------------------------------------------------------------------------------- 1 | version: "3.6" 2 | 3 | services: 4 | 5 | self-hosted-sso-server: 6 | image: soulteary/sso-server:1.1.6 7 | container_name: sso-server 8 | hostname: sso-server 9 | restart: always 10 | expose: 11 | - 80 # not published on the host; only reachable over the traefik network 12 | volumes: 13 | - /etc/localtime:/etc/localtime:ro 14 | - /etc/timezone:/etc/timezone:ro 15 | command: ./main 16 | extra_hosts: 17 | - "$SERVER_DOMAIN:0.0.0.0" # NOTE(review): pins the SSO host name to 0.0.0.0 inside the container — presumably so the server can resolve its own name; confirm this is intended 18 | networks: 19 | - traefik 20 | environment: 21 | - TZ=Asia/Shanghai 22 | - PORT=${SERVER_LISTEN_PORT:-80} 23 | - SESSION_SECRET=${SESSION_SECRET:-} # session secret; left empty here for the image to fill in — set a fixed value in .env if sessions must survive a redeploy 24 | - SERVER_NAME=${SERVER_NAME:-} 25 | - CLIENT_NAME=${CLIENT_NAME:-} 26 | - CLIENT_ID=${CLIENT_ID:-} 27 | - CLIENT_SECRET=${CLIENT_SECRET:-} # shared with the client application; keep the value in .env, never in this file 28 | - CLIENT_ISTRUSTED=${CLIENT_ISTRUSTED:-} # NOTE(review): what "trusted" skips is defined by the image — confirm before enabling it 29 | - USER_PASS=${USER_PASS:-} # login password taken from .env; empty when unset — NOTE(review): confirm the image refuses to start rather than accepting an empty password 30 | - LICENSE=${LICENSE:-} 31 | - LICENSE_FILE=${LICENSE_FILE:-} 32 | - OTP_OPTION=${OTP_OPTION:-} # format as in the example .env files: KEY:<secret>;PERIOD:<seconds> 33 | labels: 34 | - "traefik.enable=true" 35 | - "traefik.docker.network=traefik" 36 | 37 | - "traefik.http.routers.sso-web.entrypoints=http" # plain-HTTP router with no redirect: the login form and session cookie travel in clear over this entrypoint — attach an https-redirect middleware (the howto-use-gitea example shows the commented-out label) 38 | - "traefik.http.routers.sso-web.rule=Host(`$SERVER_DOMAIN`)" 39 | 40 | - "traefik.http.routers.sso-ssl.entrypoints=https" 41 | - "traefik.http.routers.sso-ssl.tls=true" # no certresolver is named, so Traefik presumably serves its default certificate — configure a resolver or a TLS store for $SERVER_DOMAIN 42 | - "traefik.http.routers.sso-ssl.rule=Host(`$SERVER_DOMAIN`)" 43 | 44 | - "traefik.http.services.sso-backend.loadbalancer.server.scheme=http" # plain HTTP only on the internal traefik network; TLS terminates at Traefik 45 | - "traefik.http.services.sso-backend.loadbalancer.server.port=80" 46 | logging: 47 | driver: "json-file" 48 | options: 49 | max-size: "10m" # max-file is not set (json-file default is 1), so rotation at 10m discards earlier output; raise max-file if login logs must be retained 50 | 51 | networks: 52 | traefik: 53 | external: true # the traefik network must already exist; it is shared with the reverse proxy 54 | 55 | 56 | -------------------------------------------------------------------------------- /snapshots/gui.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/soulteary/docker-sso-server/8449c92ca50a39065a63c9cb93ca9ca398b0213b/snapshots/gui.png --------------------------------------------------------------------------------