docker-tinyauth: Run TinyAuth Rootless, Distroless, and Truly Tiny
Summary
docker-tinyauth provides a highly secure and optimized Docker image for TinyAuth, a simple authentication middleware. It enables running TinyAuth rootless, distroless, and truly tiny, enhancing security and efficiency for your containerized applications. This image offers features like automatic updates, health checks, and CVE scanning, making it a robust choice for authentication needs.
Repository Info
Tags
Click on any tag to explore related repositories
Introduction
docker-tinyauth provides a highly optimized and secure Docker image for TinyAuth, a simple yet powerful authentication middleware. TinyAuth is designed to add a login screen or integrate OAuth with providers like Google and GitHub to your Docker applications. It seamlessly supports popular proxies such as Traefik, Nginx, and Caddy, making it a versatile solution for securing access to your services. This repository focuses on delivering TinyAuth in a rootless, distroless, and truly tiny container, prioritizing security and efficiency.
Installation
To get started with docker-tinyauth, you can pull the image from various registries. It's recommended to use a specific version tag for stability, for example, 4.0.0.
docker pull 11notes/tinyauth:4.0.0
# Or from other registries:
docker pull ghcr.io/11notes/tinyauth:4.0.0
docker pull quay.io/11notes/tinyauth:4.0.0For a basic setup using Docker Compose, you can define the tinyauth service as follows. Remember to replace placeholder values like ${FQDN_TINYAUTH}, ${SECRET}, and the default USERS password with your own secure configurations.
services:
tinyauth:
image: "11notes/tinyauth:4.0.0"
read_only: true
environment:
APP_URL: "https://${FQDN_TINYAUTH}"
# secret must be a 32 Byte long string (32 characters)
SECRET: ${SECRET}
# admin / admin, please do not use in production!
USERS: "admin:$2y$12$zzekhr74SUez9vo8TK2Be.mJ4EMX44k7whOogQo4F/2i84a6Rl6U6"
labels:
- "traefik.enable=true"
- "traefik.http.routers.tinyauth.rule=Host(`${FQDN_TINYAUTH}`)"
- "traefik.http.routers.tinyauth.entrypoints=https"
- "traefik.http.routers.tinyauth.tls=true"
- "traefik.http.routers.tinyauth.service=tinyauth"
- "traefik.http.services.tinyauth.loadbalancer.server.port=3000"
- "traefik.http.middlewares.tinyauth.forwardauth.address=http://tinyauth:3000/api/auth/traefik"
networks:
- backend
For more details on changing the default UID/GID, consult the how-to.changeUIDGID section of the RTFM.
Examples
The provided docker-compose.yml in the repository demonstrates a comprehensive setup integrating tinyauth with Traefik, socket-proxy, and a whoami service to showcase its functionality. The tinyauth service is configured with Traefik labels to enable forward authentication, securing access to other services like whoami.
services:
tinyauth:
image: "11notes/tinyauth:4.0.0"
read_only: true
environment:
APP_URL: "https://${FQDN_TINYAUTH}"
SECRET: ${SECRET}
USERS: "admin:$2y$12$zzekhr74SUez9vo8TK2Be.mJ4EMX44k7whOogQo4F/2i84a6Rl6U6"
labels:
- "traefik.enable=true"
- "traefik.http.routers.tinyauth.rule=Host(`${FQDN_TINYAUTH}`)"
- "traefik.http.routers.tinyauth.entrypoints=https"
- "traefik.http.routers.tinyauth.tls=true"
- "traefik.http.routers.tinyauth.service=tinyauth"
- "traefik.http.services.tinyauth.loadbalancer.server.port=3000"
- "traefik.http.middlewares.tinyauth.forwardauth.address=http://tinyauth:3000/api/auth/traefik"
networks:
backend:
whoami:
image: "traefik/whoami:latest"
labels:
- "traefik.enable=true"
- "traefik.http.routers.whoami.rule=Host(`${FQDN_WHOAMI}`)"
- "traefik.http.routers.whoami.entrypoints=https"
- "traefik.http.routers.whoami.tls=true"
- "traefik.http.routers.whoami.middlewares=tinyauth" # This line applies tinyauth middleware
- "traefik.http.routers.whoami.service=whoami"
- "traefik.http.services.whoami.loadbalancer.server.port=80"
networks:
backend:
In this example, the whoami service is protected by the tinyauth middleware, meaning users must authenticate via TinyAuth before accessing whoami.
Why use docker-tinyauth?
This Docker image stands out due to its extreme focus on security, simplicity, and optimization. Here are the key reasons to choose 11notes/tinyauth:
- Rootless Execution: Runs as user
1000:1000, significantly reducing potential attack surfaces. - Distroless: The image has no shell and is built on a minimal
scratchbase with only essential components, further enhancing security by removing unnecessary binaries. - Truly Tiny: At just 12MB, it's remarkably small, leading to faster downloads and reduced resource consumption compared to other images (e.g.,
steveiliop56/tinyauthat 35MB). - Automated Updates: Continuously updated to the latest version via CI/CD, ensuring you always have the most recent features and security patches.
- Health Checks: Includes a built-in health check for reliable service monitoring.
- Read-Only Operation: Designed to run in read-only mode for enhanced security.
- CVE Scanning: Automatically scanned for Common Vulnerabilities and Exposures (CVEs) both before and after publishing.
- Secure CI/CD: Created via a secure and pinned CI/CD process, guaranteeing integrity from build to deployment.
If you prioritize robust security, minimal footprint, and streamlined operations for your authentication middleware, docker-tinyauth is an excellent choice.
Links
- GitHub Repository: https://github.com/11notes/docker-tinyauth
- Docker Hub: https://hub.docker.com/r/11notes/tinyauth/tags?name=4.0.0
- GitHub Container Registry (GHCR):
ghcr.io/11notes/tinyauth:4.0.0 - Quay.io:
quay.io/11notes/tinyauth:4.0.0 - Original TinyAuth Project: https://github.com/steveiliop56/tinyauth
- Parent Image (distroless): https://github.com/11notes/docker-distroless