Closed
Description
This is for folks who use Traefik and want to secure CopyParty behind an OIDC/SSO provider while exposing a singular path to the public. Fair disclaimer: I am no Traefik or reverse-proxy/load-balancer wiz, and it took me a few hours to get this working (no AI/LLM involvement), so I figured it would save others time to document this here. Please be aware that you will have to edit certain sections manually to suit your setup.
```yaml
http:
  routers:
    # Secure the root of your CopyParty instance.
    copyparty-secure:
      entryPoints:
        - "web"
        - "websecure"
      # Specify your domain root here.
      rule: "Host(`copyparty.your.domain`)"
      middlewares:
        - copyparty-headers
        - copyparty-oidc-auth
      tls: {}
      priority: 50
      service: copyparty-secure
    # Expose a singular path to the public.
    copyparty-public:
      entryPoints:
        - "web"
        - "websecure"
      # Specify your exposed path by editing the PathPrefix. Example: PathPrefix(`/public`)
      rule: "HostRegexp(`.+`) && PathPrefix(`/YourExposedPath`)"
      middlewares:
        - copyparty-headers
      tls: {}
      priority: 100
      service: copyparty-public
    # Expose necessary javascript for functionality, this should require no change.
    copyparty-utils:
      entryPoints:
        - "web"
        - "websecure"
      rule: "HostRegexp(`.+`) && PathPrefix(`/.cpr`)"
      middlewares:
        - copyparty-headers
      tls: {}
      priority: 95
      service: copyparty-public
  services:
    # Adjust the server URL to point to your CopyParty instance
    copyparty-secure:
      loadBalancer:
        servers:
          - url: "http://YourCopyPartyInstance:3923"
        passHostHeader: true
    # Adjust the server URL to point to your CopyParty instance
    copyparty-public:
      loadBalancer:
        servers:
          - url: "http://YourCopyPartyInstance:3923"
        passHostHeader: true
    # Adjust the server URL to point to your CopyParty instance
    copyparty-utils:
      loadBalancer:
        servers:
          - url: "http://YourCopyPartyInstance:3923"
        passHostHeader: true
  middlewares:
    # Miscellaneous headers, adjust to suit your needs.
    copyparty-headers:
      headers:
        customRequestHeaders:
          X-Forwarded-Proto: https
        accessControlAllowMethods:
          - GET
          - OPTIONS
          - PUT
        accessControlMaxAge: 100
        hostsProxyHeaders:
          - "X-Forwarded-Host"
        stsSeconds: 31536000
        stsIncludeSubdomains: true
        stsPreload: true
        forceSTSHeader: true
        customFrameOptionsValue: SAMEORIGIN
        contentTypeNosniff: true
        browserXssFilter: true
        referrerPolicy: "same-origin"
        customResponseHeaders:
          X-Robots-Tag: "none,noarchive,nosnippet,notranslate,noimageindex,"
          server: "traefik"
    # It is suggested you follow the documentation for this middleware/plugin however, below is a brief example of a Keycloak OIDC/SSO setup. (https://traefik-oidc-auth.sevensolutions.cc/docs/identity-providers)
    copyparty-oidc-auth:
      plugin:
        traefik-oidc-auth:
          Secret: "YourSecretKey"
          Provider:
            ClientId: copyparty
            ClientSecret: YourClientKey
            Url: https://Your.OIDC.Provider/
            UsePkce: false
```
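An added example, not part of the original post: a small offline audit of the three routers above that reports which requests reach CopyParty without passing `copyparty-oidc-auth`. It assumes a simplified model of Traefik's router selection (highest `priority` among matching rules wins, `PathPrefix` is a plain string-prefix test, `HostRegexp(`.+`)` matches any host); the router table is transcribed by hand from the config and the request paths are constructed samples.

```python
# Simplified, assumed model of Traefik router selection for the config above.
# Each entry: (name, priority, host or None for HostRegexp(`.+`), path prefix, middlewares)
ROUTERS = [
    ("copyparty-secure", 50, "copyparty.your.domain", "",
     ["copyparty-headers", "copyparty-oidc-auth"]),
    ("copyparty-public", 100, None, "/YourExposedPath", ["copyparty-headers"]),
    ("copyparty-utils", 95, None, "/.cpr", ["copyparty-headers"]),
]
AUTH_MIDDLEWARE = "copyparty-oidc-auth"


def select_router(host, path):
    """Return the matching router with the highest priority, or None."""
    host = host.lower()
    matches = [r for r in ROUTERS
               if (r[2] is None or r[2] == host) and path.startswith(r[3])]
    return max(matches, key=lambda r: r[1]) if matches else None


def requires_auth(host, path):
    """True if OIDC applies, False if the request is public, None if unrouted."""
    router = select_router(host, path)
    if router is None:
        return None
    return AUTH_MIDDLEWARE in router[4]


def audit(host, paths):
    """Map each sample path to its auth requirement for the given Host header."""
    return {p: requires_auth(host, p) for p in paths}


if __name__ == "__main__":
    # Constructed sample requests, including a sibling folder whose name
    # merely starts with the exposed prefix.
    samples = ["/", "/private/file.txt", "/YourExposedPath/a.txt",
               "/YourExposedPathSecret/a.txt", "/.cpr/util.js"]
    for host in ("copyparty.your.domain", "other.example"):
        for path, auth in audit(host, samples).items():
            state = {True: "OIDC", False: "PUBLIC", None: "no router"}[auth]
            print(f"{host:24} {path:32} {state}")
```

In this model `/YourExposedPathSecret/` is served without OIDC because it shares the string prefix, and the public routes answer on any Host header, so check folder names in the volume root against the exposed prefix before deploying.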