version: "3"
services:
  traefik:
    image: traefik:v2.1
    command:
      - "--accesslog=true"
      - "--api.insecure=true"
      - "--entrypoints.web.address=:80"
      - "--entrypoints.websecure.address=:443"
      - "--entryPoints.websecure.forwardedHeaders.insecure"
      - "--providers.docker.exposedbydefault=false"
      - "--providers.docker=true"

    ports:
      - "80:80"
      - "443:443"
      - "8080:8080"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock

  httpbin:
    image: kennethreitz/httpbin:latest
    labels:
      - "traefik.http.middlewares.pomerium.forwardauth.authResponseHeaders=X-Pomerium-Authenticated-User-Email,x-pomerium-authenticated-user-id,x-pomerium-authenticated-user-groups,x-pomerium-jwt-assertion"
      - "traefik.http.middlewares.pomerium.forwardauth.address=http://pomerium/"
      - "traefik.http.middlewares.pomerium.forwardauth.trustForwardHeader=true"

      - "traefik.http.routers.httpbin.middlewares=pomerium@docker"
      - "traefik.enable=true"
      - "traefik.http.routers.httpbin.rule=Host(`httpbin.localhost.pomerium.io`)"
      - "traefik.http.routers.httpbin.entrypoints=websecure"
      - "traefik.http.routers.httpbin.tls=true"

  pomerium:
    image: pomerium/pomerium:latest
    volumes:
      - ./config.yaml:/pomerium/config.yaml:ro
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.pomerium.rule=Host(`authenticate.localhost.pomerium.io`)"
      - "traefik.http.routers.pomerium.entrypoints=websecure"
      - "traefik.http.routers.pomerium.tls=true"
    expose:
      - 80