A Traefik ForwardAuth server for Cloudflare Access

Docker Image Version (latest semver) Docker Pulls License Code size Code lines

What is Kani?

Kani (カニ) (Pronunciation) means Crab in Japanese. I’m not entirely sure what I decided to use this name, but here we are. Kani is designed to be a Traefik ForwardAuth server for validating Cloudflare Access requests.

When a request is proxied through Cloudflare Access, a signed JWT token will be sent to the backend (Traefik in this case) as an HTTP header. Since the JWT token is signed, we can get the public keys from Cloudflare Access to validate that it was indeed issued by Cloudflare Access.

Why use Kani?

It is recommended to use Kani when you are using Cloudflare Access in-front of a service that is behind Traefik. Kani allows Traefik to validate that the request actually went through Cloudflare Access and that the user was granted access, therefore preventing people from bypassing Cloudflare Access.

Getting started

See examples in examples/.


Kani is licensed under the terms of the MIT License. See LICENSE for the full license.


View Github