How to implement a forwardAuth service with traefik2

I had an issue with forwardAuth not working and wanted to implement a service using our own application server as the authentication service instead of the Google auth service.

I'm configuring traefik with those 3 labels:

  • traefik.http.routers.my_app.rule = Host(app.example.com)
  • traefik.http.middlewares.auth.forwardauth.address = https://auth.example.com/web/forward_auth
  • traefik.http.middlewares.auth.forwardauth.trustForwardHeader = true
  • traefik.http.routers.my_app.middlewares = auth@docker

So far so good: when I access my router I do get inside my auth service at the right URL, but... there's the thing I'm not exactly sure I understand.


{
  'wsgi.version': (1, 0),
  'wsgi.url_scheme': 'https',
  'wsgi.input': <_io.BufferedReader name=12>,
  'wsgi.errors': <_io.TextIOWrapper name='<stderr>' mode='w' encoding='UTF-8'>,
  'wsgi.multithread': False,
  'wsgi.multiprocess': False,
  'wsgi.run_once': False,
  'werkzeug.server.shutdown': <function WSGIRequestHandler.make_environ.<locals>.shutdown_server at 0x7fe5111799d8>,
  'SERVER_SOFTWARE': 'Werkzeug/0.16.0',
  'REQUEST_METHOD': 'GET',
  'SCRIPT_NAME': '',
  'PATH_INFO': '/web/forward_auth',
  'QUERY_STRING': '',
  'REQUEST_URI': '/web/forward_auth',
  'RAW_URI': '/web/forward_auth',
  'REMOTE_ADDR': '172.18.0.1',
  'REMOTE_PORT': 60002,
  'SERVER_NAME': '127.0.0.1',
  'SERVER_PORT': '35127',
  'SERVER_PROTOCOL': 'HTTP/1.1',
  'HTTP_HOST': 'auth.example.com',
  'HTTP_USER_AGENT': 'Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:70.0) Gecko/20100101 Firefox/70.0',
  'HTTP_ACCEPT': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8', 
  'HTTP_ACCEPT_ENCODING': 'gzip, deflate, br',
  'HTTP_ACCEPT_LANGUAGE': 'en-US,en;q=0.5', 
  'HTTP_COOKIE': 'session_id=876876876', 
  'HTTP_UPGRADE_INSECURE_REQUESTS': '1',
  'HTTP_X_FORWARDED_FOR': '172.18.0.1', 
  'HTTP_X_FORWARDED_HOST': 'auth.example.com',
  'HTTP_X_FORWARDED_PORT': '443', 
  'HTTP_X_FORWARDED_PROTO': 'https',
  'HTTP_X_FORWARDED_SERVER': 'proxy.example.com', 
  'HTTP_X_REAL_IP': '172.18.0.1',
  'werkzeug.proxy_fix.orig': {
    'REMOTE_ADDR': '10.0.0.21',
    'wsgi.url_scheme': 'http',
    'HTTP_HOST': 'auth.example.com',
    'SERVER_NAME': '127.0.0.1',
    'SERVER_PORT': '35127',
    'SCRIPT_NAME': ''},
  'werkzeug.proxy_fix.orig_remote_addr': '10.0.0.21',
  'werkzeug.proxy_fix.orig_wsgi_url_scheme': 'http',
  'werkzeug.proxy_fix.orig_http_host': 'auth.example.com',
  'werkzeug.request': <Request 'https://dockydoo.odoo.plus/web/forward_auth' [GET]>
}

So here's the problem: it seems that the request goes into traefik, then into the middleware and up to the auth.example.com server, but when the request is made I have absolutely no information regarding the initial request being forwarded from app.example.com.

Is there a way to check whether it's my service that somehow strips the request headers and keeps only one of them instead of keeping all the possible HTTP_X_FORWARDED_*?

My guess is that traefik makes the request through the load balancer, it re-enters traefik, and as traefik is running as a proxy it overrides HTTP_X_FORWARDED_HOST and sets the new one instead.

Is that what's happening? I see there's a configuration option named PassHostHeader and was wondering if it could be used in combination with the /auth rule to prevent overriding it.

Though I'd rather have the header renamed if it's present, because I cannot set PassHostHeader to false. A few things in the service depend on the service being accessed... Though, as I generate the headers, it could be possible for me to pass a GET parameter to the forwardAuth URL in the address config, but I'd prefer to have it work out of the box, or to have some kind of HTTP_FORWARD_AUTH header that could be used.

I have the same experience. I started out simply by referencing the Docker network name of my forward-auth service (in my case sys_forward-auth). Therefore: traefik.http.middlewares.auth.forwardauth.address=http://sys_forward-auth:8080.

At one point I thought it would be better to create Traefik routing config for the forward auth service and changed references to traefik.http.middlewares.auth.forwardauth.address=http://auth-private.example.com. When I made this change I observed the same behaviour you describe. The X-Forwarded headers were dropped and all calls to the forward-auth service returned HTTP status 200.

So I reverted to the old native Docker address.
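Both posts above describe the same failure: when the forwardAuth address points back through traefik, the X-Forwarded-* headers the middleware normally adds are missing and the auth service still answers 200, so every request is let through. Here is an added example, not code from either poster, of a forward-auth endpoint that fails closed in that situation; it is a plain WSGI app on the standard library, and the session ids, allowed hosts and port are constructed values.

```python
# Added example (not from the thread): a minimal fail-closed forwardAuth
# endpoint as a plain WSGI app, using only the standard library.
# Traefik's forwardAuth middleware sends the original request's details in
# X-Forwarded-Method, X-Forwarded-Proto, X-Forwarded-Host, X-Forwarded-Uri
# and X-Forwarded-For. A 2xx response lets the request through; anything
# else is returned to the client instead of the protected service.
from http.cookies import SimpleCookie
from wsgiref.simple_server import make_server

# Constructed sample data: session ids the auth server considers valid and
# the hostnames this auth service is allowed to authorise.
VALID_SESSIONS = {"876876876": "alice"}
ALLOWED_HOSTS = {"app.example.com"}

REQUIRED = ("HTTP_X_FORWARDED_HOST", "HTTP_X_FORWARDED_URI", "HTTP_X_FORWARDED_METHOD")


def decide(environ):
    """Return (status, extra_headers) for one forwardAuth probe.

    Fails closed: if traefik's X-Forwarded-* headers are missing (the
    symptom in the thread when the address re-enters traefik), deny
    instead of silently answering 200 for every request.
    """
    missing = [h for h in REQUIRED if h not in environ]
    if missing:
        return "403 Forbidden", [("X-Auth-Error", "missing " + ",".join(missing))]
    # The dump above shows X-Forwarded-Host set to the auth host itself;
    # only hosts this service is meant to protect are accepted.
    host = environ["HTTP_X_FORWARDED_HOST"].split(":")[0]
    if host not in ALLOWED_HOSTS:
        return "403 Forbidden", [("X-Auth-Error", "host not allowed")]
    cookie = SimpleCookie(environ.get("HTTP_COOKIE", ""))
    sid = cookie["session_id"].value if "session_id" in cookie else None
    user = VALID_SESSIONS.get(sid)
    if user is None:
        return "401 Unauthorized", []
    # Traefik copies back only the headers listed in authResponseHeaders.
    return "200 OK", [("X-Forwarded-User", user)]


def app(environ, start_response):
    status, headers = decide(environ)
    start_response(status, headers + [("Content-Length", "0")])
    return [b""]


if __name__ == "__main__":
    # Constructed port; point forwardauth.address at http://<container>:8080
    make_server("0.0.0.0", 8080, app).serve_forever()
```

Pointing the middleware at the service's Docker address, as the second post ended up doing, and watching for the 403 with X-Auth-Error makes the missing-header case visible instead of silently permissive.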