Traefik as reverse proxy handling authentication

Summary: How to remove Authorization header?

Grafana supports letting a reverse proxy handle authentication. On https://github.com/grafana/grafana/blob/master/docs/sources/auth/auth-proxy.md an example based on apache is mentioned.

As an experiment to get the same behavior from traefik, I set it up as an ingress controller in kubernetes and configured an ingress object with authentication:

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: grafana
  annotations:
    kubernetes.io/ingress.class: traefik
    ingress.kubernetes.io/auth-type: "basic"
    ingress.kubernetes.io/auth-secret: "httpauth"
spec:
  rules:
  - host: grafana.my.domain
    http:
      paths:
      - backend:
          serviceName: grafana
          servicePort: http

This works fine. The user is authenticated by traefik and the request is forwarded to grafana. However, the user information seems to be missing in the forwarded request:

$ curl -i http://grafana.my.domain/api/users
HTTP/1.1 401 Unauthorized
Content-Type: text/plain
Www-Authenticate: Basic realm="traefik"
Date: Thu, 18 Jul 2019 05:50:40 GMT
Content-Length: 17

401 Unauthorized
$ curl -i -u u:p http://grafana.my.domain/api/users
HTTP/1.1 401 Unauthorized
Cache-Control: no-cache
Content-Length: 31
Content-Type: application/json; charset=UTF-8
Date: Thu, 18 Jul 2019 05:49:01 GMT
Expires: -1
Pragma: no-cache
X-Frame-Options: deny

{"message":"Basic auth failed"}
$

The JSON response indicates it comes from Grafana.

Looking inside traefik debug log:

time="2019-07-18T06:37:28Z" level=debug msg="vulcand/oxy/forward: completed ServeHttp on request" Request="{\"Method\":\"GET\",\"URL\":{\"Scheme\":\"http\",\"Opaque\":\"\",\"User\":null,\"Host\":\"10.244.2.8:3000\",\"Path\":\"\",\"RawPath\":\"\",\"ForceQuery\":false,\"RawQuery\":\"\",\"Fragment\":\"\"},\"Proto\":\"HTTP/1.1\",\"ProtoMajor\":1,\"ProtoMinor\":1,\"Header\":{\"Accept\":[\"*/*\"],\"Authorization\":[\"Basic dTpw\"],\"User-Agent\":[\"curl/7.54.0\"],\"X-WebAuth-User\":[\"u\"]},\"ContentLength\":0,\"TransferEncoding\":null,\"Host\":\"grafana.my.domain\",\"Form\":null,\"PostForm\":null,\"MultipartForm\":null,\"Trailer\":null,\"RemoteAddr\":\"127.0.0.1:53500\",\"RequestURI\":\"/\",\"TLS\":null}"

The specific problem appears to be that the Authorization header is passed through, which makes Grafana perform authorization one more time, instead of trusting traefik. Indeed the apache example solves this with the "RequestHeader unset Authorization" configuration. How can the same be done in traefik?

Hello @sauber,

from the documentation:
(https://docs.traefik.io/v1.7/configuration/backends/kubernetes/#authentication)

you can set
ingress.kubernetes.io/auth-remove-header: true

to remove the authentication header.

Please let us know if this works for you!

This is indeed the solution to what I asked for. Thank you.

It turned out that my understanding of the problem was not correct. For the record, Grafana must be configured with

[auth.basic]
enabled = false
[auth.proxy]
enabled = true

to accept users authenticated by the reverse proxy. If the Authorization header is missing, then a login form is displayed. Keeping the Authorization header is actually necessary for requests to pass through without a second authorization.

My apologies for missing the documentation and raising the issue on the wrong forum.
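
Added example, not part of any post in this thread: a small Python check that reads a traefik debug line of the shape quoted in the question and reports which identity headers were forwarded to the backend, which is how you would confirm whether auth-remove-header took effect. The sample line is constructed from the thread's log (shortened), the function names are hypothetical, and it assumes the Request field is a Go-quoted string that is also valid as a JSON string.

```python
import base64
import json
import re

# Constructed sample: the debug line quoted in the thread, shortened to the
# fields used here. "dTpw" is the thread's own test credential "u:p".
SAMPLE = (
    'time="2019-07-18T06:37:28Z" level=debug '
    'msg="vulcand/oxy/forward: completed ServeHttp on request" '
    'Request="{\\"Method\\":\\"GET\\",\\"Header\\":{\\"Accept\\":[\\"*/*\\"],'
    '\\"Authorization\\":[\\"Basic dTpw\\"],\\"X-WebAuth-User\\":[\\"u\\"]},'
    '\\"Host\\":\\"grafana.my.domain\\"}"'
)

# A quoted log value: everything up to the first quote not preceded by a backslash.
REQUEST_FIELD = re.compile(r'Request="((?:[^"\\]|\\.)*)"')


def forwarded_request(line):
    """Return the request dict embedded in a traefik debug line, or None."""
    m = REQUEST_FIELD.search(line)
    if not m:
        return None
    # Assumption: the quoted value unescapes like a JSON string. The first
    # loads() undoes the log quoting, the second parses the request itself.
    return json.loads(json.loads('"' + m.group(1) + '"'))


def auth_summary(line):
    """Report which identity headers reached the backend, never the password."""
    req = forwarded_request(line)
    if req is None:
        return None
    headers = {k.lower(): v for k, v in req.get("Header", {}).items()}
    summary = {"authorization_forwarded": False, "basic_user": None,
               "proxy_user": (headers.get("x-webauth-user") or [None])[0]}
    for value in headers.get("authorization", []):
        summary["authorization_forwarded"] = True
        scheme, _, token = value.partition(" ")
        if scheme.lower() == "basic":
            try:
                decoded = base64.b64decode(token, validate=True).decode("utf-8")
            except (ValueError, UnicodeDecodeError):
                continue  # malformed credential: forwarded, but no user name
            summary["basic_user"] = decoded.partition(":")[0]
    return summary
```

Run over the debug log before and after changing the ingress annotations, authorization_forwarded shows whether the backend still receives the client's credential alongside X-WebAuth-User.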