Traefik 1.7 Docker Spring Boot
I need to use the auth forwarding capabilities of Traefik.
My auth endpoint is exposed by a Spring Boot component behind Traefik and is exposed as "backend-authentication" with URI "http://123.1.23.5:8081" in the Traefik Dashboard.
In my configuration, Traefik routes everything from "http://api-dev.mycompany.com" to backends API using "PathPrefix" rules. Therefore my authentication component is available as "http://api-dev.mycompany.com/authentication".
When I do auth forwarding like this:

    [entryPoints]
      [entryPoints.https]
      address = ":443"
        [entryPoints.https.auth.forward]
        address = "http://api-dev.mycompany.com/commerce/authentication/v1/ldap/auth"
        trustForwardHeader = true
        authResponseHeaders = ["Authorization"]

Traefik goes through an endless forwarding loop.
When I use the following configuration it is working as wanted:

    [entryPoints]
      [entryPoints.https]
      address = ":443"
        [entryPoints.https.auth.forward]
        address = "http://123.1.23.5:8081/commerce/authentication/v1/ldap/auth"
        trustForwardHeader = true
        authResponseHeaders = ["Authorization"]

I would like to use a service name related to the backend-authentication as seen in Traefik dashboard but when I try that configuration:

    [entryPoints]
      [entryPoints.https]
      address = ":443"
        [entryPoints.https.auth.forward]
        address = "http://backend-authentication/commerce/authentication/v1/ldap/auth"
        trustForwardHeader = true
        authResponseHeaders = ["Authorization"]

I ran into error 500.
I do need the capability to use a logical name and not an IP, as they are subject to change.
I cannot run the component on another port or another network... Any idea would be appreciated.
Maybe you could upgrade to v2, it's a bit more clear there:
In Traefik v2 according to the docs you have to use forwardAuth as a middleware. You have to create a router like this:

    ## Dynamic configuration
    [http.routers]
      # name it auth-router or whatever
      [http.routers.my-router]
        rule = "Path(`/foo`)"
        # declared in next code block
        middlewares = ["test-auth"]
        # probably your "backend-authentication"
        service = "youre-service-docker-or-file"

Where your middleware is:

    # Forward authentication to authserver.com
    [http.middlewares]
      [http.middlewares.test-auth.forwardAuth]
        # Your auth server here
        address = "https://authserver.com/auth"

Optionally, looking at the v1.7 docs, can you set

    authResponseHeaders = ["X-Auth-User", "X-Secret"]

below the entrypoints, and maybe try adding some trusted IPs:

    [entryPoints]
      [entryPoints.http]
      address = ":80"
        # Enable Forwarded Headers
        [entryPoints.http.forwardedHeaders]
          # List of trusted IPs
          #
          # Required
          # Default: []
          #
          trustedIPs = ["127.0.0.1/32", "192.168.1.7"]
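
An added example, not part of the question or the answer above: a Traefik v2 dynamic configuration in which the authentication route carries no forwardAuth middleware and the middleware calls the auth container directly by name, the same arrangement as the IP-based v1.7 configuration that worked. The host name `authentication` (assumed to be a Docker network alias resolvable from the Traefik container), `api-backend`, port 8080, and all router, service and middleware names are assumptions.

```toml
# Added example: Traefik v2 dynamic configuration (file provider).
# Assumed names: "authentication" (Docker network alias of the auth container),
# "api-backend", port 8080, and every router/service/middleware name below.

[http.routers]
  # Auth endpoints: no forwardAuth middleware here, so a client can reach
  # the login API without already holding a valid Authorization header.
  [http.routers.auth-router]
    rule = "Host(`api-dev.mycompany.com`) && PathPrefix(`/commerce/authentication`)"
    priority = 100
    service = "authentication-svc"

  # Everything else on the host is checked by the auth service first.
  [http.routers.api-router]
    rule = "Host(`api-dev.mycompany.com`)"
    priority = 10
    middlewares = ["ldap-auth"]
    service = "api-svc"

[http.middlewares]
  [http.middlewares.ldap-auth.forwardAuth]
    # Direct container address, not the public host name that Traefik routes,
    # so the auth check is never sent back through a protected router.
    address = "http://authentication:8081/commerce/authentication/v1/ldap/auth"
    # false: Traefik sets the X-Forwarded-* headers itself instead of
    # trusting the ones sent by the client.
    trustForwardHeader = false
    authResponseHeaders = ["Authorization"]

[http.services]
  [http.services.authentication-svc.loadBalancer]
    [[http.services.authentication-svc.loadBalancer.servers]]
      url = "http://authentication:8081"
  [http.services.api-svc.loadBalancer]
    [[http.services.api-svc.loadBalancer.servers]]
      url = "http://api-backend:8080"
```

The backend name shown in the Traefik dashboard is a Traefik-internal label; the forward address has to be a host name the Traefik process can actually resolve, such as a container name or alias on a shared Docker network.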