how to do auth forwarding to backend entry in Traefik 1.7


Traefik 1.7 Docker Spring Boot

I need to use the auth forwarding capabilities of Traefik.

My auth endpoint is exposed by a Spring Boot component behind Traefik and appears as "backend-authentication" with URI "http://123.1.23.5:8081" in the Traefik dashboard.

In my configuration, Traefik routes everything from "http://api-dev.mycompany.com" to the backend APIs using "PathPrefix" rules. Therefore my authentication component is available as "http://api-dev.mycompany.com/authentication".

When I do auth forwarding like this:

[entryPoints]
    [entryPoints.https]
        address = ":443"
        [entryPoints.https.auth.forward]
            address = "http://api-dev.mycompany.com/commerce/authentication/v1/ldap/auth"
            trustForwardHeader = true
            authResponseHeaders = ["Authorization"]

Traefik goes into an endless forwarding loop.

When I use the following configuration it is working as wanted:

[entryPoints]
    [entryPoints.https]
        address = ":443"
        [entryPoints.https.auth.forward]
            address = "http://123.1.23.5:8081/commerce/authentication/v1/ldap/auth"
            trustForwardHeader = true
            authResponseHeaders = ["Authorization"]

I would like to use a service name related to backend-authentication as seen in the Traefik dashboard, but when I try that configuration:

[entryPoints]
    [entryPoints.https]
        address = ":443"
        [entryPoints.https.auth.forward]
            address = "http://backend-authentication/commerce/authentication/v1/ldap/auth"
            trustForwardHeader = true
            authResponseHeaders = ["Authorization"]

I ran into an error 500.

I do need the capability to use a logical name and not an IP, as the IPs are subject to change.

I cannot run the component on another port or another network... Any idea would be appreciated.


Solution

  • Maybe you could upgrade to v2, it's a bit clearer there:

    In Traefik v2, according to the docs, you have to use forwardAuth as a middleware. You have to create a router like this:

    ## Dynamic configuration
    [http.routers]
      [http.routers.my-router]  # name it auth-router or whatever
        rule = "Path(`/foo`)"
        # declared in next code block
        middlewares = ["test-auth"]
        service = "your-service-docker-or-file"  # probably your "backend-authentication"
    

    Where your middleware is:

    # Forward authentication to authserver.com
    [http.middlewares]
      [http.middlewares.test-auth.forwardAuth]
        address = "https://authserver.com/auth"  # your auth server here
    

    Optionally, looking at the v1.7 docs, you could set

    authResponseHeaders = ["X-Auth-User", "X-Secret"]
    

    below the entrypoints, and maybe try adding some trusted IPs:

    [entryPoints]
      [entryPoints.http]
        address = ":80"
    
        # Enable Forwarded Headers
        [entryPoints.http.forwardedHeaders]
          # List of trusted IPs
          #
          # Required
          # Default: []
          #
          trustedIPs = ["127.0.0.1/32", "192.168.1.7"]
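
The forward-auth contract that both the v1.7 entrypoint configuration and the v2 middleware rely on is the same: Traefik sends the incoming request's headers (plus the X-Forwarded-* headers describing the original request) to the auth address; a 2xx answer lets the request through and copies only the headers named in authResponseHeaders onto the request sent to the backend; any other status sends the auth server's own response back to the client. The following Python model is an added example and is not code from the question, the answer or the Traefik project. It assumes a hypothetical auth endpoint that checks HTTP Basic credentials against a constructed user table (standing in for the LDAP lookup the question mentions) and answers with a bearer token in the Authorization header, so that the backend only ever sees the token, never the user's password.

```python
import base64
import hashlib
import hmac
from typing import Dict, Optional, Tuple

# Constructed sample data (assumptions, not from the post): a tiny user
# table standing in for the LDAP directory, and a key for the demo token
# the auth endpoint hands back. Neither is suitable for real use.
USERS = {"alice": "correct-horse"}
TOKEN_KEY = b"constructed-demo-key"


def _header(headers: Dict[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def basic_credentials(user: str, password: str) -> str:
    """Build an HTTP Basic Authorization header value for a client request."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def auth_endpoint(headers: Dict[str, str]) -> Tuple[int, Dict[str, str], str]:
    """Hypothetical auth service behind the forward-auth address.
    Returns (status, headers, body). On valid credentials it answers 200 and
    sets Authorization to a bearer token for the backend; otherwise 401."""
    value = _header(headers, "Authorization") or ""
    if value.startswith("Basic "):
        try:
            user, _, password = base64.b64decode(value[6:]).decode().partition(":")
        except (ValueError, UnicodeDecodeError):
            user, password = "", ""
        expected = USERS.get(user)
        # constant-time comparison so timing does not leak the password
        if expected is not None and hmac.compare_digest(expected.encode(), password.encode()):
            token = hmac.new(TOKEN_KEY, user.encode(), hashlib.sha256).hexdigest()
            return 200, {"Authorization": f"Bearer {token}", "X-Auth-User": user}, ""
    return 401, {"WWW-Authenticate": 'Basic realm="api"'}, "unauthorized\n"


def forward_auth(method: str, proto: str, host: str, uri: str, client_ip: str,
                 client_headers: Dict[str, str], auth_response_headers) -> dict:
    """Model of Traefik's forward-auth step (the v2 X-Forwarded-* names are used).
    2xx from the auth server: forward to the backend, copying only the headers
    listed in auth_response_headers. Anything else: relay the auth server's
    response to the client and never touch the backend."""
    auth_request = dict(client_headers)
    auth_request.update({
        "X-Forwarded-Method": method,
        "X-Forwarded-Proto": proto,
        "X-Forwarded-Host": host,
        "X-Forwarded-Uri": uri,
        "X-Forwarded-For": client_ip,
    })
    status, resp_headers, body = auth_endpoint(auth_request)
    if 200 <= status < 300:
        upstream = dict(client_headers)
        for name in auth_response_headers:
            value = _header(resp_headers, name)
            if value is None:
                continue
            # the auth server's value replaces whatever the client sent
            for key in [k for k in upstream if k.lower() == name.lower()]:
                del upstream[key]
            upstream[name] = value
        return {"action": "forward", "headers": upstream}
    return {"action": "reject", "status": status, "headers": resp_headers, "body": body}


if __name__ == "__main__":
    good = {"Authorization": basic_credentials("alice", "correct-horse")}
    print(forward_auth("GET", "https", "api-dev.mycompany.com", "/orders",
                       "203.0.113.9", good, ["Authorization"]))
    bad = {"Authorization": basic_credentials("alice", "wrong")}
    print(forward_auth("GET", "https", "api-dev.mycompany.com", "/orders",
                       "203.0.113.9", bad, ["Authorization"]))
```

Running it shows the two paths: with valid credentials the backend receives `Authorization: Bearer ...` in place of the Basic header, while `X-Auth-User` is dropped because it is not in `authResponseHeaders`; with bad credentials the client gets the auth server's 401 and the backend is never called. The same header allow-list is why the question's configuration names `Authorization` explicitly: without it, the token minted by the auth service would not reach the backend.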