I was sent over from here https://github.com/containous/traefik/issues/6263 by your advanced AI.
I have a Grafana instance and want to have all my local clients authenticated automatically as "Viewers", while requests from remote will have to authenticate at the Grafan login page.
Grafana supports this using the auth.proxy setting (details: https://grafana.com/docs/grafana/latest/auth/auth-proxy/) where it respects some header (X-WEBAUTH-USER) set by the reverse proxy and just trusts that the proxy has authenticated the user properly - a mechanisem also used by other apps, I guess, so Grafana is more meant as an example in this feature request.
With jwilder proxy, I used a custom nginx config, which worked fine for this:
set $grafana_user "";
if ($remote_addr ~ "^192.168.") {
set $grafana_user "viewer";
}
proxy_set_header X-WEBAUTH-USER $grafana_user;
This will also remove any "spoofed" X-WEBAUTH-USER headers, which may come from outside networks.
For Traefik 2.x I couldn't find any solution to accomplish this. For now, headers can only be set generally (https://docs.traefik.io/middlewares/headers/#adding-headers-to-the-request-and-the-response), but not depending on some condition like "remote-addr matches xy" or something, correct?