I'm looking for a simple way to manage authentication and authorisation with Traefik v2.
My idea is to use Forward Auth middleware, to set a header with the username (X-Auth-User) and use this header in my routing rules to authorize (or not) some services to some users. This would allow a very simple and powerful authorisation mechanism.
BUT the middlewares are executed before the rules, and then I cannot use the user (returned by the Forward-Auth middleware) in my rules.
Is there a workaround, or am I missing something?
I would like to suggest considering using a pre-routing approach. It will be easier to explain by referring to the example:
```yaml
# First IngressRoute: authentication only
- kind: Rule
  services:
    # Redirecting traffic back to Traefik to process limits
    - name: traefik-proxy-svc-internal
  middlewares:
    - name: forward-auth

# Second IngressRoute: per-user routing
- kind: Rule
  # Matching using HostHeader and the extracted X-Traefik-Username
  match: Host(`app.sie.demo.traefiklabs.tech`) && Headers(`X-Traefik-Username`, `testuser1`)
  services:
    - name: app-v1
  middlewares:
    - name: ratelimit-1
```
In that example, the first IngressRoute is responsible for just authenticating the user, then the request is being forwarded again to Traefik for further processing. Please note the service name
The second IngressRoute is used in the matching rule Headers to check the user name and add another middleware for that specific user, rate limit in that case.
That example does not match exactly the challenge you described but should give you an idea of how to create the final solution.
Hope that helps, let me know.
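
A fuller sketch of the two-pass setup described in the answer above, as an added example that is not the poster's or the Traefik project's own configuration. The auth service address, the entry point names `websecure` and `internal`, and the ports are assumptions, as is an existing `ratelimit-1` middleware; the second route is bound to an entry point assumed to be reachable only through the `traefik-proxy-svc-internal` Service, so the username header it matches on has passed through `forward-auth` first.

```yaml
# Added example. Names taken from the post: forward-auth, ratelimit-1, app-v1,
# traefik-proxy-svc-internal, X-Traefik-Username. Everything else is assumed.
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: forward-auth
spec:
  forwardAuth:
    address: http://auth-svc.default.svc:4181/verify  # assumed auth service
    authResponseHeaders:
      - X-Traefik-Username  # copied from the auth response onto the request;
                            # assumes the auth service sets it on every 2xx
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: app-authenticate
spec:
  entryPoints: [websecure]  # assumed public entry point
  routes:
    - kind: Rule
      match: Host(`app.sie.demo.traefiklabs.tech`)
      middlewares:
        - name: forward-auth
      services:
        - name: traefik-proxy-svc-internal  # Service pointing back at Traefik
          port: 8443                        # assumed port of the "internal" entry point
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: app-authorize
spec:
  entryPoints: [internal]  # assumed; must not be exposed outside the cluster
  routes:
    - kind: Rule
      match: Host(`app.sie.demo.traefiklabs.tech`) && Headers(`X-Traefik-Username`, `testuser1`)
      middlewares:
        - name: ratelimit-1
      services:
        - name: app-v1
          port: 80  # assumed
# No other router is attached to "internal", so a request carrying any other
# username matches nothing there and gets Traefik's default 404.
```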