Authentication & Authorization with Traefik v2

I'm looking for a simple way to manage authentication and authorisation with Traefik v2.
My idea is to use Forward Auth middleware, to set a header with the username (X-Auth-User) and use this header in my routing rules to authorize (or not) some services to some users. This would allow a very simple and powerful authorisation mechanism.
BUT the middlewares are executed before the rules, and then I cannot use the user (returned by the Forward-Auth middleware) in my rules.

Is there a workaround, or am I missing something?

Kind regards,

Sebastien

Hello Sebastien,

I would like to suggest considering a pre-routing approach; it will be easier to explain by referring to an example:

---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: app-tls
  namespace: app
spec:
  entryPoints:
    - websecure
  routes:
    - kind: Rule
      match: Host(`app.sie.demo.traefiklabs.tech`)
      services:
        # Redirecting traffic back to Traefik to process limits
        - name: traefik-proxy-svc-internal 
          namespace: traefikee
          port: 80
      middlewares:
        - name: forward-auth
  tls:
    certResolver: default

---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: app-tls-test-user-1
  namespace: app
spec:
  entryPoints:
    - web
  routes:
    - kind: Rule
      # Matching using HostHeader and the extracted X-Traefik-Username
      match: Host(`app.sie.demo.traefiklabs.tech`) && Headers(`X-Traefik-Username`, `testuser1`)
      services:
        - name: app-v1
          namespace: app
          port: 80
      middlewares:
        - name: ratelimit-1

In that example, the first IngressRoute is responsible for just authenticating the user; then the request is forwarded again to Traefik for further processing. Please note the service name traefik-proxy-svc-internal.
The second IngressRoute uses the Headers matching rule to check the user name and adds another middleware for that specific user, a rate limit in that case.

That example does not match exactly the challenge you described but should give you an idea of how to create the final solution.

Hope that helps, let me know.

Cheers! Jakub
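
The pieces the example above leaves out, as an added sketch that is not part of either post or of Traefik's own documentation: a definition for the forward-auth middleware that puts X-Traefik-Username on the request, and a second-pass route that authorizes by user rather than rate limiting. The auth service address, the route name, the /admin path and the app-admin service are assumptions made for illustration.

```yaml
---
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: forward-auth
  namespace: app
spec:
  forwardAuth:
    # Placeholder address of the external authentication service (assumption).
    address: http://auth.example.internal/verify
    # Copy the identity header from the auth server's response onto the
    # forwarded request, replacing any conflicting header already present.
    authResponseHeaders:
      - X-Traefik-Username

---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: app-tls-admin-users        # hypothetical name
  namespace: app
spec:
  entryPoints:
    # Second pass. This route takes X-Traefik-Username at face value, so the
    # `web` entrypoint should only receive traffic that came through
    # traefik-proxy-svc-internal (already authenticated), never direct
    # client traffic.
    - web
  routes:
    - kind: Rule
      # Authorization: only the listed users are routed to this service.
      match: Host(`app.sie.demo.traefiklabs.tech`) && PathPrefix(`/admin`) && HeadersRegexp(`X-Traefik-Username`, `^(testuser1|testuser2)$`)
      services:
        - name: app-admin          # hypothetical service
          namespace: app
          port: 80
```

An authenticated request whose user name matches no second-pass rule finds no router on `web` and gets Traefik's 404 response.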