Chain middleware forward auth failover

Hello,

First time posting here.

We have a middleware server which we forward requests to for authentication/authorization (authelia). We have no issues with the setup. We desire to have a secondary authelia server for backup purposes, but it would be convenient for traefik to automatically forward authentication to the active server, whether that be the primary or the secondary.

My understanding is that chain middleware is serial, meaning after it finishes a group, it will go to the next. I also saw circuitbreaker but not sure if that would accomplish what I'm looking for.

Below is my config with both authelia/authelia2 middlewares.

http:
  middlewares:
    authelia:
      forwardAuth:
        address: "http://login.domain.net:9091/api/verify?rd=https://login.domain.net"
        trustForwardHeader: true
        authResponseHeaders:
          - "Remote-User"
          - "Remote-Groups"
          - "Remote-Email"
          - "Remote-Name"
        tls:
          ca: "/opt/certs_repo/certs/domain.net.ca-bundle"
          cert: "/opt/certs_repo/certs/server.crt"
          key: "/opt/certs_repo/certs/server.key"
    authelia2:
      forwardAuth:
        address: "http://login2.domain.net:9091/api/verify?rd=https://login2.domain.net"
        trustForwardHeader: true
        authResponseHeaders:
          - "Remote-User"
          - "Remote-Groups"
          - "Remote-Email"
          - "Remote-Name"
        tls:
          ca: "/opt/certs_repo/certs/domain.net.ca-bundle"
          cert: "/opt/certs_repo/certs/server.crt"
          key: "/opt/certs_repo/certs/server.key"
    authelia-chain:
      chain:
        middlewares:
          - authelia@file
          - authelia2@file
  routers:
    grafana-http:
      rule: 'Host(`grafana.domain.net`)'
      entryPoints:
        - http-insecure
      service: grafana
      middlewares:
        - https-redirect
    grafana-https:
      rule: 'Host(`grafana.domain.net`)'
      entryPoints:
        - https-secure
      service: grafana
      middlewares:
        - authelia-chain@file
        - headers-chain@file
      tls:
        domains:
          - main: "domain.net"
            sans:
              - "*.domain.net"
  services:
    grafana:
      loadBalancer:
        servers:
          - url: "http://127.0.0.1:3000"

With the above, a user MUST log in to both middlewares before accessing the service. It would be nice if it were authelia middleware else authelia2 middleware.

Is this even possible?

Hope I was clear.
Any input is much appreciated.

Best,
Dave
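One way to get the "first on the list, else second" behaviour the post asks for is to stop pointing `forwardAuth` at a single Authelia host and instead point it at a Traefik router whose service load-balances the two Authelia instances with an active health check. This is an added example, not part of the original post or of Traefik's or Authelia's own documentation: the hostname `auth-lb.domain.net`, the service/middleware names `authelia-lb` and `authelia-ha`, and the `/api/health` probe path are assumptions; the certificate paths and entry point names are taken from the config above.

```yaml
# Added example (not the poster's config). Dynamic configuration for the file provider.
http:
  routers:
    # Internal router that only exists so forwardAuth has one stable URL to call.
    # auth-lb.domain.net is a hypothetical name that should resolve to Traefik itself.
    authelia-lb:
      rule: 'Host(`auth-lb.domain.net`)'
      entryPoints:
        - https-secure
      service: authelia-lb
      tls: {}

  services:
    authelia-lb:
      loadBalancer:
        # Primary first, backup second. Traefik round-robins over HEALTHY servers only,
        # so once login.domain.net fails its probe, every verify call goes to login2.
        servers:
          - url: "http://login.domain.net:9091"
          - url: "http://login2.domain.net:9091"
        healthCheck:
          path: /api/health      # assumed Authelia health endpoint
          interval: "10s"
          timeout: "3s"

  middlewares:
    # Drop-in replacement for the authelia / authelia2 / authelia-chain trio:
    # one forwardAuth whose address is the load-balanced router above.
    authelia-ha:
      forwardAuth:
        address: "https://auth-lb.domain.net/api/verify?rd=https://login.domain.net"
        trustForwardHeader: true
        authResponseHeaders:
          - "Remote-User"
          - "Remote-Groups"
          - "Remote-Email"
          - "Remote-Name"
        tls:
          ca: "/opt/certs_repo/certs/domain.net.ca-bundle"
          cert: "/opt/certs_repo/certs/server.crt"
          key: "/opt/certs_repo/certs/server.key"

  # The grafana-https router from the post would then reference authelia-ha@file
  # instead of authelia-chain@file.
```

Two things have to hold for this to be safe rather than merely available. First, the extra hop through Traefik's own entry point rewrites the `X-Forwarded-*` headers that Authelia uses to decide where to redirect; the `https-secure` entry point's static config needs `forwardedHeaders.trustedIPs` to include Traefik's own address so the original headers survive the second pass. Second, both Authelia instances must share session storage and the same secrets (session, JWT, encryption), otherwise a session issued by the primary is rejected by the backup and users are forced to log in again during a failover. The static `rd=https://login.domain.net` also still sends unauthenticated users to the primary's login page; if the primary is the one that is down, that redirect needs its own fallback.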

Interesting problem. The challenge is how do you determine which one to use? My first thought was that when using Docker (Swarm), you could just set up 2 replicas and Traefik would connect to one via the Docker internal DNS. If one fails or it's unhealthy, it's removed from DNS.

Thank you for replying.

We don't use Docker Swarm, so not sure how that would work.

Our authelia servers are on docker but on two geographical locations (main TER/ backup TER).

But knowing which one to hit would be a top-down approach:
hit the first on the list; if it's down, hit the second.

But I'm just stating what we need, not what traefik can or cannot do.

This sounds like what I'm looking for, but the issue has been open for a few years now…