Forward auth exceptions for sub-directory domains for docker backends

Does anyone know if it's possible to have a forward auth server for a domain (https://example.domain.com) but not have authentication required for an API on the same domain (https://example.domain.com/api/)?

I currently have an app frontend behind Google auth for web access but the app also has an API that is accessible through a token except

traefik.frontend.auth.forward.address

obviously puts auth on the entire domain and all sub-pages.

Any help would be appreciated.

@saltystew94,

You can create two frontends, one with auth, and the other without.

Make sure the one without only matches on /api, and give it a higher priority, so it matches first.

That will allow you to access the api without auth.

When you say two frontends do you mean have two frontend.rule entries on the container as shown below?

 traefik.ui.frontend.rule=Host:example.domain.com
 traefik.ui.frontend.auth.forward.address=http://traefik-forward-auth:4181
 traefik.ui.frontend.priority=10
 traefik.api.frontend.rule=Host:example.domain.com;Path:/api
 traefik.api.frontend.priority=5

Yes, you have to use segments to provide different middleware to different frontends.

(https://docs.traefik.io/v1.7/configuration/backends/docker/#on-containers-with-multiple-ports-segment-labels)

In your case, you would want 2 segments, one matching api, one not. The segment priorities can be set independently.

Of note, you can use the same port (e.g. 80) for multiple segments.

I seem to be missing something because although I can get to example.domain.com behind the auth and I still get 401 if I visit the normal site, example.domain.com/api also still shows 401.

This is what I'm using for one container that I need api access from, am I missing something?

traefik.ui.backend=app_name
traefik.ui.frontend.rule=Host:example.domain.com
traefik.api.frontend.priority=10
traefik.api.weight=5
traefik.ui.frontend.auth.forward.address=http://traefik-forward-auth:4181
traefik.ui.frontend.auth.forward.trustForwardHeader=true
traefik.ui.protocol=http
traefik.ui.port=8181
traefik.ui.docker.network=external
traefik.ui.domain=domain. com
traefik.api.backend=app_name
traefik.api.frontend.rule=Host:example.domain.com;Path:/api
traefik.api.frontend.priority=5
traefik.api.weight=10
traefik.api.protocol=http
traefik.api.port=8181
traefik.api.docker.network=external
traefik.api.domain=domain. com

If I open the app on a local browser and go to http://localhost:8181/api I can see the api fine from there.

I had to put spaces in the links else it wouldn't let me post.

Thanks for the quick responses so far.

Hello @saltystew94,

You have a bunch of unneeded labels.

Try this:

traefik.ui.frontend.rule=Host:example.domain.com
traefik.ui.frontend.priority=10
traefik.ui.frontend.auth.forward.address=http://traefik-forward-auth:4181
traefik.ui.frontend.auth.forward.trustForwardHeader=true
traefik.ui.port=8181
traefik.api.frontend.rule=Host:example.domain.com;Path:/api
traefik.api.frontend.priority=100
traefik.api.port=8181
traefik.docker.network=external

Note that the traefik.docker.network is not segmented, and that priorities are handled explicitly (aka 100 is matched before 10).

My mistake, I guess the issue would've been the docker.network at the least then.

It's working well now, I really do appreciate the help!

Hey,

The rules are working great except I've noticed that if I wanted to access example .domain .com/api/example then it still gets blocked, is there a way to allow any sites below /api?

Thanks

Hello @saltystew94, use the PathPrefix rule instead of Path, as Path is an exact match, and the other is a prefix matcher.
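
The routing discussed in this thread, as an added example that is not part of the original posts and is not Traefik's own code: a simplified Python model of the two segments that reports which request paths skip forward auth under `Path:/api`, `PathPrefix:/api`, and a tighter `PathPrefix:/api/`. It assumes explicit priorities only (higher value tried first) and that `PathPrefix` is a plain string-prefix match; the function names, the sample paths and the `PathPrefix:/api/` variant are constructed for illustration.

```python
# Simplified model of Traefik v1.7 frontend matching (assumption: explicit
# priorities only, higher value tried first; PathPrefix is a plain string prefix).
HOST = "example.domain.com"
SAMPLE_PATHS = ["/", "/api", "/api/example", "/apidocs", "/settings"]  # constructed

def build_frontends(api_path_matcher):
    """Return the two segments from the thread, with the given api path matcher."""
    return [
        {"name": "ui", "rule": f"Host:{HOST}", "priority": 10, "forward_auth": True},
        {"name": "api", "rule": f"Host:{HOST};{api_path_matcher}",
         "priority": 100, "forward_auth": False},
    ]

def matcher_ok(matcher, host, path):
    """Evaluate one 'Kind:value[,value]' matcher against a request."""
    kind, _, raw = matcher.partition(":")
    values = [v.strip() for v in raw.split(",")]
    if kind == "Host":
        return host.lower() in [v.lower() for v in values]
    if kind == "Path":
        return path in values          # exact match only
    if kind == "PathPrefix":
        return any(path.startswith(v) for v in values)
    raise ValueError(f"matcher not modelled: {kind}")

def route(frontends, host, path):
    """Pick the highest-priority frontend whose ';'-joined matchers all hold."""
    for fe in sorted(frontends, key=lambda f: f["priority"], reverse=True):
        if all(matcher_ok(m, host, path) for m in fe["rule"].split(";")):
            return fe
    return None

def unauthenticated_paths(frontends, host=HOST, paths=SAMPLE_PATHS):
    """List the sample paths that reach the backend without forward auth."""
    hits = []
    for p in paths:
        fe = route(frontends, host, p)
        if fe is not None and not fe["forward_auth"]:
            hits.append(p)
    return hits

if __name__ == "__main__":
    for matcher in ("Path:/api", "PathPrefix:/api", "PathPrefix:/api/"):
        print(f"{matcher:18} -> {unauthenticated_paths(build_frontends(matcher))}")
```

In this model `/apidocs` also skips forward auth under `PathPrefix:/api`, so every path under the unauthenticated segment depends on the application's own token check.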