I had an issue with forwardAuth not working and wanted to implement a service using our own application server as the authentication service instead of the Google auth service.
I'm configuring Traefik with those 3 labels:

- traefik.http.routers.my_app.rule = Host(`app.example.com`)
- traefik.http.middlewares.auth.forwardauth.address = https://auth.example.com/web/forward_auth
- traefik.http.middlewares.auth.forwardauth.trustForwardHeader = true
- traefik.http.routers.my_app.middlewares = auth@docker
So far so good: when I access my router I do get inside my auth service at the right URL, but... there's the thing I'm not exactly sure I understand.
```
{
    'wsgi.version': (1, 0),
    'wsgi.url_scheme': 'https',
    'wsgi.input': <_io.BufferedReader name=12>,
    'wsgi.errors': <_io.TextIOWrapper name='<stderr>' mode='w' encoding='UTF-8'>,
    'wsgi.multithread': False,
    'wsgi.multiprocess': False,
    'wsgi.run_once': False,
    'werkzeug.server.shutdown': <function WSGIRequestHandler.make_environ.<locals>.shutdown_server at 0x7fe5111799d8>,
    'SERVER_SOFTWARE': 'Werkzeug/0.16.0',
    'REQUEST_METHOD': 'GET',
    'SCRIPT_NAME': '',
    'PATH_INFO': '/web/forward_auth',
    'QUERY_STRING': '',
    'REQUEST_URI': '/web/forward_auth',
    'RAW_URI': '/web/forward_auth',
    'REMOTE_ADDR': '172.18.0.1',
    'REMOTE_PORT': 60002,
    'SERVER_NAME': '127.0.0.1',
    'SERVER_PORT': '35127',
    'SERVER_PROTOCOL': 'HTTP/1.1',
    'HTTP_HOST': 'auth.example.com',
    'HTTP_USER_AGENT': 'Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:70.0) Gecko/20100101 Firefox/70.0',
    'HTTP_ACCEPT': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
    'HTTP_ACCEPT_ENCODING': 'gzip, deflate, br',
    'HTTP_ACCEPT_LANGUAGE': 'en-US,en;q=0.5',
    'HTTP_COOKIE': 'session_id=876876876',
    'HTTP_UPGRADE_INSECURE_REQUESTS': '1',
    'HTTP_X_FORWARDED_FOR': '172.18.0.1',
    'HTTP_X_FORWARDED_HOST': 'auth.example.com',
    'HTTP_X_FORWARDED_PORT': '443',
    'HTTP_X_FORWARDED_PROTO': 'https',
    'HTTP_X_FORWARDED_SERVER': 'proxy.example.com',
    'HTTP_X_REAL_IP': '172.18.0.1',
    'werkzeug.proxy_fix.orig': {
        'REMOTE_ADDR': '10.0.0.21',
        'wsgi.url_scheme': 'http',
        'HTTP_HOST': 'auth.example.com',
        'SERVER_NAME': '127.0.0.1',
        'SERVER_PORT': '35127',
        'SCRIPT_NAME': ''},
    'werkzeug.proxy_fix.orig_remote_addr': '10.0.0.21',
    'werkzeug.proxy_fix.orig_wsgi_url_scheme': 'http',
    'werkzeug.proxy_fix.orig_http_host': 'auth.example.com',
    'werkzeug.request': <Request 'https://dockydoo.odoo.plus/web/forward_auth' [GET]>
}
```
So here's the problem: it seems that the request goes into Traefik, goes through the middleware up to the auth.example.com server, but when the request is made, I have absolutely no information regarding the initial request being forwarded from app.example.com.
Is there a way to check whether it's my service that somehow strips the request headers and keeps only one of them instead of keeping all the possible HTTP_X_FORWARDED_* headers?
My guess is that Traefik makes the request through the load balancer, it re-enters Traefik, and as Traefik is running as a proxy it overrides HTTP_X_FORWARDED_HOST and sets the new one instead.
Is that what's happening? I see there's a configuration option named PassHostHeader and was wondering if it could be used in combination with the /auth rule to prevent overriding it.
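As an added example (not code from the post above, nor Traefik's or Odoo's own code), here is a minimal forwardAuth endpoint written as a plain WSGI app with only the standard library. It shows the two things a forward-auth service needs from the dump above: the original request is described by the X-Forwarded-Host / X-Forwarded-Uri / X-Forwarded-Proto headers that Traefik sets on the forwardAuth call, and, because `trustForwardHeader = true` makes Traefik pass client-supplied X-Forwarded-* headers through, those headers must only be believed when the call comes from the proxy itself. It also reads the pre-ProxyFix peer address from `werkzeug.proxy_fix.orig_remote_addr` when present, since ProxyFix has already replaced REMOTE_ADDR with the X-Forwarded-For value in the dump. The session table, the allowed application host, the trusted proxy network (172.18.0.0/16) and the login URL are constructed assumptions, not values from the post.

```python
"""Added example: a minimal forwardAuth endpoint as a plain WSGI app (stdlib only).

Not code from the original post. The session table, allowed hosts, trusted
proxy network and login URL below are constructed assumptions.
"""
from http.cookies import SimpleCookie
from ipaddress import ip_address, ip_network
from urllib.parse import quote

# Constructed sample data (assumptions, not from the post).
SESSIONS = {"876876876": "alice"}                 # session_id cookie -> user
ALLOWED_HOSTS = {"app.example.com"}               # hosts this service may vouch for
TRUSTED_PROXIES = [ip_network("172.18.0.0/16")]   # assumed Traefik container network
LOGIN_URL = "https://auth.example.com/web/login"  # assumed login page


def _peer_address(environ):
    """The address that actually connected to us. If werkzeug's ProxyFix ran
    first it stored the real peer under werkzeug.proxy_fix.orig_remote_addr
    and put the X-Forwarded-For value into REMOTE_ADDR."""
    return environ.get("werkzeug.proxy_fix.orig_remote_addr") or environ.get("REMOTE_ADDR", "")


def _from_trusted_proxy(environ):
    """Only the proxy may set X-Forwarded-*; with trustForwardHeader=true Traefik
    passes client-supplied values through, so the peer address must be checked."""
    try:
        addr = ip_address(_peer_address(environ))
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_PROXIES)


def _session_user(environ):
    """Look up the user behind the session_id cookie, or None."""
    jar = SimpleCookie()
    jar.load(environ.get("HTTP_COOKIE", ""))
    morsel = jar.get("session_id")
    return SESSIONS.get(morsel.value) if morsel else None


def decide(environ):
    """Return (status, extra_headers) for the original request that Traefik
    describes through X-Forwarded-Host / -Uri / -Proto on the forwardAuth call.
    A 2xx lets the request through; any other response goes back to the client."""
    if not _from_trusted_proxy(environ):
        return "403 Forbidden", []
    host = environ.get("HTTP_X_FORWARDED_HOST", "")
    uri = environ.get("HTTP_X_FORWARDED_URI", "/")
    proto = environ.get("HTTP_X_FORWARDED_PROTO", "")
    # Refuse to vouch for hosts we do not know, or for plaintext requests.
    if host not in ALLOWED_HOSTS or proto != "https":
        return "403 Forbidden", []
    user = _session_user(environ)
    if user is None:
        target = quote(f"https://{host}{uri}", safe="")
        return "302 Found", [("Location", f"{LOGIN_URL}?redirect={target}")]
    # Headers listed in Traefik's authResponseHeaders are copied to the backend.
    return "200 OK", [("X-Auth-User", user)]


def forward_auth_app(environ, start_response):
    """WSGI entry point; mount it at /web/forward_auth."""
    status, headers = decide(environ)
    start_response(status, headers + [("Content-Type", "text/plain")])
    return [status.encode("ascii")]


def forwarded_environ(remote_addr, host, uri="/", proto="https", cookie="", orig_addr=None):
    """Build the subset of a WSGI environ that matters here (constructed input)."""
    environ = {
        "REMOTE_ADDR": remote_addr,
        "HTTP_X_FORWARDED_HOST": host,
        "HTTP_X_FORWARDED_URI": uri,
        "HTTP_X_FORWARDED_PROTO": proto,
        "HTTP_COOKIE": cookie,
    }
    if orig_addr is not None:  # simulate ProxyFix having already run
        environ["werkzeug.proxy_fix.orig_remote_addr"] = orig_addr
    return environ


if __name__ == "__main__":
    from wsgiref.simple_server import make_server
    make_server("0.0.0.0", 8080, forward_auth_app).serve_forever()
```

Run it behind Traefik and point `forwardauth.address` at it; a valid session for an allowed host gets `200` with `X-Auth-User`, a missing session is redirected to the login page with the original URL preserved, and a request whose X-Forwarded-Host is not one of your own applications, or which did not arrive from the proxy network, is refused rather than vouched for.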