Migration from nginx-ingress-controller to traefik

Hi,

I am trying to migrate from nginx-ingress-controller to traefik (v3.6) in a Kubernetes cluster (v1.35). I currently have the following deployment:

keycloak: keycloak.mydomain0.com
oauth2-proxy: oauth2-proxy.mydomain1.com
prometheus: prometheus.mydomain1.com

The oauth2-proxy is configured with these parameters:

        - --http-address=0.0.0.0:4180
        - --https-address=0.0.0.0:4443
        - --metrics-address=0.0.0.0:44180
        - --auth-logging=true
        - --cookie-domain=.mydomain1.com
        - --oidc-issuer-url=https://keycloak.mydomain0.com/realms/myrealm
        - --provider=keycloak-oidc
        - --redirect-url=https://oauth2-proxy.mydomain1.com/oauth2/callback
        - --request-logging=true
        - --set-xauthrequest=true
        - --standard-logging=true
        - --whitelist-domain=.mydomain1.com
        - --config=/etc/oauth2_proxy/oauth2_proxy.cfg

Prometheus ingress has the following annotations:

nginx.ingress.kubernetes.io/auth-url: "https://oauth2-proxy.mydomain1.com/oauth2/auth"
nginx.ingress.kubernetes.io/auth-signin: "https://oauth2-proxy.mydomain1.com/oauth2/start?rd=$scheme://$host$request_uri"
nginx.ingress.kubernetes.io/auth-response-headers: "x-auth-request-preferred-username, x-auth-request-email"

This setup works as expected.

Now I have deployed traefik and switched to its ingress class. I have created the following middleware:

apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
  name: forward-auth
  namespace: monitoring
spec:
  forwardAuth:
    address: https://oauth2-proxy.mydomain1.com/oauth2/auth
    maxBodySize: 1048576
    maxResponseBodySize: 10485760
    trustForwardHeader: true
    authResponseHeaders:
      - "X-Auth-Request-Email"
      - "X-Auth-Request-Preferred-Username"
      - "Authorization"

And I have changed the prometheus ingress annotation to:

traefik.ingress.kubernetes.io/router.middlewares: monitoring-forward-auth@kubernetescrd

With this setup if I hit prometheus domain I receive Unauthorized and it does not redirect to keycloak login page… I don’t understand why…

curl -i https://prometheus.mydomain1.com
HTTP/1.1 401 Unauthorized
Content-Length: 13
Content-Type: text/plain; charset=utf-8
Date: Wed, 18 Mar 2026 11:51:25 GMT
X-Content-Type-Options: nosniff

Unauthorized

I have tried to add the following parameters to oauth2-proxy but it does not change the behaviour:
- --reverse-proxy=true
- --upstream=static://202

If I understand correctly with v3 I do not need to specify an oauth-errors middleware, authResponseHeaders configuration is sufficient.

Thanks in advance,

Davide

Hi!

From what I could validate, the issue seems to be related to the ForwardAuth address pointing to /oauth2/auth.

This endpoint appears to be designed for nginx’s auth_request model. In that flow, it returns a 401 for unauthenticated requests, and nginx internally converts that into a redirect.
Traefik, however, does not do this conversion — it simply forwards the 401 to the browser, so the redirect to Keycloak never happens.

Fix 1

Update the ForwardAuth address to use the root endpoint instead of /oauth2/auth:

spec:
  forwardAuth:
    address: https://oauth2-proxy.mydomain1.com/
    trustForwardHeader: true
    authResponseHeaders:
      - X-Auth-Request-Email
      - X-Auth-Request-Preferred-Username

At /, oauth2-proxy returns a 302 redirect to Keycloak for unauthenticated requests, which Traefik correctly forwards to the browser.

Fix 2

In oauth2-proxy, you may also want to set:

skip_provider_button = true
reverse_proxy = true

With skip_provider_button = false, unauthenticated requests to / can return a 403 with an HTML sign-in page, which Traefik renders instead of redirecting.

Bonus

If you're using the public domain in the ForwardAuth address, oauth2-proxy may build the rd (return-to) parameter using its own domain instead of your application’s domain.

To avoid
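To make the difference between the two gateway models concrete, here is a small added simulation (not code from either poster, from Traefik or from oauth2-proxy). The oauth2-proxy replies are a simplified model of the behaviour the thread describes, the forwarded headers are the X-Forwarded-* set Traefik sends to the auth server, and the e-mail value is constructed.

```python
from urllib.parse import quote, urlsplit

PROXY_HOST = "oauth2-proxy.mydomain1.com"  # host used in the thread


def oauth2_proxy(path, headers, authenticated, skip_provider_button=True, reverse_proxy=True):
    """Simplified model of oauth2-proxy (assumption, per the thread): returns (status, headers)."""
    if authenticated:
        return 202, {"X-Auth-Request-Email": "user@example.com"}  # constructed value
    if path == "/oauth2/auth":
        return 401, {}                                # auth_request-style answer, no redirect
    if not skip_provider_button:
        return 403, {"Content-Type": "text/html"}     # HTML sign-in page instead of a redirect
    # Build the rd (return-to) target: with reverse_proxy the forwarded headers are
    # trusted, otherwise the proxy falls back to its own host.
    if reverse_proxy and "X-Forwarded-Host" in headers:
        rd = f"{headers['X-Forwarded-Proto']}://{headers['X-Forwarded-Host']}{headers['X-Forwarded-Uri']}"
    else:
        rd = f"https://{PROXY_HOST}{path}"
    return 302, {"Location": f"https://{PROXY_HOST}/oauth2/start?rd={quote(rd, safe='')}"}


def traefik_forward_auth(address, client_host, client_uri, authenticated, **proxy_opts):
    """Traefik forwardAuth: a non-2xx auth reply is passed to the client as-is;
    a 2xx reply lets the request continue to the backend with the copied headers."""
    fwd = {"X-Forwarded-Proto": "https", "X-Forwarded-Host": client_host,
           "X-Forwarded-Uri": client_uri}
    status, hdrs = oauth2_proxy(urlsplit(address).path, fwd, authenticated, **proxy_opts)
    if 200 <= status < 300:
        return 200, {"upstream": "prometheus", **hdrs}
    return status, hdrs


def nginx_auth_request(client_host, client_uri, authenticated):
    """nginx auth_request: a 401/403 from the subrequest is turned into the
    auth-signin redirect (the rd is built from the client's own URL)."""
    status, _ = oauth2_proxy("/oauth2/auth", {}, authenticated)
    if status in (401, 403):
        rd = quote(f"https://{client_host}{client_uri}", safe="")
        return 302, {"Location": f"https://{PROXY_HOST}/oauth2/start?rd={rd}"}
    return 200, {"upstream": "prometheus"}
```

Running it with the thread's two addresses shows the 401 that Davide saw with /oauth2/auth, the 302 with / (and the 403 when skip_provider_button is false), and the rd pointing at the proxy's own host when reverse_proxy is off.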

