I run a service behind Traefik that needs credentials (provided by the client) in the Proxy-Authorization header, which is not passed on to the service (appears to be removed by Traefik).
Is there a way to configure Traefik to pass this client header through to the service?
I second this. My setup has the same requirement: Setup with Traefik / Issue with Proxy-Authorization header for services on another host · authelia/authelia · Discussion #6542 · GitHub.
I found out that this is not actually done by Traefik directly, but by the underlying Go library: go/src/net/http/httputil/reverseproxy.go at f19f31f2e7c136a8dae03cbfe4f8ebbb8b54569b · golang/go · GitHub.
net/http/httputil: ReverseProxy can remove headers added by Director · Issue #50580 · golang/go · GitHub fixed the issue that this removal of the header(s) couldn't be prevented; a new function Rewrite allows more control compared to the older Director function. Unfortunately Traefik doesn't use the Rewrite function as of now: traefik/pkg/server/service/proxy.go at 6c19a9cb8fb9e41a274bf712580df3712b69dc3e · traefik/traefik · GitHub.
I'm not very familiar with Traefik and/or Go, but I think it should be possible to add a configuration option to Traefik to pass-through the Proxy-Authorization header after switching to the Rewrite function. As an alternative (as this is quite the security-breaking feature/proposal, overriding the hop-by-hop header concept) maybe this can be implemented via a (Traefik) middleware (this would still require a switch to the Rewrite function).
@tomhe_arr since it's been 2 years: Did you solve this with some workaround or similar?
... I'm unsure if I should open an issue on the GitHub for this feature propsal ...
Other useful/similar links I found:
If you want this functionality and it’s a feature, not a bug, then you probably need to open a feature request, to see if this is something they would be even willing to include.
Alternatively you may be able to copy the header to a different name (and later back if required) with a plugin like this.
In my naivety, I tried to implement this myself, but it didn't work: Comparing v2.10.7...6aba0e9d43154a800c7e1c3f6052fc66e9317a0c · traefik/traefik · GitHub