Hello everyone I am trying to setup Error Pages with tarampampam's docker container
but unfortunately I have stumbled upon an issue, traefik doesn’t seem to proxy headers like WWW-Authenticate to the error-pages container, which leads to my backend services not knowing what to do…
Normally you would be prompted for Basic Auth / Bearer Token with WWW-Authenticate: Basic realm=Login Required, Bearer realm=Access Token Required, but in this case this doesn’t happen because the header is missing already missing before it hits the container.
Is there a way to tell traefik to proxy this header to said container?
I know forwardauth exists, but I am not sure if that will really work (because the Error Pages Container returns 400 HTTP Codes not 200 OK, etc.)
Does anyone have any idea how to fix this?
Thanks in advance!
Currently this is my config.yaml setup:
error-pages:
errors:
status:
- "400-599"
service: error-pages-svc@docker
query: "/{status}.html"
What are you trying to achieve? The error service should receive the login data for the original page? That’s probably not happening for security reasons.
In my case traefik is not forwarding the WWW-Authententicate header, but essentially traefik doesn’t forward any header apart from a few selected ones.
The error service should receive the login data for the original page? That’s probably not happening for security reasons.
WWW-Authenticate doesn’t contain any login data, it only contains login methods, example:
WWW-Authenticate: Basic realm=Login Required, Bearer realm=Access Token Required
… Are allowed auth methods.
This header tells the browser to prompt the user for Credentials using Basic Auth.
What I am basically trying to do is the following:
My Webserver needs Basic Auth, so I return the WWW-Authenticate header with the response.
My Browser then shows a popup for me to enter the credentials.
But I want to use custom Error Pages, which on its on works, but now the issue is that the errors middleware doesn’t forward any additional headers, this leads to me seeing the Error Page as expected but since there is no WWW-Authenticate header present my Browser doesn’t prompt me for credentials.
This also applies to backend services.
As they might (in my case one does) rely on feedback if there is auth needed.
The underlying issue is that there should be a way to tell traefik to forward additional headers to the error handler service.
Since there seems to be no workaround other than using a second proxy (NGINX).
I have opened a feature Request: Forward Headers to Error Page (Middleware) · Issue #11957 · traefik/traefik · GitHub
For anyone in the future, visit said feature Request to see if it got implemented.