Question: forwardAuth middleware


Quick question.....
How can I set up the forwardAuth middleware to forward to an internal service?

I have set up a generic auth route on one of the services I have deployed and have to set the forwardAuth middleware to the externally accessible URL, i.e.

        - "traefik.http.middlewares.jwt-auth.forwardauth.address=https://<my-exposed-service>.tld/api/v1/auth"

However, because the service exposing the auth route is already deployed to the swarm and traefik is acting as a reverse proxy for this I would think something like the following would be more efficient (in my case)

        - "traefik.http.middlewares.jwt-auth.forwardauth.address=<internal_service>:3000/api/v1/auth"

but this doesn't seem to work i.e. labels don't seem to allow the reference of an internal service by name...

Is this possible ? if so, how can I do this ???

Does anybody from Containous ever look at these issues ?

I have posted 3 questions on here and received precisely 0 responses...!!!! What gives !!!!

Take the question above, how hard could this possibly be for one of the Traefik devs to answer this, it's a simple question.

If we can't come here to get answers to questions, what's the point.....


Still no reply from a single Containous developer on how to do this !!!!!

Is this such a difficult question that NOBODY can answer it ?

Come on guys, a simple example showing this or a simple "no, it can't be done" would be sufficient. But nothing, silence, crickets !!!

This isn't good support by any measurement.


The community forum provides community support, not support from Containous or the Traefik maintainers.

As maintainers, we are free to answer or not; we are not "open source slaves".

It's not because you think the question or the answer is simple that the answer is really simple or the question is clear.
It's not because you think the question or the answer is simple that we or other people have to answer.

I recommend changing your approach to open source, community support, and how you communicate to get help.

Oh dear.... Upset much !!!

Having spent the last 35 years developing and architecting large scale software solutions and having created, contributed and been an open source advocate for the last 10+ years I can assure you that nobody is expecting you to be an open source "slave" as you put it.

Having developers and contributors regularly look through, and answer, questions on community forums is in no way unusual, especially in the early phases of new projects, of which Traefik V2 definitely is, especially where documentation is still undergoing development.

Until there is enough usage in the wild and documented examples are more freely available you need to expect the community to heavily rely on the developers for answers.

So, even though you bothered to respond, just to admonish me, you still couldn't be bothered to answer the question posted.

Having read through MANY of the questions, and answers, both here, and on other sites, it's blatantly obvious that many people are having a hard time understanding and getting to grips with the changes from V1 to V2 as there are NOT enough examples, at this early stage, for many deployment environments, such as in my case where deploying to Docker Swarm with no TOML files or external configuration yml files i.e. everything deployed using Traefik labels.

If you want to take the high road when users get frustrated then at least publish a full list of possible labels, what they do, and how different values affect them.

And for future reference.... questions on community forums are a good source for improving the documentation going forward. e.g. "here's a scenario we hadn't considered...."

As you are an experienced person, you know that being friendly is the best way to get an answer :wink:

I will assume that it's a forum/web effect and that you are a friendly person.

Forward auth is a Traefik v1 feature; the behavior hasn't changed with v2.

The traefik.http.middlewares.<xxx>.forwardauth.address references a URL called by Traefik from the Traefik container.
So, if your host is resolvable from the Traefik container, the address can be reached.

The exhaustive list of all available labels:

Thank you.

And yes, I, like the majority of people, am "mostly" a friendly person :slight_smile: but like "many" people I do get frustrated when some things just don't seem to make sense even after spending quite some time looking for information to help resolve issues.

So I apologise if some of my previous comments came across in a less than friendly way.

Regarding your quote....

What does this mean in real terms ???

For instance, I am perfectly able to access my auth route via setting the forwardauth.address to https://api.mydomain.tld/api/v1/auth which is globally reachable over the internet, not just via the Traefik container.

However, https://api.mydomain.tld, which contains this endpoint, is also proxied via Traefik as a docker service referenced as "api" running on an internal container port 3000.

In this case, it would be reasonable to assume, as all docker swarm services we have deployed can see each other on this particular network, that it should be possible to set the forwardauth.address to directly reference api:3000/api/v1/auth in the swarm and not have Traefik treat this as an external URL and reach out to the wider world of the internet.

The result of setting this to api:3000/api/v1/auth or even http://api:3000/api/v1/auth rather than https://api.mydomain.tld/api/v1/auth actually results in our application not being available in the browser and returning a 404 error even though the traefik, api and application logs show no errors.

Why is this???

For instance, if I want to access a docker deployed instance of mongodb or say redis from another service I could pass mongodb://mongo:27017/ as say an environment variable and not expose mongo outside of the swarm at all.

So in this case let's say I want to deploy a new service "auth" that exposes the endpoint /api/v1/auth but only to other swarm members, how would I reference that from the forwardauth.address seeing as this service is accessible from the Traefik container as it runs on the same docker network ???
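
As an added example that is not part of the thread and not the project's own configuration: a Swarm stack in which the auth service stays internal and forwardauth.address is a full URL (scheme included) that resolves from inside the Traefik container, as the maintainer's reply describes. Image names, the `proxy` network, the `app` router and the hostname are constructed placeholders; the middleware name `jwt-auth`, port 3000 and the /api/v1/auth path come from the posts above.

```yaml
# Added example: constructed stack file, not taken from the thread.
version: "3.7"

networks:
  proxy:
    driver: overlay
    driver_opts:
      encrypted: "true"   # optional: the auth call below is plain HTTP between nodes

services:
  traefik:
    image: traefik:v2.0
    command:
      - "--providers.docker=true"
      - "--providers.docker.swarmMode=true"
      - "--providers.docker.exposedByDefault=false"
      - "--entrypoints.websecure.address=:443"
    ports:
      - "443:443"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
    networks:
      - proxy
    deploy:
      placement:
        constraints:
          - node.role == manager

  # Internal-only auth service (placeholder image): no published port and no
  # Traefik labels, so with exposedByDefault=false it gets no router.
  auth:
    image: example/auth:latest
    networks:
      - proxy

  # Protected application (placeholder image and hostname).
  app:
    image: example/app:latest
    networks:
      - proxy
    deploy:
      labels:
        - "traefik.enable=true"
        - "traefik.http.routers.app.rule=Host(`app.mydomain.tld`)"
        - "traefik.http.routers.app.entrypoints=websecure"
        - "traefik.http.routers.app.tls=true"
        - "traefik.http.routers.app.middlewares=jwt-auth"
        - "traefik.http.services.app.loadbalancer.server.port=3000"
        # Swarm DNS resolves "auth" on the shared overlay network.
        - "traefik.http.middlewares.jwt-auth.forwardauth.address=http://auth:3000/api/v1/auth"
```

The auth service is reachable here only because it shares the `proxy` network with the Traefik container; on a different network the name `auth` would not resolve from Traefik.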