Redirect or block route based on X-Forwarded-User header

I've recently set up traefik-forward-auth using (Repository at GitHub - jordemort/traefik-forward-auth: Minimal forward authentication service that provides Google/OpenID oauth based login and authentication for the traefik reverse proxy), so domain users can now access docker containers with MFA provided by Azure.

This means it's possible to gate access to services in simple manners directly in my docker-compose.yml file, such as this for the whoami service:

            - "traefik.http.routers.whoami.middlewares=traefik-forward-auth"

Following logging in, I now have the X-Forwarded-User header, which contains the logged-in users email address and can be used to identify the user. However, in some cases I'd like to redirect some (non admin) users away from certain services. I assume it should be possible by using something like this in the whoami docker-compose.yml:

            - "traefik.http.routers.whoami.middlewares=traefik-forward-auth, redirect-non-administrators"

I expected it would be a breeze to define the redirect-non-administrators middleware, directly in the labels of the traefik docker-compose.yml, using some variation of headersregexp to match the users, something like this:

            - "traefik.http.middlewares.redirect-non-administrators.redirectregexy.headersregexp=X-Forwarded-User:^(foo|bar)@company\\.com$$" 
            # And ...

I've now spent a whole day trying variants of this, and while I can overwrite the header, I can't find a way to actually trigger anything based on the contents on the header.

Now I'd even settle for the "Not authorized" response, but even that I can't manage. :frowning:

I'd be really grateful for some examples of how to accomplish this.

You got a spelling mistake redirectregexy and not sure where you got headersregexp from, that does not seem to exist (docs, reference).

You could create an additional router with a header match as explained here in the community. The header match rule would be longer, therefore get higher priority and would be checked first.

Thank you, @bluepuma77 .

I should have been more clear. The last definition I made was wishful thinking - it's to illustrate what I hoped would be possible. It was based on Routers | Traefik | v2.0

I had already noticed the Host( && HeadersRegexp(X-something, SomeValue)` suggestion, but find it very inflexible, and was hoping to find something I could keep in the middleware route, where it IMHO make more sense: "Get_the_value, check_the_value". Also, it would allow me to make one definition in the traefik docker-compose.yml, and just refer to it in all other containers docker-compose.yml, instead of having to redefine it every time I need it.

I'm still hoping it's possible to define the middleware check using traefik build-in primitives.