Redirect or block route based on X-Forwarded-User header

I've recently set up traefik-forward-auth using ghcr.io/jordemort/traefik-forward-auth (Repository at GitHub - jordemort/traefik-forward-auth: Minimal forward authentication service that provides Google/OpenID oauth based login and authentication for the traefik reverse proxy), so domain users can now access docker containers with MFA provided by Azure.

This means it's possible to gate access to services in a simple manner directly in my docker-compose.yml file, such as this for the whoami service:

    labels:
            - "traefik.http.routers.whoami.middlewares=traefik-forward-auth"

After logging in, I now have the X-Forwarded-User header, which contains the logged-in user's email address and can be used to identify the user. However, in some cases I'd like to redirect some (non-admin) users away from certain services. I assume it should be possible by using something like this in the whoami docker-compose.yml:

    labels:
            - "traefik.http.routers.whoami.middlewares=traefik-forward-auth, redirect-non-administrators"

I expected it would be a breeze to define the redirect-non-administrators middleware directly in the labels of the traefik docker-compose.yml, using some variation of headersregexp to match the users, something like this:

    labels:
            - "traefik.http.middlewares.redirect-non-administrators.redirectregexy.headersregexp=X-Forwarded-User:^(foo|bar)@company\\.com$$" 
            # And ...

I've now spent a whole day trying variants of this, and while I can overwrite the header, I can't find a way to actually trigger anything based on the contents of the header.

Now I'd even settle for the "Not authorized" response, but even that I can't manage. :frowning:

I'd be really grateful for some examples of how to accomplish this.

You have a spelling mistake (redirectregexy), and I'm not sure where you got headersregexp from; that does not seem to exist (docs, reference).

You could create an additional router with a header match, as explained here in the community. The header match rule would be longer and would therefore get a higher priority, so it would be checked first.

Thank you, @bluepuma77 .

I should have been more clear. The last definition I made was wishful thinking; it's there to illustrate what I hoped would be possible. It was based on Routers | Traefik | v2.0.

I had already noticed the `` Host(`domain.com`) && HeadersRegexp(`X-something`, `SomeValue`) `` suggestion, but I find it very inflexible, and was hoping to find something I could keep in the middleware route, where it IMHO makes more sense: "Get_the_value, check_the_value". Also, it would allow me to make one definition in the traefik docker-compose.yml and just refer to it in all the other containers' docker-compose.yml files, instead of having to redefine it every time I need it.

I'm still hoping it's possible to define the middleware check using Traefik's built-in primitives.
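
An added example (not from this thread, and not part of Traefik or traefik-forward-auth) of the reusable "get the value, check the value" middleware the question asks for, which also covers the router-with-header-match approach suggested in the reply. Two properties of Traefik shape it: router rules such as HeadersRegexp are evaluated on the incoming request before any middleware runs, so a router that matches X-Forwarded-User only ever sees whatever the client chose to send, not the value traefik-forward-auth sets; and a ForwardAuth middleware replaces the headers listed in its authResponseHeaders on the request before handing it to the next middleware, and forwards the request headers to its auth server. The check can therefore be a second ForwardAuth middleware, defined once and referenced from any container, whose auth server is the small standard-library Python service below. It answers 200 for addresses matching the regex from the question and 302 (or 403) for everyone else; Traefik returns a non-2xx auth response to the client as-is, which is the same mechanism forward-auth uses for its own login redirect. The service name admin-check, port 4181, the ADMIN_REGEX and REDIRECT_URL environment variables, the redirect target and the labels in the docstring are all assumptions.

```python
"""Hypothetical admin-check service used as a second ForwardAuth backend.

Assumed Traefik labels (not from the thread). On this container:
  traefik.http.middlewares.redirect-non-administrators.forwardauth.address=http://admin-check:4181/
On the protected service, the chain from the question; the order matters:
  traefik.http.routers.whoami.middlewares=traefik-forward-auth,redirect-non-administrators
"""
import os
import re
from http.server import BaseHTTPRequestHandler, HTTPServer

USER_HEADER = "X-Forwarded-User"

# Admin regex from the question. ADMIN_REGEX is an assumed env override; in a
# compose "environment:" entry every "$" must be written "$$", as in the labels.
# Case-insensitive by choice: the domain part is case-insensitive and IdPs
# commonly return mixed-case addresses.
ADMIN_RE = re.compile(os.environ.get("ADMIN_REGEX", r"^(foo|bar)@company\.com$"), re.IGNORECASE)

# Assumed redirect target for non-admins; an empty string means answer 403 instead.
REDIRECT_URL = os.environ.get("REDIRECT_URL", "https://portal.example.com/not-authorized")


def decide(headers, admin_re=ADMIN_RE, redirect_url=REDIRECT_URL):
    """Map the request headers Traefik forwards to (status, location).

    200 -> admin: Traefik lets the request through to the service.
    302 -> non-admin: Traefik returns our response, Location included.
    403 -> non-admin and no redirect target configured.
    401 -> no X-Forwarded-User: the forward-auth middleware did not run
           before us, so fail closed rather than trust anything.
    Header names are compared case-insensitively.
    """
    lowered = {name.lower(): value for name, value in headers.items()}
    user = lowered.get(USER_HEADER.lower(), "")
    if not user:
        return 401, None
    # fullmatch on top of the anchors: "foo@company.com.evil.net",
    # "xfoo@company.com" and "foo@companyXcom" all fail.
    if admin_re.fullmatch(user):
        return 200, None
    if redirect_url:
        return 302, redirect_url
    return 403, None


class AdminCheck(BaseHTTPRequestHandler):
    """Traefik's ForwardAuth sends a GET carrying the original request's
    headers and acts on the status code (2xx = allow; anything else is
    returned to the client as the response)."""

    def do_GET(self):
        status, location = decide(dict(self.headers.items()))
        self.send_response(status)
        if location:
            self.send_header("Location", location)
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, fmt, *args):
        # Don't write every visitor's email address to stdout.
        return


if __name__ == "__main__":
    HTTPServer(("", int(os.environ.get("PORT", "4181"))), AdminCheck).serve_forever()
```

This only works if the traefik-forward-auth middleware lists X-Forwarded-User in its authResponseHeaders (it must already, or the header would never reach whoami) and runs before redirect-non-administrators in the chain; the 401 branch is what you get if the order is wrong or the first middleware is missing. Because the first ForwardAuth replaces the header rather than appending to it, a client-supplied X-Forwarded-User never reaches this check.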