Setting proxy headers

genert · March 8, 2020, 9:36pm

We are in process of moving from NGINX to Traefik and we stumbled across an issue.

We are using Pusher's OAuth2 proxy and everything works fine so far except for Grafana where we want to pass a certain header from OAuth service to Grafana so a user can login automatically.

Here is a piece of configuration for Grafana:

[auth.proxy]
enabled = true
header_name = X-Email
header_property = email
auto_sign_up = true

For NGINX, we have a following location block defined:

  location /grafana/ {
    auth_request /oauth2/auth;
    error_page 401 = /oauth2/sign_in;

    # pass information via X-User and X-Email headers to backend,
    # requires running with --set-xauthrequest flag
    auth_request_set $user   $upstream_http_x_auth_request_user;
    auth_request_set $email  $upstream_http_x_auth_request_email;
    proxy_set_header X-User  $user;
    proxy_set_header X-Email $email;
    proxy_set_header Host $host;
    proxy_set_header Upgrade $http_upgrade;

    # if you enabled --pass-access-token, this will pass the token to the backend
    auth_request_set $token  $upstream_http_x_auth_request_access_token;
    proxy_set_header X-Access-Token $token;

    # if you enabled --cookie-refresh, this is needed for it to work with auth_request
    auth_request_set $auth_cookie $upstream_http_set_cookie;
    add_header Set-Cookie $auth_cookie;

    # When using the --set-authorization-header flag, some provider's cookies can exceed the 4kb
    # limit and so the OAuth2 Proxy splits these into multiple parts.
    # Nginx normally only copies the first `Set-Cookie` header from the auth_request to the response,
    # so if your cookies are larger than 4kb, you will need to extract additional cookies manually.
    auth_request_set $auth_cookie_name_upstream_1 $upstream_cookie_auth_cookie_name_1;

    # Extract the Cookie attributes from the first Set-Cookie header and append them
    # to the second part ($upstream_cookie_* variables only contain the raw cookie content)
    if ($auth_cookie ~* "(; .*)") {
        set $auth_cookie_name_0 $auth_cookie;
        set $auth_cookie_name_1 "auth_cookie_name_1=$auth_cookie_name_upstream_1$1";
    }

    # Send both Set-Cookie headers now if there was a second part
    if ($auth_cookie_name_upstream_1) {
        add_header Set-Cookie $auth_cookie_name_0;
        add_header Set-Cookie $auth_cookie_name_1;
    }

    proxy_pass http://grafana:3000/;
  }

The most important lines what we want to achieve with Traefik are following:

auth_request_set $email  $upstream_http_x_auth_request_email;
proxy_set_header X-Email $email;

Is it possible to do same with Traefik (pass at-least X-Auth-Request-Email header to Grafana service) ? Could not find much information from documentation about that.

luc.juggery · May 25, 2020, 9:20am

Hello,
Did you have any feedback ?
I have the same question on my side as I need to get a JWT from the external Auth Provider and then use that one in the request header:

auth_request /auth;
auth_request_set $jwt $upstream_http_jwt;
proxy_set_header "Authorization" "jwt $jwt";

shiak · January 17, 2021, 9:36pm

@genert , Did you get a solution for setting the proxy headers?. I am also looking for the same solution. Please post here if you have anything?

muddro1 · January 17, 2022, 1:22pm

Anyone figure this out?

Topic		Replies	Views
Allow to conditionally add request headers Traefik v2 docker	0	1174	February 3, 2020
Proxies the authorization header in Traefik Traefik v2 kubernetes-ingress , middleware	1	2113	January 21, 2021
Proxy response cookie Traefik v2 docker , file	0	980	February 19, 2021
Cookie "_oauth2_proxy" not present when using OAuth2 with Traefik Traefik v2 docker , docker-swarm	0	3047	May 10, 2021
Add proxy_set_header Authorization in Traefik Traefik v2 middleware	5	5019	October 29, 2021

Setting proxy headers

Related topics