Setting proxy headers

We are in process of moving from NGINX to Traefik and we stumbled across an issue.

We are using Pusher's OAuth2 proxy and everything works fine so far except for Grafana where we want to pass a certain header from OAuth service to Grafana so a user can login automatically.

Here is a piece of configuration for Grafana:

[auth.proxy]
enabled = true
header_name = X-Email
header_property = email
auto_sign_up = true

For NGINX, we have a following location block defined:

  location /grafana/ {
    auth_request /oauth2/auth;
    error_page 401 = /oauth2/sign_in;

    # pass information via X-User and X-Email headers to backend,
    # requires running with --set-xauthrequest flag
    auth_request_set $user   $upstream_http_x_auth_request_user;
    auth_request_set $email  $upstream_http_x_auth_request_email;
    proxy_set_header X-User  $user;
    proxy_set_header X-Email $email;
    proxy_set_header Host $host;
    proxy_set_header Upgrade $http_upgrade;

    # if you enabled --pass-access-token, this will pass the token to the backend
    auth_request_set $token  $upstream_http_x_auth_request_access_token;
    proxy_set_header X-Access-Token $token;

    # if you enabled --cookie-refresh, this is needed for it to work with auth_request
    auth_request_set $auth_cookie $upstream_http_set_cookie;
    add_header Set-Cookie $auth_cookie;

    # When using the --set-authorization-header flag, some provider's cookies can exceed the 4kb
    # limit and so the OAuth2 Proxy splits these into multiple parts.
    # Nginx normally only copies the first `Set-Cookie` header from the auth_request to the response,
    # so if your cookies are larger than 4kb, you will need to extract additional cookies manually.
    auth_request_set $auth_cookie_name_upstream_1 $upstream_cookie_auth_cookie_name_1;

    # Extract the Cookie attributes from the first Set-Cookie header and append them
    # to the second part ($upstream_cookie_* variables only contain the raw cookie content)
    if ($auth_cookie ~* "(; .*)") {
        set $auth_cookie_name_0 $auth_cookie;
        set $auth_cookie_name_1 "auth_cookie_name_1=$auth_cookie_name_upstream_1$1";
    }

    # Send both Set-Cookie headers now if there was a second part
    if ($auth_cookie_name_upstream_1) {
        add_header Set-Cookie $auth_cookie_name_0;
        add_header Set-Cookie $auth_cookie_name_1;
    }

    proxy_pass http://grafana:3000/;
  }

The most important lines what we want to achieve with Traefik are following:

auth_request_set $email  $upstream_http_x_auth_request_email;
proxy_set_header X-Email $email;

Is it possible to do same with Traefik (pass at-least X-Auth-Request-Email header to Grafana service) ? Could not find much information from documentation about that.

2 Likes

Hello,
Did you have any feedback ?
I have the same question on my side as I need to get a JWT from the external Auth Provider and then use that one in the request header:

auth_request /auth;
auth_request_set $jwt $upstream_http_jwt;
proxy_set_header "Authorization" "jwt $jwt";

@genert , Did you get a solution for setting the proxy headers?. I am also looking for the same solution. Please post here if you have anything?

Anyone figure this out?