statusRewrites in errors not changing HTTP return code (conditional redirect on forward-auth 401)

Using Traefik version 3.3 in k8s

I'm using oauth2-proxy for forward auth. Auth is set up and working well, as is forward auth (401 if not auth'd, requested page if auth'd)

I have two questions around how Traefik's middlewares work with the below setup

  1. Why can I only get the "error page" (in this case, the login page) to return when the auth-redirect middleware is on the top of the stack? When it comes after the forward-auth middleware, the error page doesn't pick up (and all I get back is a 401 with no body)
  2. My statusRewrites option for my errors middleware doesn't appear to work - is my expectation that the 401 being returned by forward auth be turned into a 302 when sent back to the user incorrect here? With it set like this, I get my redirect body & header back, but the http status code is still a 401 (not a 302)

The goal basically is to have a way to conditionally enforce a browser-based redirect workflow for auth when a given ingress route has the auth-redirect middleware applied. Eventually, I'll turn this into a chain.

Here are the two middlewares I have defined

```yaml
---
# Tests whether this request is auth'd. Returns a 401 to user if not
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
  name: forward-auth
spec:
  forwardAuth:
    address: "http://oauth2-proxy.traefik.svc.cluster.local/oauth2/auth"
    trustForwardHeader: true
    authResponseHeaders:
      - X-Auth-Request-User
      - X-Auth-Request-Email
---
# If applied to an ingressroute with the above,
#   return a 302 redirect for login if 401 from forwardauth
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
  name: auth-redirect
spec:
  errors:
    status:
      - "401"
    service:
      name: oauth2-proxy
      port: 80
    query: "/oauth2/start?rd={url}"
    statusRewrites:
      "401": 302
```

And here's my IngressRoute

```yaml
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
  name: whoami
spec:
  entryPoints:
    - web
    - websecure
  routes:
  - match: Host(`whoami.testdomain.blah`)
    kind: Rule
    middlewares: # Note the order here - inverting this order results in empty body 401
    - name: auth-redirect
      namespace: traefik
    - name: forward-auth
      namespace: traefik
    services:
    - name: whoami
      port: 80
```

The second question of the two is the most pertinent / important one. The first is just curiosity

That moment when you realize you're running an old version, looking at the latest docs.

statusRewrites requires 3.4+
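
The ordering effect and the status rewrite discussed in this thread, modelled as plain Go `net/http` handlers. This is an added example, not code from the post or from Traefik; `forwardAuth`, `errorsMW`, `backend` and `Probe` are hypothetical stand-ins, and the `rewrites` map plays the role of `statusRewrites`. It shows that an errors-style handler only sees responses produced behind it, so it has to wrap the auth handler to catch its 401.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// forwardAuth stand-in: with no session cookie it answers a bare 401 and never calls next.
func forwardAuth(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Header.Get("Cookie") == "" {
			w.WriteHeader(http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// errorsMW stand-in: on a 401 from next it serves the error page, keeping the status unless rewrites maps it.
func errorsMW(rewrites map[int]int, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		rec := httptest.NewRecorder()
		next.ServeHTTP(rec, r)
		code, body := rec.Code, rec.Body.String()
		if rec.Code == http.StatusUnauthorized {
			body = "login page" // constructed stand-in for the /oauth2/start response
			w.Header().Set("Location", "/oauth2/start?rd="+r.URL.Path)
			if to, ok := rewrites[code]; ok {
				code = to
			}
		}
		w.WriteHeader(code)
		fmt.Fprint(w, body)
	})
}

var backend = http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { fmt.Fprint(w, "whoami") })

// Probe sends one unauthenticated request through h and returns status and body.
func Probe(h http.Handler) (int, string) {
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, httptest.NewRequest("GET", "/", nil))
	return rec.Code, rec.Body.String()
}

func main() {
	fmt.Println(Probe(errorsMW(map[int]int{401: 302}, forwardAuth(backend)))) // errors handler outermost
	fmt.Println(Probe(forwardAuth(errorsMW(nil, backend))))                   // auth handler outermost
}
```
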