Traefik 2.0 middleware does not apply

mel · October 7, 2019, 9:36pm

I am trying to use the forwardauth middleware but I can't seem to get it to work. I am using authelia for LDAP authentication and I'd like to send requests to that container. My docker-compose.yml looks like this

version: "3.7"

services:
  auth:
    image: clems4ever/authelia:v3.15.0
    container_name: authelia
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.auth.rule=Host(`example.com`)"
      - "traefik.http.routers.auth.entrypoints=auth"
    volumes:
      - ./authelia_config.yml:/etc/authelia/config.yml:ro
  traefik:
    image: traefik:v2.0
    command:
      - "--log.level=DEBUG"
      - "--api.insecure=true"
      - "--providers.docker=true"
      - "--providers.docker.exposedbydefault=false"
      - "--entrypoints.web.address=:80"
      - "--entrypoints.auth.address=:9091"
    ports:
      - "80:80"
      - "443:443"
      - "8080:8080"
      - "9091:9091"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
  whoami:
    image: "containous/whoami"
    container_name: "whoami"
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.whoami.rule=Host(`example.com`)"
      - "traefik.http.routers.whoami.middlewares=authme"
      - "traefik.http.middlewares.authme.forwardauth.address=http://example.com:9091"

When I go to http://example.com, shouldn't the requests be forwarded to http://example.com:9091? But it shows me information about the whoami container.

ldez · October 7, 2019, 9:39pm

Hello,

you have to define 2 different rules instead of the same rule.

version: "3.7"

services:

  auth:
    image: clems4ever/authelia:v3.15.0
    container_name: authelia
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.auth.rule=Host(`authelia.example.com`)"
      - "traefik.http.routers.auth.entrypoints=auth"
    volumes:
      - ./authelia_config.yml:/etc/authelia/config.yml:ro

  traefik:
    image: traefik:v2.0
    command:
      - "--log.level=DEBUG"
      - "--api.insecure=true"
      - "--providers.docker=true"
      - "--providers.docker.exposedbydefault=false"
      - "--entrypoints.web.address=:80"
      - "--entrypoints.auth.address=:9091"
    ports:
      - "80:80"
      - "443:443"
      - "8080:8080"
      - "9091:9091"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro

  whoami:
    image: "containous/whoami"
    container_name: "whoami"
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.whoami.rule=Host(`example.com`)"
      - "traefik.http.routers.whoami.middlewares=authme"
      - "traefik.http.middlewares.authme.forwardauth.address=http://authelia.example.com"

mel · October 7, 2019, 9:46pm

Thanks for the response. entrypoint on authelia is 9091 and the entrypoint on whoami is 80. Does that not make 2 different rules, since they are listening on different ports?

mel · October 7, 2019, 10:55pm

Oh, that is just a host rule so it's not looking at the port.

mel · October 7, 2019, 11:13pm

When I update it like you suggested

version: "3.7"

services:

  auth:
    image: clems4ever/authelia:v3.15.0
    container_name: authelia
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.auth.rule=Host(`auth.example.com`)"
      - "traefik.http.routers.auth.entrypoints=auth"
    volumes:
      - ./authelia_config.yml:/etc/authelia/config.yml:ro

  traefik:
    image: traefik:v2.0
    command:
      - "--log.level=DEBUG"
      - "--api.insecure=true"
      - "--providers.docker=true"
      - "--providers.docker.exposedbydefault=false"
      - "--entrypoints.web.address=:80"
      - "--entrypoints.auth.address=:9091"
    ports:
      - "80:80"
      - "443:443"
      - "8080:8080"
      - "9091:9091"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro

  whoami:
    image: "containous/whoami"
    container_name: "whoami"
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.whoami.rule=Host(`example.com`)"
      - "traefik.http.routers.whoami.middlewares=authme"
      - "traefik.http.middlewares.authme.forwardauth.address=http://auth.example.com"

I see this error from traefik

traefik_1  | time="2019-10-07T23:02:36Z" level=debug msg="Remote error http://auth.example.com. StatusCode: 404" middlewareName=authme@docker middlewareType=ForwardedAuthType

I think that is because authelia is listening on port 9091. When I update the forwardauth address to include port 9091

      - "traefik.http.middlewares.authme.forwardauth.address=http://auth.example.com:9091"

It bypasses the middleware and shows me the whoami webpage, and I see this in the traefik logs

traefik_1  | time="2019-10-07T23:04:55Z" level=debug msg="vulcand/oxy/roundrobin/rr: begin ServeHttp on request" Request="{\"Method\":\"GET\",\"URL\":{\"Scheme\":\"\",\"Opaque\":\"\",\"User\":null,\"Host\":\"\",\"Path\":\"/\",\"RawPath\":\"\",\"ForceQuery\":false,\"RawQuery\":\"\",\"Fragment\":\"\"},\"Proto\":\"HTTP/1.1\",\"ProtoMajor\":1,\"ProtoMinor\":1,\"Header\":{\"Accept\":[\"text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\"],\"Accept-Encoding\":[\"gzip, deflate\"],\"Accept-Language\":[\"en-US,en;q=0.5\"],\"Cache-Control\":[\"max-age=0\"],\"Dnt\":[\"1\"],\"Upgrade-Insecure-Requests\":[\"1\"],\"User-Agent\":[\"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:69.0) Gecko/20100101 Firefox/69.0\"],\"X-Forwarded-Host\":[\"auth.example.com:9091\"],\"X-Forwarded-Port\":[\"9091\"],\"X-Forwarded-Proto\":[\"http\"],\"X-Forwarded-Server\":[\"1e108ee0c6dc\"],\"X-Real-Ip\":[\"192.168.96.1\"]},\"ContentLength\":0,\"TransferEncoding\":null,\"Host\":\"auth.example.com:9091\",\"Form\":null,\"PostForm\":null,"MultipartForm\":null,\"Trailer\":null,\"RemoteAddr\":\"192.168.96.1:43744\",\"RequestURI\":\"/\",\"TLS\":null}"
traefik_1  | time="2019-10-07T23:04:55Z" level=debug msg="vulcand/oxy/roundrobin/rr: Forwarding this request to URL" Request="{\"Method\":\"GET\",\"URL\":{\"Scheme\":\"\",\"Opaque\":\"\",\"User\":null,\"Host\":\"\",\"Path\":\"/\",\"RawPath\":\"\",\"ForceQuery\":false,\"RawQuery\":\"\",\"Fragment\":\"\"},\"Proto\":\"HTTP/1.1\",\"ProtoMajor\":1,\"ProtoMinor\":1,\"Header\":{\"Accept\":[\"text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\"],\"Accept-Encoding\":[\"gzip, deflate\"],\"Accept-Language\":[\"en-US,en;q=0.5\"],\"Cache-Control\":[\"max-age=0\"],\"Dnt\":[\"1\"],\"Upgrade-Insecure-Requests\":[\"1\"],\"User-Agent\":[\"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:69.0) Gecko/20100101 Firefox/69.0\"],\"X-Forwarded-Host\":[\"auth.example.com:9091\"],\"X-Forwarded-Port\":[\"9091\"],\"X-Forwarded-Proto\":[\"http\"],\"X-Forwarded-Server\":[\"1e108ee0c6dc\"],\"X-Real-Ip\":[\"192.168.96.1\"]},\"ContentLength\":0,\"TransferEncoding\":null,\"Host\":\"auth.example.com:9091\",\"Form\":null,\"PostForm\":null,\"MultipartForm\":null,\"Trailer\":null,\"RemoteAddr\":\"192.168.96.1:43744\",\"RequestURI\":\"/\",\"TLS\":null}" ForwardURL="http://192.168.96.6:9091"
traefik_1  | time="2019-10-07T23:04:55Z" level=debug msg="vulcand/oxy/roundrobin/rr: completed ServeHttp on request" Request="{\"Method\":\"GET\",\"URL\":{\"Scheme\":\"\",\"Opaque\":\"\",\"User\":null,\"Host\":\"\",\"Path\":\"/\",\"RawPath\":\"\",\"ForceQuery\":false,\"RawQuery\":\"\",\"Fragment\":\"\"},\"Proto\":\"HTTP/1.1\",\"ProtoMajor\":1,\"ProtoMinor\":1,\"Header\":{\"Accept\":[\"text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\"],\"Accept-Encoding\":[\"gzip, deflate\"],\"Accept-Language\":[\"en-US,en;q=0.5\"],\"Cache-Control\":[\"max-age=0\"],\"Dnt\":[\"1\"],\"Upgrade-Insecure-Requests\":[\"1\"],\"User-Agent\":[\"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:69.0) Gecko/20100101 Firefox/69.0\"],\"X-Forwarded-Host\":[\"auth.example.com:9091\"],\"X-Forwarded-Port\":[\"9091\"],\"X-Forwarded-Proto\":[\"http\"],\"X-Forwarded-Server\":[\"1e108ee0c6dc\"],\"X-Real-Ip\":[\"192.168.96.1\"]},\"ContentLength\":0,\"TransferEncoding\":null,\"Host\":\"auth.example.com:9091\",\"Form\":null,\"PostForm\":null,\"MultipartForm\":null,\"Trailer\":null,\"RemoteAddr\":\"192.168.96.1:43744\",\"RequestURI\":\"/\",\"TLS\":null}"
traefik_1  | time="2019-10-07T23:04:55Z" level=debug msg="vulcand/oxy/roundrobin/rr: begin ServeHttp on request" Request="{\"Method\":\"GET\",\"URL\":{\"Scheme\":\"\",\"Opaque\":\"\",\"User\":null,\"Host\":\"\",\"Path\":\"/\",\"RawPath\":\"\",\"ForceQuery\":false,\"RawQuery\":\"\",\"Fragment\":\"\"},\"Proto\":\"HTTP/1.1\",\"ProtoMajor\":1,\"ProtoMinor\":1,\"Header\":{\"Accept\":[\"text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\"],\"Accept-Encoding\":[\"gzip, deflate\"],\"Accept-Language\":[\"en-US,en;q=0.5\"],\"Cache-Control\":[\"max-age=0\"],\"Connection\":[\"keep-alive\"],\"Dnt\":[\"1\"],\"Upgrade-Insecure-Requests\":[\"1\"],\"User-Agent\":[\"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:69.0) Gecko/20100101 Firefox/69.0\"],\"X-Forwarded-Host\":[\"example.com\"],\"X-Forwarded-Port\":[\"80\"],\"X-Forwarded-Proto\":[\"http\"],\"X-Forwarded-Server\":[\"1e108ee0c6dc\"],\"X-Real-Ip\":[\"10.18.26.190\"]},\"ContentLength\":0,\"TransferEncoding\":null,\"Host\":\"example.com\",\"Form\":null,\"PostForm\":null,\"MultipartForm\":null,\"Trailer\":null,\"RemoteAddr\":\"10.18.26.190:51984\",\"RequestURI\":\"/\",\"TLS\":null}"
traefik_1  | time="2019-10-07T23:04:55Z" level=debug msg="vulcand/oxy/roundrobin/rr: Forwarding this request to URL" ForwardURL="http://192.168.96.4:80" Request="{\"Method\":\"GET\",\"URL\":{\"Scheme\":\"\",\"Opaque\":\"\",\"User\":null,\"Host\":\"\",\"Path\":\"/\",\"RawPath\":\"\",\"ForceQuery\":false,\"RawQuery\":\"\",\"Fragment\":\"\"},\"Proto\":\"HTTP/1.1\",\"ProtoMajor\":1,\"ProtoMinor\":1,\"Header\":{\"Accept\":[\"text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\"],\"Accept-Encoding\":[\"gzip, deflate\"],\"Accept-Language\":[\"en-US,en;q=0.5\"],\"Cache-Control\":[\"max-age=0\"],\"Connection\":[\"keep-alive\"],\"Dnt\":[\"1\"],\"Upgrade-Insecure-Requests\":[\"1\"],\"User-Agent\":[\"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:69.0) Gecko/20100101 Firefox/69.0\"],\"X-Forwarded-Host\":[\"example.com\"],\"X-Forwarded-Port\":[\"80\"],\"X-Forwarded-Proto\":[\"http\"],\"X-Forwarded-Server\":[\"1e108ee0c6dc\"],\"X-Real-Ip\":[\"10.18.26.190\"]},\"ContentLength\":0,\"TransferEncoding\":null,\"Host\":\"example.com\",\"Form\":null,\"PostForm\":null,\"MultipartForm\":null,\"Trailer\":null,\"RemoteAddr\":\"10.18.26.190:51984\",\"RequestURI\":\"/\",\"TLS\":null}"
traefik_1  | time="2019-10-07T23:04:55Z" level=debug msg="vulcand/oxy/roundrobin/rr: completed ServeHttp on request" Request="{\"Method\":\"GET\",\"URL\":{\"Scheme\":\"\",\"Opaque\":\"\",\"User\":null,\"Host\":\"\",\"Path\":\"/\",\"RawPath\":\"\",\"ForceQuery\":false,\"RawQuery\":\"\",\"Fragment\":\"\"},\"Proto\":\"HTTP/1.1\",\"ProtoMajor\":1,\"ProtoMinor\":1,\"Header\":{\"Accept\":[\"text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\"],\"Accept-Encoding\":[\"gzip, deflate\"],\"Accept-Language\":[\"en-US,en;q=0.5\"],\"Cache-Control\":[\"max-age=0\"],\"Connection\":[\"keep-alive\"],\"Dnt\":[\"1\"],\"Upgrade-Insecure-Requests\":[\"1\"],\"User-Agent\":[\"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:69.0) Gecko/20100101 Firefox/69.0\"],\"X-Forwarded-Host\":[\"example.com\"],\"X-Forwarded-Port\":[\"80\"],\"X-Forwarded-Proto\":[\"http\"],\"X-Forwarded-Server\":[\"1e108ee0c6dc\"],\"X-Real-Ip\":[\"10.18.26.190\"]},\"ContentLength\":0,\"TransferEncoding\":null,\"Host\":\"example.com\",\"Form\":null,\"PoForm\":null,\"MultipartForm\":null,\"Trailer\":null,\"RemoteAddr\":\"10.18.26.190:51984\",\"RequestURI\":\"/\",\"TLS\":null}"

ldez · October 7, 2019, 11:53pm

version: "3.7"

services:

  auth:
    image: clems4ever/authelia:v3.15.0
    container_name: authelia
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.auth.rule=Host(`example.com`)"
      - "traefik.http.routers.auth.entrypoints=auth"
      - "traefik.http.services.auth.loadBalancer.server.port=:9091"
    volumes:
      - ./authelia_config.yml:/etc/authelia/config.yml:ro

  traefik:
    image: traefik:v2.0
    command:
      - "--log.level=DEBUG"
      - "--api.insecure=true"
      - "--providers.docker=true"
      - "--providers.docker.exposedbydefault=false"
      - "--entrypoints.web.address=:80"
      - "--entrypoints.auth.address=:9091"
    ports:
      - "80:80"
      - "443:443"
      - "8080:8080"
      - "9091:9091"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro

  whoami:
    image: "containous/whoami"
    container_name: "whoami"
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.whoami.rule=Host(`example.com`)"
      - "traefik.http.routers.whoami.middlewares=authme"
      - "traefik.http.middlewares.authme.forwardauth.address=http://example.com:9091"

or

version: "3.7"

services:

  auth:
    image: clems4ever/authelia:v3.15.0
    container_name: authelia
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.auth.rule=Host(`authelia.example.com`)"
      - "traefik.http.routers.auth.entrypoints=web"
      - "traefik.http.services.auth.loadBalancer.server.port=:9091"
    volumes:
      - ./authelia_config.yml:/etc/authelia/config.yml:ro

  traefik:
    image: traefik:v2.0
    command:
      - "--log.level=DEBUG"
      - "--api.insecure=true"
      - "--providers.docker=true"
      - "--providers.docker.exposedbydefault=false"
      - "--entrypoints.web.address=:80"
    ports:
      - "80:80"
      - "443:443"
      - "8080:8080"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro

  whoami:
    image: "containous/whoami"
    container_name: "whoami"
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.whoami.rule=Host(`example.com`)"
      - "traefik.http.routers.whoami.middlewares=authme"
      - "traefik.http.middlewares.authme.forwardauth.address=http://authelia.example.com"

mel · October 8, 2019, 1:12am

Hello, I tried both versions and I see a bad gateway error.

traefik_1  | time="2019-10-08T01:04:38Z" level=debug msg="'502 Bad Gateway' caused by: dial tcp: lookup 192.168.240.3:: no such host"
traefik_1  | time="2019-10-08T01:04:38Z" level=debug msg="Remote error http://auth.example.com. StatusCode: 502" middlewareName=authme@docker middlewareType=ForwardedAuthType

That is the internal IP address of the authelia container.

CVJoint · October 8, 2019, 8:56am

Hello,

The way I do forward auth is by taking advantage of Docker's networking to identify the container route. I've never done it over http traffic though, and when I was looking into Authelia they hadn't gotten it to work with Traefik yet, but I've read it does work now. Could you try:

version: "3.7"

services:

  authelia:
    image: clems4ever/authelia:v3.15.0
    container_name: authelia
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.auth.rule=Host(`authelia.example.com`)"
      - "traefik.http.routers.auth.entrypoints=web"
      - "traefik.http.services.auth.loadBalancer.server.port=:9091"
    volumes:
      - ./authelia_config.yml:/etc/authelia/config.yml:ro

  traefik:
    image: traefik:v2.0
    command:
      - "--log.level=DEBUG"
      - "--api.insecure=true"
      - "--providers.docker=true"
      - "--providers.docker.exposedbydefault=false"
      - "--entrypoints.web.address=:80"
    ports:
      - "80:80"
      - "443:443"
      - "8080:8080"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro

  whoami:
    image: "containous/whoami"
    container_name: "whoami"
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.whoami.rule=Host(`example.com`)"
      - "traefik.http.routers.whoami.middlewares=authme"
      - "traefik.http.middlewares.authme.forwardauth.address=http://authelia:9091"
      - "traefik.http.middlewares.authme.forwardauth.trustforwardheader=true"
      - "traefik.http.middlewares.authme.forwardauth.authresponseheaders=X-Forwarded-User"

With the forward auth container that I use (thomseddon/traefik-forward-auth) I also have to add those last 3 forward auth lines to my container (which would be Authelia in this case). If the above doesn't work for you, try to add the following line to your authelia container:

- "traefik.http.routers.auth.middlewares=authme"

mel · October 8, 2019, 3:55pm

Hello, thanks for the reply. I tried those but unfortunately it is still bypassing the middleware.

Attaching to authelia_traefik_1                                                                                                                                                                                                                traefik_1   | time="2019-10-08T15:51:42Z" level=info msg="Configuration loaded from flags."
traefik_1   | time="2019-10-08T15:51:42Z" level=info msg="Traefik version 2.0.1 built on 2019-09-26T16:18:03Z"
traefik_1   | time="2019-10-08T15:51:42Z" level=debug msg="Static configuration loaded {\"global\":{\"checkNewVersion\":true},\"serversTransport\":{\"maxIdleConnsPerHost\":200},\"entryPoints\":{\"traefik\":{\"address\":\":8080\",\"transport\":{\"lifeCycle\":{\"graceTimeOut\":10000000000},\"respondingTimeouts\":{\"idleTimeout\":180000000000}},\"forwardedHeaders\":{}},\"web\":{\"address\":\":80\",\"transport\":{\"lifeCycle\":{\"graceTimeOut\":10000000000},\"respondingTimeouts\":{\"idleTimeout\":180000000000}},\"forwardedHeaders\":{\"insecure\":true}},\"websecure\":{\"transport\":{\"lifeCycle\":{\"graceTimeOut\":10000000000},\"respondingTimeouts\":{\"idleTimeout\":180000000000}},\"forwardedHeaders\":{\"insecure
\":true}}},\"providers\":{\"providersThrottleDuration\":2000000000,\"docker\":{\"watch\":true,\"endpoint\":\"unix:///var/run/docker.sock\",\"defaultRule\":\"Host(`{{ normalize .Name }}`)\",\"swarmModeRefreshSeconds\":15000000000}},\"api\":{\"insecure\":true,\"dashboard\":true},\"log\":{\"level\":\"DEBUG\",\"format\":\"common\"}}"                                                                                                                                                   traefik_1   | time="2019-10-08T15:51:42Z" level=info msg="\nStats collection is disabled.\nHelp us improve Traefik by turning this feature on :)\nMore details on: https://docs.traefik.io/v2.0/contributing/data-collection/\n"               traefik_1   | time="2019-10-08T15:51:42Z" level=debug msg="No default certificate, generating one"
traefik_1   | time="2019-10-08T15:51:42Z" level=info msg="Starting provider aggregator.ProviderAggregator {}"
traefik_1   | time="2019-10-08T15:51:42Z" level=debug msg="Start TCP Server" entryPointName=web                                                                                                                                                traefik_1   | time="2019-10-08T15:51:42Z" level=info msg="Starting provider *docker.Provider {\"watch\":true,\"endpoint\":\"unix:///var/run/docker.sock\",\"defaultRule\":\"Host(`{{ normalize .Name }}`)\",\"swarmModeRefreshSeconds\":15000000000}"                                                                                                                                                                                                                                         traefik_1   | time="2019-10-08T15:51:42Z" level=debug msg="Start TCP Server" entryPointName=websecure
traefik_1   | time="2019-10-08T15:51:42Z" level=debug msg="Start TCP Server" entryPointName=traefik
traefik_1   | time="2019-10-08T15:51:42Z" level=debug msg="Provider connection established with docker 19.03.1 (API 1.40)" providerName=docker
traefik_1   | time="2019-10-08T15:51:42Z" level=debug msg="Filtering disabled container" providerName=docker container=traefik-authelia-74a646ecc808454696f2d749ea59a1e38db53c4b3c5cc0e6a49e96791a445928
traefik_1   | time="2019-10-08T15:51:42Z" level=debug msg="Configuration received from provider docker: {\"http\":{},\"tcp\":{}}" providerName=docker
traefik_1   | time="2019-10-08T15:51:42Z" level=debug msg="No default certificate, generating one"
traefik_1   | time="2019-10-08T15:51:43Z" level=debug msg="Provider event received {Status:start ID:838d2b6e5221517815d66d929a0cb62cd2e6f8b90f4c9c607dc71f4aba3a1c1c From:containous/whoami Type:container Action:start Actor:{ID:838d2b6e52215
17815d66d929a0cb62cd2e6f8b90f4c9c607dc71f4aba3a1c1c Attributes:map[com.docker.compose.config-hash:2244534b4127756dde755dc105967f57aba4af0e93d3537a03a7a8d9b0eca790 com.docker.compose.container-number:1 com.docker.compose.oneoff:False com.do
cker.compose.project:authelia com.docker.compose.service:whoami com.docker.compose.version:1.24.1 image:containous/whoami name:whoami traefik.enable:true traefik.http.middlewares.authme.forwardauth.address:http://authelia:9091 traefik.http
.middlewares.authme.forwardauth.authresponseheaders:X-Forwarded-User traefik.http.middlewares.authme.forwardauth.trustforwardheader:true traefik.http.routers.whoami.middlewares:authme traefik.http.routers.whoami.rule:Host(`example.com`)]}
Scope:local Time:1570549903 TimeNano:1570549903145202383}" providerName=docker
traefik_1   | time="2019-10-08T15:51:43Z" level=debug msg="Filtering disabled container" container=traefik-authelia-74a646ecc808454696f2d749ea59a1e38db53c4b3c5cc0e6a49e96791a445928 providerName=docker
traefik_1   | time="2019-10-08T15:51:43Z" level=debug msg="Configuration received from provider docker: {\"http\":{\"routers\":{\"whoami\":{\"middlewares\":[\"authme\"],\"service\":\"whoami-authelia\",\"rule\":\"Host(`example.com`)\"}},\"m
iddlewares\":{\"authme\":{\"forwardAuth\":{\"address\":\"http://authelia:9091\",\"trustForwardHeader\":true,\"authResponseHeaders\":[\"X-Forwarded-User\"]}}},\"services\":{\"whoami-authelia\":{\"loadBalancer\":{\"servers\":[{\"url\":\"http
://172.24.0.2:80\"}],\"passHostHeader\":true}}}},\"tcp\":{}}" providerName=docker
traefik_1   | time="2019-10-08T15:51:44Z" level=debug msg="Provider event received {Status:start ID:55913c6526b2e23dd9de8856c1bb6c2c791fb7dd834491102209b9d386f1a56d From:clems4ever/authelia:v3.15.0 Type:container Action:start Actor:{ID:559
13c6526b2e23dd9de8856c1bb6c2c791fb7dd834491102209b9d386f1a56d Attributes:map[com.docker.compose.config-hash:04742b99e76f06141f2f9a8adfff8e336411f6ab94bcd8701b3d146653066005 com.docker.compose.container-number:1 com.docker.compose.oneoff:False com.docker.compose.project:authelia com.docker.compose.service:authelia com.docker.compose.version:1.24.1 image:clems4ever/authelia:v3.15.0 name:authelia traefik.enable:true traefik.http.routers.auth.entrypoints:web traefik.http.routers.auth.rule:Host(`auth.example.com`) traefik.http.services.auth.loadBalancer.server.port::9091]} Scope:local Time:1570549904 TimeNano:1570549904241470125}" providerName=docker                                                                traefik_1   | time="2019-10-08T15:51:44Z" level=debug msg="Filtering disabled container" providerName=docker container=traefik-authelia-74a646ecc808454696f2d749ea59a1e38db53c4b3c5cc0e6a49e96791a445928                                       traefik_1   | time="2019-10-08T15:51:44Z" level=debug msg="Configuration received from provider docker: {\"http\":{\"routers\":{\"auth\":{\"entryPoints\":[\"web\"],\"service\":\"auth\",\"rule\":\"Host(`auth.example.com`)\"},\"whoami\":{\"m
iddlewares\":[\"authme\"],\"service\":\"whoami-authelia\",\"rule\":\"Host(`example.com`)\"}},\"middlewares\":{\"authme\":{\"forwardAuth\":{\"address\":\"http://authelia:9091\",\"trustForwardHeader\":true,\"authResponseHeaders\":[\"X-Forwarded-User\"]}}},\"services\":{\"auth\":{\"loadBalancer\":{\"servers\":[{\"url\":\"http://172.24.0.4::9091\"}],\"passHostHeader\":true}},\"whoami-authelia\":{\"loadBalancer\":{\"servers\":[{\"url\":\"http://172.24.0.2:80\"}],\"passHostHeader\":true}}}},\"tcp\":{}}" providerName=docker                                                                                                                                                                                                   traefik_1   | time="2019-10-08T15:51:44Z" level=debug msg="No entryPoint defined for this router, using the default one(s) instead: [websecure traefik web]" routerName=whoami@docker                                                          traefik_1   | time="2019-10-08T15:51:44Z" level=debug msg="Creating middleware" serviceName=auth middlewareName=pipelining middlewareType=Pipelining entryPointName=web routerName=auth@docker
traefik_1   | time="2019-10-08T15:51:44Z" level=debug msg="Creating load-balancer" entryPointName=web routerName=auth@docker serviceName=auth                                                                                                  traefik_1   | time="2019-10-08T15:51:44Z" level=debug msg="Creating server 0 http://172.24.0.4::9091" serviceName=auth serverName=0 entryPointName=web routerName=auth@docker                                                                  traefik_1   | time="2019-10-08T15:51:44Z" level=debug msg="Added outgoing tracing middleware auth" middlewareName=tracing middlewareType=TracingForwarder routerName=auth@docker entryPointName=web                                            traefik_1   | time="2019-10-08T15:51:44Z" level=debug msg="Creating middleware" serviceName=whoami-authelia middlewareName=pipelining middlewareType=Pipelining entryPointName=web routerName=whoami@docker                                    traefik_1   | time="2019-10-08T15:51:44Z" level=debug msg="Creating load-balancer" entryPointName=web routerName=whoami@docker serviceName=whoami-authelia
traefik_1   | time="2019-10-08T15:51:44Z" level=debug msg="Creating server 0 http://172.24.0.2:80" entryPointName=web routerName=whoami@docker serviceName=whoami-authelia serverName=0                                                        traefik_1   | time="2019-10-08T15:51:44Z" level=debug msg="Added outgoing tracing middleware whoami-authelia" entryPointName=web routerName=whoami@docker middlewareName=tracing middlewareType=TracingForwarder                               traefik_1   | time="2019-10-08T15:51:44Z" level=debug msg="Creating middleware" routerName=whoami@docker middlewareType=ForwardedAuthType middlewareName=authme@docker entryPointName=web                                                      traefik_1   | time="2019-10-08T15:51:44Z" level=debug msg="Adding tracing to middleware" routerName=whoami@docker middlewareName=authme@docker entryPointName=web                                                                              traefik_1   | time="2019-10-08T15:51:44Z" level=debug msg="Creating middleware" middlewareType=Recovery entryPointName=web middlewareName=traefik-internal-recovery
traefik_1   | time="2019-10-08T15:51:44Z" level=debug msg="Creating middleware" entryPointName=websecure middlewareName=traefik-internal-recovery middlewareType=Recovery                                                                      traefik_1   | time="2019-10-08T15:51:44Z" level=debug msg="Creating middleware" entryPointName=traefik middlewareName=traefik-internal-recovery middlewareType=Recovery                                                                        traefik_1   | time="2019-10-08T15:51:44Z" level=debug msg="No default certificate, generating one"                                                                                                                                             
traefik_1   | time="2019-10-08T15:51:43Z" level=debug msg="Provider event received {Status:start ID:838d2b6e5221517815d66d929a0cb62cd2e6f8b90f4c9c607dc71f4aba3a1c1c From:containous/whoami Type:container Action:start Actor:{ID:838d2b6e5221517815d66d929a0cb62cd2e6f8b90f4c9c607dc71f4aba3a1c1c Attributes:map[com.docker.compose.config-hash:2244534b4127756dde755dc105967f57aba4af0e93d3537a03a7a8d9b0eca790 com.docker.compose.container-number:1 com.docker.compose.oneoff:False com.docker.compose.project:authelia com.docker.compose.service:whoami com.docker.compose.version:1.24.1 image:containous/whoami name:whoami traefik.enable:true traefik.http.middlewares.authme.forwardauth.address:http://authelia:9091 traefik.http.middlewares.authme.forwardauth.authresponseheaders:X-Forwarded-User traefik.http.middlewares.authme.forwardauth.trustforwardheader:true traefik.http.routers.whoami.middlewares:authme traefik.http.routers.whoami.rule:Host(`example.com`)]} Scope:local Time:1570549903 TimeNano:1570549903145202383}" providerName=docker
traefik_1   | time="2019-10-08T15:51:43Z" level=debug msg="Filtering disabled container" container=traefik-authelia-74a646ecc808454696f2d749ea59a1e38db53c4b3c5cc0e6a49e96791a445928 providerName=docker
traefik_1   | time="2019-10-08T15:51:43Z" level=debug msg="Configuration received from provider docker: {\"http\":{\"routers\":{\"whoami\":{\"middlewares\":[\"authme\"],\"service\":\"whoami-authelia\",\"rule\":\"Host(`example.com`)\"}},\"middlewares\":{\"authme\":{\"forwardAuth\":{\"address\":\"http://authelia:9091\",\"trustForwardHeader\":true,\"authResponseHeaders\":[\"X-Forwarded-User\"]}}},\"services\":{\"whoami-authelia\":{\"loadBalancer\":{\"servers\":[{\"url\":\"http://172.24.0.2:80\"}],\"passHostHeader\":true}}}},\"tcp\":{}}" providerName=docker
traefik_1   | time="2019-10-08T15:51:44Z" level=debug msg="Provider event received {Status:start ID:55913c6526b2e23dd9de8856c1bb6c2c791fb7dd834491102209b9d386f1a56d From:clems4ever/authelia:v3.15.0 Type:container Action:start Actor:{ID:55913c6526b2e23dd9de8856c1bb6c2c791fb7dd834491102209b9d386f1a56d Attributes:map[com.docker.compose.config-hash:04742b99e76f06141f2f9a8adfff8e336411f6ab94bcd8701b3d146653066005 com.docker.compose.container-number:1 com.docker.compose.oneoff:False com.docker.compose.project:authelia com.docker.compose.service:authelia com.docker.compose.version:1.24.1 image:clems4ever/authelia:v3.15.0 name:authelia traefik.enable:true traefik.http.routers.auth.entrypoints:web traefik.http.routers.auth.rule:Host(`auth.example.com`) traefik.http.services.auth.loadBalancer.server.port::9091]} Scope:local Time:1570549904 TimeNano:1570549904241470125}" providerName=docker
traefik_1   | time="2019-10-08T15:51:44Z" level=debug msg="Filtering disabled container" providerName=docker container=traefik-authelia-74a646ecc808454696f2d749ea59a1e38db53c4b3c5cc0e6a49e96791a445928
traefik_1   | time="2019-10-08T15:51:44Z" level=debug msg="Configuration received from provider docker: {\"http\":{\"routers\":{\"auth\":{\"entryPoints\":[\"web\"],\"service\":\"auth\",\"rule\":\"Host(`auth.example.com`)\"},\"whoami\":{\"middlewares\":[\"authme\"],\"service\":\"whoami-authelia\",\"rule\":\"Host(`example.com`)\"}},\"middlewares\":{\"authme\":{\"forwardAuth\":{\"address\":\"http://authelia:9091\",\"trustForwardHeader\":true,\"authResponseHeaders\":[\"X-Forwarded-User\"]}}},\"services\":{\"auth\":{\"loadBalancer\":{\"servers\":[{\"url\":\"http://172.24.0.4::9091\"}],\"passHostHeader\":true}},\"whoami-authelia\":{\"loadBalancer\":{\"servers\":[{\"url\":\"http://172.24.0.2:80\"}],\"passHostHeader\":true}}}},\"tcp\":{}}" providerName=docker
traefik_1   | time="2019-10-08T15:51:44Z" level=debug msg="No entryPoint defined for this router, using the default one(s) instead: [websecure traefik web]" routerName=whoami@docker
traefik_1   | time="2019-10-08T15:51:44Z" level=debug msg="Creating middleware" serviceName=auth middlewareName=pipelining middlewareType=Pipelining entryPointName=web routerName=auth@docker
traefik_1   | time="2019-10-08T15:51:44Z" level=debug msg="Creating load-balancer" entryPointName=web routerName=auth@docker serviceName=auth
traefik_1   | time="2019-10-08T15:51:44Z" level=debug msg="Creating server 0 http://172.24.0.4::9091" serviceName=auth serverName=0 entryPointName=web routerName=auth@docker
traefik_1   | time="2019-10-08T15:51:44Z" level=debug msg="Added outgoing tracing middleware auth" middlewareName=tracing middlewareType=TracingForwarder routerName=auth@docker entryPointName=web
traefik_1   | time="2019-10-08T15:51:44Z" level=debug msg="Creating middleware" serviceName=whoami-authelia middlewareName=pipelining middlewareType=Pipelining entryPointName=web routerName=whoami@docker
traefik_1   | time="2019-10-08T15:51:44Z" level=debug msg="Creating load-balancer" entryPointName=web routerName=whoami@docker serviceName=whoami-authelia
traefik_1   | time="2019-10-08T15:51:44Z" level=debug msg="Creating server 0 http://172.24.0.2:80" entryPointName=web routerName=whoami@docker serviceName=whoami-authelia serverName=0
traefik_1   | time="2019-10-08T15:51:44Z" level=debug msg="Added outgoing tracing middleware whoami-authelia" entryPointName=web routerName=whoami@docker middlewareName=tracing middlewareType=TracingForwarder
traefik_1   | time="2019-10-08T15:51:44Z" level=debug msg="Creating middleware" routerName=whoami@docker middlewareType=ForwardedAuthType middlewareName=authme@docker entryPointName=web
traefik_1   | time="2019-10-08T15:51:44Z" level=debug msg="Adding tracing to middleware" routerName=whoami@docker middlewareName=authme@docker entryPointName=web
traefik_1   | time="2019-10-08T15:51:44Z" level=debug msg="Creating middleware" middlewareType=Recovery entryPointName=web middlewareName=traefik-internal-recovery
traefik_1   | time="2019-10-08T15:51:44Z" level=debug msg="Creating middleware" entryPointName=websecure middlewareName=traefik-internal-recovery middlewareType=Recovery
traefik_1   | time="2019-10-08T15:51:44Z" level=debug msg="Creating middleware" entryPointName=traefik middlewareName=traefik-internal-recovery middlewareType=Recovery
traefik_1   | time="2019-10-08T15:51:44Z" level=debug msg="No default certificate, generating one"
traefik_1   | time="2019-10-08T15:52:22Z" level=debug msg="vulcand/oxy/roundrobin/rr: begin ServeHttp on request" Request="{\"Method\":\"GET\",\"URL\":{\"Scheme\":\"\",\"Opaque\":\"\",\"User\":null,\"Host\":\"\",\"Path\":\"/\",\"RawPath\":\"\",\"ForceQuery\":false,\"RawQuery\":\"\",\"Fragment\":\"\"},\"Proto\":\"HTTP/1.1\",\"ProtoMajor\":1,\"ProtoMinor\":1,\"Header\":{\"Accept\":[\"text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\"],\"Accept-Encoding\":[\"gzip, deflate\"],\"Accept-Language\":[\"en-US,en;q=0.5\"],\"Connection\":[\"keep-alive\"],\"Dnt\":[\"1\"],\"Upgrade-Insecure-Requests\":[\"1\"],\"User-Agent\":[\"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:69.0) Gecko/20100101 Firefox/69.0\"],\"X-Forwarded-Host\":[\"example.com\"],\"X-Forwarded-Port\":[\"80\"],\"X-Forwarded-Proto\":[\"http\"],\"X-Forwarded-Server\":[\"74a646ecc808\"],\"X-Real-Ip\":[\"10.18.26.190\"]},\"ContentLength\":0,\"TransferEncoding\":null,\"Host\":\"example.com\",\"Form\":null,\"PostForm\":null,\"MultipartForm\":null,\"Trailer\":null,\"RemoteAddr\":\"10.18.26.190:54604\",\"RequestURI\":\"/\",\"TLS\":null}"
traefik_1   | time="2019-10-08T15:52:22Z" level=debug msg="vulcand/oxy/roundrobin/rr: Forwarding this request to URL" Request="{\"Method\":\"GET\",\"URL\":{\"Scheme\":\"\",\"Opaque\":\"\",\"User\":null,\"Host\":\"\",\"Path\":\"/\",\"RawPath\":\"\",\"ForceQuery\":false,\"RawQuery\":\"\",\"Fragment\":\"\"},\"Proto\":\"HTTP/1.1\",\"ProtoMajor\":1,\"ProtoMinor\":1,\"Header\":{\"Accept\":[\"text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\"],\"Accept-Encoding\":[\"gzip, deflate\"],\"Accept-Language\":[\"en-US,en;q=0.5\"],\"Connection\":[\"keep-alive\"],\"Dnt\":[\"1\"],\"Upgrade-Insecure-Requests\":[\"1\"],\"User-Agent\":[\"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:69.0) Gecko/20100101 Firefox/69.0\"],\"X-Forwarded-Host\":[\"example.com\"],\"X-Forwarded-Port\":[\"80\"],\"X-Forwarded-Proto\":[\"http\"],\"X-Forwarded-Server\":[\"74a646ecc808\"],\"X-Real-Ip\":[\"10.18.26.190\"]},\"ContentLength\":0,\"TransferEncoding\":null,\"Host\":\"example.com\",\"Form\":null,\"PostForm\":null,\"MultipartForm\":null,\"Trailer\":null,\"RemoteAddr\":\"10.18.26.190:54604\",\"RequestURI\":\"/\",\"TLS\":null}" ForwardURL="http://172.24.0.2:80"
traefik_1   | time="2019-10-08T15:52:22Z" level=debug msg="vulcand/oxy/roundrobin/rr: completed ServeHttp on request" Request="{\"Method\":\"GET\",\"URL\":{\"Scheme\":\"\",\"Opaque\":\"\",\"User\":null,\"Host\":\"\",\"Path\":\"/\",\"RawPath\":\"\",\"ForceQuery\":false,\"RawQuery\":\"\",\"Fragment\":\"\"},\"Proto\":\"HTTP/1.1\",\"ProtoMajor\":1,\"ProtoMinor\":1,\"Header\":{\"Accept\":[\"text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\"],\"Accept-Encoding\":[\"gzip, deflate\"],\"Accept-Language\":[\"en-US,en;q=0.5\"],\"Connection\":[\"keep-alive\"],\"Dnt\":[\"1\"],\"Upgrade-Insecure-Requests\":[\"1\"],\"User-Agent\":[\"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:69.0) Gecko/20100101 Firefox/69.0\"],\"X-Forwarded-Host\":[\"example.com\"],\"X-Forwarded-Port\":[\"80\"],\"X-Forwarded-Proto\":[\"http\"],\"X-Forwarded-Server\":[\"74a646ecc808\"],\"X-Real-Ip\":[\"10.18.26.190\"]},\"ContentLength\":0,\"TransferEncoding\":null,\"Host\":\"example.com\",\"Form\":null,\"PostForm\":null,\"MultipartForm\":null,\"Trailer\":null,\"RemoteAddr\":\"10.18.26.190:54604\",\"RequestURI\":\"/\",\"TLS\":null}"
traefik_1   | time="2019-10-08T15:52:22Z" level=debug msg="vulcand/oxy/roundrobin/rr: begin ServeHttp on request" Request="{\"Method\":\"GET\",\"URL\":{\"Scheme\":\"\",\"Opaque\":\"\",\"User\":null,\"Host\":\"\",\"Path\":\"/favicon.ico\",\"RawPath\":\"\",\"ForceQuery\":false,\"RawQuery\":\"\",\"Fragment\":\"\"},\"Proto\":\"HTTP/1.1\",\"ProtoMajor\":1,\"ProtoMinor\":1,\"Header\":{\"Accept\":[\"image/webp,*/*\"],\"Accept-Encoding\":[\"gzip, deflate\"],\"Accept-Language\":[\"en-US,en;q=0.5\"],\"Connection\":[\"keep-alive\"],\"Dnt\":[\"1\"],\"User-Agent\":[\"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:69.0) Gecko/20100101 Firefox/69.0\"],\"X-Forwarded-Host\":[\"example.com\"],\"X-Forwarded-Port\":[\"80\"],\"X-Forwarded-Proto\":[\"http\"],\"X-Forwarded-Server\":[\"74a646ecc808\"],\"X-Real-Ip\":[\"10.18.26.190\"]},\"ContentLength\":0,\"TransferEncoding\":null,\"Host\":\"example.com\",\"Form\":null,\"PostForm\":null,\"MultipartForm\":null,\"Trailer\":null,\"RemoteAddr\":\"10.18.26.190:54604\",\"RequestURI\":\"/favicon.ico\",\"TLS\":null}"
traefik_1   | time="2019-10-08T15:52:22Z" level=debug msg="vulcand/oxy/roundrobin/rr: Forwarding this request to URL" Request="{\"Method\":\"GET\",\"URL\":{\"Scheme\":\"\",\"Opaque\":\"\",\"User\":null,\"Host\":\"\",\"Path\":\"/favicon.ico\",\"RawPath\":\"\",\"ForceQuery\":false,\"RawQuery\":\"\",\"Fragment\":\"\"},\"Proto\":\"HTTP/1.1\",\"ProtoMajor\":1,\"ProtoMinor\":1,\"Header\":{\"Accept\":[\"image/webp,*/*\"],\"Accept-Encoding\":[\"gzip, deflate\"],\"Accept-Language\":[\"en-US,en;q=0.5\"],\"Connection\":[\"keep-alive\"],\"Dnt\":[\"1\"],\"User-Agent\":[\"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:69.0) Gecko/20100101 Firefox/69.0\"],\"X-Forwarded-Host\":[\"example.com\"],\"X-Forwarded-Port\":[\"80\"],\"X-Forwarded-Proto\":[\"http\"],\"X-Forwarded-Server\":[\"74a646ecc808\"],\"X-Real-Ip\":[\"10.18.26.190\"]},\"ContentLength\":0,\"TransferEncoding\":null,\"Host\":\"example.com\",\"Form\":null,\"PostForm\":null,\"MultipartForm\":null,\"Trailer\":null,\"RemoteAddr\":\"10.18.26.190:54604\",\"RequestURI\":\"/favicon.ico\",\"TLS\":null}" ForwardURL="http://172.24.0.2:80"
traefik_1   | time="2019-10-08T15:52:22Z" level=debug msg="vulcand/oxy/roundrobin/rr: completed ServeHttp on request" Request="{\"Method\":\"GET\",\"URL\":{\"Scheme\":\"\",\"Opaque\":\"\",\"User\":null,\"Host\":\"\",\"Path\":\"/favicon.ico\",\"RawPath\":\"\",\"ForceQuery\":false,\"RawQuery\":\"\",\"Fragment\":\"\"},\"Proto\":\"HTTP/1.1\",\"ProtoMajor\":1,\"ProtoMinor\":1,\"Header\":{\"Accept\":[\"image/webp,*/*\"],\"Accept-Encoding\":[\"gzip, deflate\"],\"Accept-Language\":[\"en-US,en;q=0.5\"],\"Connection\":[\"keep-alive\"],\"Dnt\":[\"1\"],\"User-Agent\":[\"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:69.0) Gecko/20100101 Firefox/69.0\"],\"X-Forwarded-Host\":[\"example.com\"],\"X-Forwarded-Port\":[\"80\"],\"X-Forwarded-Proto\":[\"http\"],\"X-Forwarded-Server\":[\"74a646ecc808\"],\"X-Real-Ip\":[\"10.18.26.190\"]},\"ContentLength\":0,\"TransferEncoding\":null,\"Host\":\"example.com\",\"Form\":null,\"PostForm\":null,\"MultipartForm\":null,\"Trailer\":null,\"RemoteAddr\":\"10.18.26.190:54604\",\"RequestURI\":\"/favicon.ico\",\"TLS\":null}"

mel · October 10, 2019, 2:28am

What is the reason to have a loadbalancer in this case?

CVJoint · October 10, 2019, 1:36pm

This is how you define the port that Traefik will direct the request to. By having one, all traffic is sent to that "load balancer", but if you have more than one you get the load balancing function.

Topic		Replies	Views
ForwardAuth on Docker Traefik v2 middleware	0	437	June 20, 2020
Middlewares on all routers but one Traefik v2 middleware	2	1397	May 5, 2020
Forwardauth to Authelia for dynamic file Traefik v2 docker , middleware	1	387	February 13, 2023
Forward auth doesn't redirect back Traefik v2 docker , middleware	1	1016	December 9, 2021
How to implement a forwardAuth service with traefik2 Traefik v2 docker-swarm	2	2223	September 3, 2020

Traefik 2.0 middleware does not apply

Related topics