I've been banging my head against an auth issue. I am using Traefik + traefik-forward-auth + Keycloak.
traefik-forward-auth populates the following header: "X-Forwarded-User". This header is appearing in the logs with the correct value while creating the route to the service. It also gets shown on whoami.
traefik-forward-auth:
  image: ghcr.io/jordemort/traefik-forward-auth:latest
  container_name: traefik-forward-auth
  restart: unless-stopped
  ......
  environment:
    ......
  volumes:
    - ./traefik-fwa-config.ini:/config/traefik-fwa-config.ini
  labels:
    - "traefik.enable=true"
    - "traefik.http.middlewares.traefik-forward-auth.forwardauth.address=http://traefik-forward-auth:4181"
    - "traefik.http.middlewares.traefik-forward-auth.forwardauth.authResponseHeaders=X-Forwarded-User"
    - "traefik.http.middlewares.traefik-forward-auth.forwardauth.trustForwardHeader=true"
    - "traefik.http.services.traefik-forward-auth.loadbalancer.server.port=4181"
    - "traefik.http.routers.traefik-forward-auth.entrypoints=websecure"
    - "traefik.http.routers.traefik-forward-auth.rule=Host(`.....`)"
    - "traefik.http.routers.traefik-forward-auth.tls.certresolver=cert"
whoami:
  image: containous/whoami
  container_name: whoami
  restart: unless-stopped
  networks:
    Media:
      ipv4_address: ......
  labels:
    - "traefik.enable=true"
    - "traefik.http.services.whoami.loadbalancer.server.port=80"
    - "traefik.http.routers.whoami.rule=Host(`......`)"
    - "traefik.http.routers.whoami.entrypoints=websecure"
    - "traefik.http.routers.whoami.tls.certresolver=cert"
    - "traefik.http.routers.whoami.middlewares=traefik-forward-auth"
The service I'm trying to use this auth on is Organizr (GitHub: causefx/Organizr, HTPC/Homelab Services Organizer, written in PHP).
Logs on this service show "Header not set". The default Traefik X-Forwarded-* headers all get properly populated, and the proxy auth is confirmed working using one of those headers.
If I make a direct call to the Organizr API using curl inside the Docker container with X-Forwarded-User set, the auth goes through. Even a direct call to the API from the browser JavaScript console works.
TL;DR: somewhere along the way Traefik drops the forwarded header.
I even tried the following commands:
#- "--entryPoints.web.forwardedHeaders.trustedIPs=0.0.0.0/0"
#- "--entryPoints.web.forwardedHeaders.insecure=true"
#- "--entryPoints.websecure.forwardedHeaders.trustedIPs=0.0.0.0/0"
#- "--entryPoints.websecure.forwardedHeaders.insecure=true"
No dice.
Traefik log snippet (GET request):
{
"ClientAddr": "*********",
"ClientHost": "************",
"ClientPort": "58782",
"ClientUsername": "-",
"DownstreamContentSize": 21,
"DownstreamStatus": 499,
"Duration": 1522212,
"OriginContentSize": 21,
"OriginDuration": 1408610,
"OriginStatus": 499,
"Overhead": 113602,
"RequestAddr": "**********",
"RequestContentSize": 0,
"RequestCount": 158,
"RequestHost": "**************",
"RequestMethod": "GET",
"RequestPath": "/plugins/images/tabs/plex.png",
"RequestPort": "-",
"RequestProtocol": "HTTP/2.0",
"RequestScheme": "https",
"RetryAttempts": 0,
"RouterName": "organizr@docker",
"ServiceAddr": "**********",
"ServiceName": "organizr@docker",
"ServiceURL": {
"Scheme": "http",
"Opaque": "",
"User": null,
"Host": "*********",
"Path": "",
"RawPath": "",
"OmitHost": false,
"ForceQuery": false,
"RawQuery": "",
"Fragment": "",
"RawFragment": ""
},
"StartLocal": "2023-06-26T20:55:22.80216073+02:00",
"StartUTC": "2023-06-26T18:55:22.80216073Z",
"TLSCipher": "TLS_AES_128_GCM_SHA256",
"TLSVersion": "1.3",
"entryPointName": "websecure",
"level": "info",
"msg": "",
"request_Accept": "image/avif,image/webp,*/*",
"request_Accept-Encoding": "gzip, deflate, br",
"request_Accept-Language": "de,en-US;q=0.7,en;q=0.3",
"request_Cookie": "***********************",
"request_Sec-Fetch-Dest": "image",
"request_Sec-Fetch-Mode": "no-cors",
"request_Sec-Fetch-Site": "same-origin",
"request_Te": "trailers",
"request_User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0",
"request_X-Forwarded-Host": "************",
"request_X-Forwarded-Port": "443",
"request_X-Forwarded-Proto": "https",
"request_X-Forwarded-Server": "b63dabc28625",
"request_X-Forwarded-User": "******",
"request_X-Real-Ip": "*********",
"time": "2023-06-26T20:55:22+02:00"
}
Traefik log snippet (POST request). This is the one where I'm supposed to be logged in. The header is missing, though.
{
"ClientAddr": "",
"ClientHost": "",
"ClientPort": "50203",
"ClientUsername": "-",
"DownstreamContentSize": 124,
"DownstreamStatus": 401,
"Duration": 71439408,
"OriginContentSize": 124,
"OriginDuration": 71317622,
"OriginStatus": 401,
"Overhead": 121786,
"RequestAddr": "",
"RequestContentSize": 0,
"RequestCount": 1951,
"RequestHost": "",
"RequestMethod": "POST",
"RequestPath": "/api/v2/login",
"RequestPort": "-",
"RequestProtocol": "HTTP/2.0",
"RequestScheme": "https",
"RetryAttempts": 0,
"RouterName": "organizr@docker",
"ServiceAddr": "172.20.1.7:80",
"ServiceName": "organizr@docker",
"ServiceURL": {
"Scheme": "http",
"Opaque": "",
"User": null,
"Host": "",
"Path": "",
"RawPath": "",
"OmitHost": false,
"ForceQuery": false,
"RawQuery": "",
"Fragment": "",
"RawFragment": ""
},
"StartLocal": "2023-06-27T10:21:56.861473224+02:00",
"StartUTC": "2023-06-27T08:21:56.861473224Z",
"TLSCipher": "TLS_AES_128_GCM_SHA256",
"TLSVersion": "1.3",
"downstream_Content-Type": "application/json;charset=UTF-8",
"downstream_Date": "Tue, 27 Jun 2023 08:21:56 GMT",
"downstream_Server": "nginx",
"entryPointName": "websecure",
"level": "info",
"msg": "",
"origin_Content-Type": "application/json;charset=UTF-8",
"origin_Date": "Tue, 27 Jun 2023 08:21:56 GMT",
"origin_Server": "nginx",
"request_Accept": "*/*",
"request_Accept-Encoding": "gzip, deflate, br",
"request_Accept-Language": "de,en-US;q=0.7,en;q=0.3",
"request_Content-Length": "0",
"request_Cookie": "",
"request_Formkey": "",
"request_Origin": "",
"request_Referer": "",
"request_Sec-Fetch-Dest": "empty",
"request_Sec-Fetch-Mode": "cors",
"request_Sec-Fetch-Site": "same-origin",
"request_Te": "trailers",
"request_Token": "null",
"request_User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0",
"request_X-Forwarded-Host": "",
"request_X-Forwarded-Port": "443",
"request_X-Forwarded-Proto": "https",
"request_X-Forwarded-Server": "b63dabc28625",
"request_X-Real-Ip": "",
"request_X-Requested-With": "XMLHttpRequest",
"time": "2023-06-27T10:21:56+02:00"
}
Browser network traffic shows a 401 on a POST request to the login API; the request header does not have "X-Forwarded-User".
So my best guess is that somewhere between loading the initial page and sending that POST request, the forwarded header gets lost.
Help is gladly appreciated, because I really can't wrap my head around this. Thank you.
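To make the `forwardauth` / `authResponseHeaders` contract in the compose labels above concrete, here is a small Python model of what the middleware does with the auth server's reply. This is an added illustration written for this post, not Traefik's or traefik-forward-auth's own code: the `toy_auth_server` function, the `_forward_auth` session cookie name, the session table and the user names are all constructed for the example. It models the documented rule: a non-2xx reply from the auth server is returned to the client and the backend is never reached; on a 2xx reply, each header named in `authResponseHeaders` is stripped from the client's request and replaced by whatever the auth server returned for it, so the backend only ever sees a value the auth server vouched for, and sees no header at all when the auth server did not set one.

```python
"""Model of Traefik's forwardAuth handling of authResponseHeaders.

Illustration only (not Traefik code). The session cookie, session table
and user names below are constructed for the example.
"""
from typing import Dict, Iterable, Tuple

Headers = Dict[str, str]

# Constructed session store for the toy auth server: cookie value -> user.
SESSIONS = {"sess-123": "alice"}


def _get(headers: Headers, name: str) -> str:
    """Case-insensitive header lookup; '' when absent."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return ""


def toy_auth_server(request_headers: Headers) -> Tuple[int, Headers]:
    """Stand-in for traefik-forward-auth: 200 plus identity headers when the
    request carries a valid session cookie, 401 otherwise."""
    for part in _get(request_headers, "Cookie").split(";"):
        name, _, value = part.strip().partition("=")
        if name == "_forward_auth" and value in SESSIONS:
            user = SESSIONS[value]
            return 200, {"X-Forwarded-User": user,
                         "X-Forwarded-Email": f"{user}@example.test"}
    return 401, {"Content-Type": "text/plain"}


def forward_auth(request_headers: Headers, auth_status: int,
                 auth_headers: Headers, auth_response_headers: Iterable[str]):
    """Apply the middleware rule to one request.

    Returns {"action": "reject", "status": N} when the auth server answers
    non-2xx, otherwise {"action": "forward", "headers": ...} with the header
    set the backend would receive."""
    if not 200 <= auth_status < 300:
        return {"action": "reject", "status": auth_status}
    forwarded = dict(request_headers)
    for name in auth_response_headers:
        # Drop any client-supplied copy first (case-insensitively), so a
        # spoofed X-Forwarded-User from the client never reaches the backend.
        forwarded = {k: v for k, v in forwarded.items()
                     if k.lower() != name.lower()}
        # Copy the auth server's value only if it actually sent one; if it
        # did not, the backend sees no such header ("Header not set").
        value = _get(auth_headers, name)
        if value:
            forwarded[name] = value
    return {"action": "forward", "headers": forwarded}


def handle(request_headers: Headers,
           auth_response_headers: Iterable[str] = ("X-Forwarded-User",)):
    """Run a request through the toy auth server and then the middleware."""
    status, headers = toy_auth_server(request_headers)
    return forward_auth(request_headers, status, headers, auth_response_headers)


if __name__ == "__main__":
    # Valid session; the client also tries to supply its own identity header.
    print(handle({"Cookie": "_forward_auth=sess-123",
                  "X-Forwarded-User": "mallory"}))
    # No cookie on the request: rejected by the auth server, backend untouched.
    print(handle({"X-Requested-With": "XMLHttpRequest"}))
    # Auth server says 200 but without the header: backend gets none at all.
    print(forward_auth({"X-Forwarded-User": "mallory"}, 200, {},
                       ["X-Forwarded-User"]))
```

Two things the model makes visible: headers the auth server returns but that are not listed in `authResponseHeaders` (here `X-Forwarded-Email`) are never copied to the backend, and a request that reaches the auth server without a valid session is answered by the auth server itself, so a 401 that carries the backend's own `Server` header came from the backend, after the middleware let the request through.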