Traefik Forwardauth - authResponseHeader is not being sent on POST Request

Traefik Traefik v2
,
1

Ive been banging my head against an auth issue. I am using Traefik + traefik-forward-auth + Keycloak.

traefik-forward-auth populates the following header "X-Forwarded-User". This header is appearing in the logs with the correct value while creating the route to the service. It also gets shown on whoami.

traefik-forward-auth:
    image: ghcr.io/jordemort/traefik-forward-auth:latest
    container_name: traefik-forward-auth
    restart: unless-stopped
     ......
    environment:
     ......
    volumes:
      - ./traefik-fwa-config.ini:/config/traefik-fwa-config.ini
    labels:
      - "traefik.enable=true"
      - "traefik.http.middlewares.traefik-forward-auth.forwardauth.address=http://traefik-forward-auth:4181"
      - "traefik.http.middlewares.traefik-forward-auth.forwardauth.authResponseHeaders=X-Forwarded-User"
      - "traefik.http.middlewares.traefik-forward-auth.forwardauth.trustForwardHeader=true"
      - "traefik.http.services.traefik-forward-auth.loadbalancer.server.port=4181"
      - "traefik.http.routers.traefik-forward-auth.entrypoints=websecure"
      - "traefik.http.routers.traefik-forward-auth.rule=Host(`.....`)"
      - "traefik.http.routers.traefik-forward-auth.tls.certresolver=cert"

whoami:
    image: containous/whoami
    container_name: whoami
    restart: unless-stopped
    networks:
      Media:
        ipv4_address: ......
    labels:
      - "traefik.enable=true"
      - "traefik.http.services.whoami.loadbalancer.server.port=80"
      - "traefik.http.routers.whoami.rule=Host(`......`)"
      - "traefik.http.routers.whoami.entrypoints=websecure"
      - "traefik.http.routers.whoami.tls.certresolver=cert"
      - "traefik.http.routers.whoami.middlewares=traefik-forward-auth"

The Service im trying to use this auth on is GitHub - causefx/Organizr: HTPC/Homelab Services Organizer - Written in PHP
Logs on this Service show "Header not set". The default traefik X-Forwarded- Headers all get properly populated and the Proxy auth is confirmed working using one of those Headers.

If i make a direct call to organizr api using curl inside the docker container with the X-Forwarded-User the auth goes through. Even a direct call to the api from the browser javacript console is working.

TL.DR Somewhere along the way traefik drops the forwarded header.

I even tried the following commands:

#- "--entryPoints.web.forwardedHeaders.trustedIPs=0.0.0.0/0"
#- "--entryPoints.web.forwardedHeaders.insecure=true"
#- "--entryPoints.websecure.forwardedHeaders.trustedIPs=0.0.0.0/0"
#- "--entryPoints.websecure.forwardedHeaders.insecure=true"

No dice.

Traefik log snippet (GET Request)

{
  "ClientAddr": "*********",
  "ClientHost": "************",
  "ClientPort": "58782",
  "ClientUsername": "-",
  "DownstreamContentSize": 21,
  "DownstreamStatus": 499,
  "Duration": 1522212,
  "OriginContentSize": 21,
  "OriginDuration": 1408610,
  "OriginStatus": 499,
  "Overhead": 113602,
  "RequestAddr": "**********",
  "RequestContentSize": 0,
  "RequestCount": 158,
  "RequestHost": "**************",
  "RequestMethod": "GET",
  "RequestPath": "/plugins/images/tabs/plex.png",
  "RequestPort": "-",
  "RequestProtocol": "HTTP/2.0",
  "RequestScheme": "https",
  "RetryAttempts": 0,
  "RouterName": "organizr@docker",
  "ServiceAddr": "**********",
  "ServiceName": "organizr@docker",
  "ServiceURL": {
    "Scheme": "http",
    "Opaque": "",
    "User": null,
    "Host": "*********",
    "Path": "",
    "RawPath": "",
    "OmitHost": false,
    "ForceQuery": false,
    "RawQuery": "",
    "Fragment": "",
    "RawFragment": ""
  },
  "StartLocal": "2023-06-26T20:55:22.80216073+02:00",
  "StartUTC": "2023-06-26T18:55:22.80216073Z",
  "TLSCipher": "TLS_AES_128_GCM_SHA256",
  "TLSVersion": "1.3",
  "entryPointName": "websecure",
  "level": "info",
  "msg": "",
  "request_Accept": "image/avif,image/webp,*/*",
  "request_Accept-Encoding": "gzip, deflate, br",
  "request_Accept-Language": "de,en-US;q=0.7,en;q=0.3",
  "request_Cookie": "***********************",
  "request_Sec-Fetch-Dest": "image",
  "request_Sec-Fetch-Mode": "no-cors",
  "request_Sec-Fetch-Site": "same-origin",
  "request_Te": "trailers",
  "request_User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0",
  "request_X-Forwarded-Host": "************",
  "request_X-Forwarded-Port": "443",
  "request_X-Forwarded-Proto": "https",
  "request_X-Forwarded-Server": "b63dabc28625",
  "request_X-Forwarded-User": "******",
  "request_X-Real-Ip": "*********",
  "time": "2023-06-26T20:55:22+02:00"
}

Treafik Log Snippet (POST Request) This is the one where im supposed to be logged in. Header is missing tho.

{
  "ClientAddr": "",
  "ClientHost": "",
  "ClientPort": "50203",
  "ClientUsername": "-",
  "DownstreamContentSize": 124,
  "DownstreamStatus": 401,
  "Duration": 71439408,
  "OriginContentSize": 124,
  "OriginDuration": 71317622,
  "OriginStatus": 401,
  "Overhead": 121786,
  "RequestAddr": "",
  "RequestContentSize": 0,
  "RequestCount": 1951,
  "RequestHost": "",
  "RequestMethod": "POST",
  "RequestPath": "/api/v2/login",
  "RequestPort": "-",
  "RequestProtocol": "HTTP/2.0",
  "RequestScheme": "https",
  "RetryAttempts": 0,
  "RouterName": "organizr@docker",
  "ServiceAddr": "172.20.1.7:80",
  "ServiceName": "organizr@docker",
  "ServiceURL": {
    "Scheme": "http",
    "Opaque": "",
    "User": null,
    "Host": "",
    "Path": "",
    "RawPath": "",
    "OmitHost": false,
    "ForceQuery": false,
    "RawQuery": "",
    "Fragment": "",
    "RawFragment": ""
  },
  "StartLocal": "2023-06-27T10:21:56.861473224+02:00",
  "StartUTC": "2023-06-27T08:21:56.861473224Z",
  "TLSCipher": "TLS_AES_128_GCM_SHA256",
  "TLSVersion": "1.3",
  "downstream_Content-Type": "application/json;charset=UTF-8",
  "downstream_Date": "Tue, 27 Jun 2023 08:21:56 GMT",
  "downstream_Server": "nginx",
  "entryPointName": "websecure",
  "level": "info",
  "msg": "",
  "origin_Content-Type": "application/json;charset=UTF-8",
  "origin_Date": "Tue, 27 Jun 2023 08:21:56 GMT",
  "origin_Server": "nginx",
  "request_Accept": "*/*",
  "request_Accept-Encoding": "gzip, deflate, br",
  "request_Accept-Language": "de,en-US;q=0.7,en;q=0.3",
  "request_Content-Length": "0",
  "request_Cookie": "",
  "request_Formkey": "",
  "request_Origin": "",
  "request_Referer": "",
  "request_Sec-Fetch-Dest": "empty",
  "request_Sec-Fetch-Mode": "cors",
  "request_Sec-Fetch-Site": "same-origin",
  "request_Te": "trailers",
  "request_Token": "null",
  "request_User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0",
  "request_X-Forwarded-Host": "",
  "request_X-Forwarded-Port": "443",
  "request_X-Forwarded-Proto": "https",
  "request_X-Forwarded-Server": "b63dabc28625",
  "request_X-Real-Ip": "",
  "request_X-Requested-With": "XMLHttpRequest",
  "time": "2023-06-27T10:21:56+02:00"
}

Browser Network traffic shows a 401 on a POST Request to the login api, the Request header does not have "X-Forwarded-User".

So my best guess is somewhere between loading the initial page and sending that post request the forwarded header gets lost.

Help is gladly appreciated, because i really cant wrap my head around this. Thank you