Traefik v2.x force forwardauth for all

Hi
I used to work with Traefik 1.x and succeeded in routing every request to my authenticator service by adding a setting to the configmap (see below my cm of v1.0).
Now, I am on Traefik 2.x and I want to force the Traefik controller to route every request to my authenticator service but didn't find a way.
I tried to add a middleware where Traefik is running, but without success.

Can anyone elaborate on what I need to configure in my Traefik v2.0 so that forwardauth will work for my running services?

Thx


apiVersion: v1
data:
  traefik.toml: |
    # traefik.toml
    logLevel = "info"
    defaultEntryPoints = ["http","https"]
    [entryPoints]
      [entryPoints.http]
      address = ":80"
      compress = true
        [entryPoints.http.auth.forward]
        address = "http://my-url-to-the-service"
        trustForwardHeader = true
        [entryPoints.http.redirect]
          regex = "^http://(.*)"
          replacement = "https://$1"
      [entryPoints.https]
      address = ":443"
      compress = true
        [entryPoints.https.auth.forward]
        address = "http://my-url-to-the-service"
        trustForwardHeader = true
        [entryPoints.https.tls]
          minVersion = "VersionTLS12"
          [[entryPoints.https.tls.certificates]]
          CertFile = "/ssl/tls.crt"
          KeyFile = "/ssl/tls.key"
      [entryPoints.prometheus]
      address = ":9100"
    [ping]
    entryPoint = "http"
    [kubernetes]
      [kubernetes.ingressEndpoint]
      publishedService = "kube-system/traefik"
    [traefikLog]
      format = "json"
    [metrics]
      [metrics.prometheus]
        entryPoint = "prometheus"

kind: ConfigMap
metadata:
  labels:
    app: traefik
    app.kubernetes.io/managed-by: Helm
    chart: traefik-1.81.0
    heritage: Helm
    release: traefik
  managedFields:
  - apiVersion: v
  name: traefik
  namespace: kube-system
  resourceVersion: "1910"
  selfLink: /api/v1/namespaces/kube-system/configmaps/traefik

Hello @demigo,

Thanks for your interest in Traefik,

To route every request to an authentication service (with the forward auth middleware) you can leverage EntryPoints middlewares as explained in the documentation. Those middlewares will be prepended to the list of middlewares of each router attached to the EntryPoint.

This means that even if a router does not configure the forward auth middleware it will be applied by default.

Hope this helps!

Hi
Thx for your answer. I succeeded in sending my request to the auth service by creating a forwardauth middleware and adding an annotation to my ingress or using it in ingressroutes.

I guess there is a better way, as you explained regarding entrypoints, so I will not need to edit every ingress, but I don't understand where in my Traefik (Kubernetes) I need to set it.

Can you point me to the correct resource? Or just give an example?

Thx

Hello @demigo,

Sorry for the late answer,

> I guess there is a better way, as you explained regarding entrypoints, so I will not need to edit every ingress, but I don't understand where in my Traefik (Kubernetes) I need to set it.

The middleware configuration needs to be done in the static configuration as explained in the following documentation.

In Kubernetes, this can be done in the deployment arguments or in the configmap containing the static configuration. If you are using the Traefik Helm chart this should be done through the additionalArguments config option.

Hope this helps!
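
The setup described in the replies above, as an added example that is not part of the original thread or the Traefik project's own files. The middleware name `forward-auth`, its placement in `kube-system`, and the entry point names `web`/`websecure` (the Helm chart defaults) are assumptions; the address is the placeholder from the v1 configmap in the question.

```yaml
# File 1 (dynamic configuration): a ForwardAuth middleware declared as a
# Traefik v2 CRD. Requires the kubernetescrd provider to be enabled.
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: forward-auth          # assumed name
  namespace: kube-system      # assumed namespace
spec:
  forwardAuth:
    # Placeholder taken from the v1 config in the question.
    address: http://my-url-to-the-service
    # The v1 config used trustForwardHeader = true. With true, Traefik
    # passes client-supplied X-Forwarded-* headers to the auth service
    # as-is, so enable it only when a trusted proxy in front of Traefik
    # sets those headers.
    trustForwardHeader: false
---
# File 2 (static configuration): Helm chart values.yaml.
# Middlewares listed on an entry point are prepended to every router
# attached to it, so no per-Ingress annotation is needed.
# Reference format for CRD middlewares: <namespace>-<name>@kubernetescrd
additionalArguments:
  - "--entrypoints.web.http.middlewares=kube-system-forward-auth@kubernetescrd"
  - "--entrypoints.websecure.http.middlewares=kube-system-forward-auth@kubernetescrd"
```

Routers on any entry point not listed in `additionalArguments` are not covered by the middleware, so list every entry point that serves application traffic.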