Traefik with instant 401 error when using middleware with error pages

Traefik Traefik v3 (latest)
,
1

Maybe someone know solution to use this repo https://github.com/tarampampam/error-pages with traefik in 100% work. Because it works in my setup for 403, 404, but if i have in my middlewares setup basicAuth then i can't get popup window for login but immediately jumps to error page 401 from this repo.
This is my basic setup and if i push at the end error-pages-middleware then popup window will show to login, but of course our goal is after bad auth we get nice looking erorr pages than default from traefik.

Is there some solution to wait for popup window or it's impossible?

services:
  error-pages:
    image: ghcr.io/tarampampam/error-pages:3.7
    container_name: catch-all-error-pages
    environment:
      - TEMPLATE_NAME=ghost #templates
    networks:
      - proxy
    labels:
      - traefik.enable=true
      - traefik.http.routers.error-pages-router.rule=HostRegexp(`.+`)
      - traefik.http.routers.error-pages-router.priority=1
      - traefik.http.routers.error-pages-router.middlewares=error-pages-middleware
  
      - traefik.http.middlewares.error-pages-middleware.errors.status=400-599
      - traefik.http.middlewares.error-pages-middleware.errors.query=/{status}.html
      - traefik.http.middlewares.error-pages-middleware.errors.service=error-pages-service

      - traefik.http.services.error-pages-service.loadbalancer.server.port=8080

networks:
  proxy:
    external: true

Traefik:

 services:
  traefik:
    image: traefik:v3.5
    container_name: traefik
    security_opt:
      - no-new-privileges:true
    networks:
      - proxy
    ports:
      - "80:80"
      - "443:443"
      - "7080:8080"
    environment:
      - CF_DNS_API_TOKEN=${CF_DNS_API_TOKEN}
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - /home/ubuntu/projects/traefik/traefik.yaml:/traefik.yaml:ro
      - /home/data/certs:/var/traefik/certs:rw
      - /home/ubuntu/projects/traefik/dynamic_conf.yml:/dynamic_conf.yml:ro
    restart: unless-stopped
    labels:
      - traefik.enable=true 
      - traefik.http.routers.traefik-https.middlewares=error-pages-middleware,admin-ipwhitelist@file,admin-auth@file
  
      - traefik.http.routers.traefik-https.rule=Host(`traefik-dashboard.randomdomain.com`)

      - traefik.http.routers.traefik-https.service=api@internal

networks:
    proxy:
      external: true
2

Why not simply remove error status 401 from config, you can specify the used ones (doc)

# Dynamic Custom Error Page for 5XX Status Code
labels:
  - "traefik.http.middlewares.test-errors.errors.status=500,501,503,505-599"
  - "traefik.http.middlewares.test-errors.errors.service=error-handler-service"
  - "traefik.http.middlewares.test-errors.errors.query=/{status}.html"
3

Yep i know i can skip 401 for error pages, but i use error pages to have nice looking error pages not standart from traefik. And that why i asked this question if there is some option to wait for auth window and then get 401 if failed.

4

No, I don't think that is possible.

When a page is requested and needs auth, the server will always return 401.

From Wikipedia:

401 Unauthorized
Similar to 403 Forbidden, but specifically for use when authentication is required and has failed or has not yet been provided. The response must include a WWW-Authenticate header field containing a challenge applicable to the requested resource. See Basic access authentication and Digest access authentication. 401 semantically means "unauthenticated", the user does not have valid authentication credentials for the target resource.

5

And with traefik we can somehow modify 401 page so maybe not use other middlewares like error-pages but somehow default setup page for 401 which traefik will display? Or we don’t have access to it?

6

I don’t understand what you are trying to achieve. 401 means that the browser should open a user/pass dialog, but the page is usually not displayed, browser stays on last page.

If you want a different page for 401, you can create a custom 401.html. That could include a http-equiv redirect html header and JS redirect, if you want to sent the user to a different page.

7

I mean if i cancel my popup window without error pages container (for fancy errors.html) then i got simply unauthorized text and that’s all. So that’s why i ask how to get other solution to this if we get 401 → go to this error page (because for other erros, this github repo work perfectly fine). Or maybe even redirect to this error container that we wanna 401.html But idk if i need config traefik modify for it or next container to handle it?

8

I just discovered the same thing. The scenario is similar. I don't think there's any way to fix this right now, other than disabling 401 response modification. Traefik needs to work on this.

9

I think you need to work on your understanding how HTTP protocol works :wink:

Also note that it’s an external plugin, providing the functionality.

10

I think you don’t know how this error repo works with traefik too :smiley: so yes the easiest solution is to exclude 401 and create own custom 401 for traeifik as simply html page.