I am having trouble connecting to a service that uses digest auth (not the Traefik digest auth middleware).
I am running a database that exposes a REST API on a particular port. I was able to get Traefik and the database running in docker swarm. However, I am running into difficulty using both a PathPrefix rule and digest auth.
Here's the situation:
- If I set the router rule to PathPrefix(`/`) and don't use the StripPrefix middleware, I can use either digest auth or basic auth; of course, I don't want to use that path.
- If I set the rule to be PathPrefix(`/some/path`) and don't strip the prefix, I can use digest auth but the response is a 404 (the path points to some endpoint that doesn't exist).
- If I set the rule to be PathPrefix(`/some/path`) and strip the prefix, only basic auth works.
Here is some curl output (some info redacted):
curl -v -u admin:password --digest localhost/some/path/additional/path/required/by/api
* Trying ::1...
* TCP_NODELAY set
* Connected to localhost (::1) port 80 (#0)
* Server auth using Digest with user 'admin'
> GET /some/path/additional/path/required/by/api HTTP/1.1
> Host: localhost
> User-Agent: curl/7.54.0
> Accept: */*
>
< HTTP/1.1 401 Unauthorized
< Content-Length: 104
< Content-Type: application/json; charset=utf-8
< Server: Database
< Www-Authenticate: Digest realm="public", qop="auth", nonce="384...g==", opaque="bef...c7b"
< Date: Wed, 18 Mar 2020 00:24:31 GMT
<
* Ignoring the response-body
* Connection #0 to host localhost left intact
* Issue another request to this URL: 'http://localhost/some/path/additional/path/required/by/api'
* Found bundle for host localhost: 0x7f8e68d1c0b0 [can pipeline]
* Re-using existing connection! (#0) with host localhost
* Connected to localhost (::1) port 80 (#0)
* Server auth using Digest with user 'admin'
> GET /some/path/additional/path/required/by/api HTTP/1.1
> Host: localhost
> Authorization: Digest username="admin", realm="public", nonce="384...g==", uri="/some/path/additional/path/required/by/api", cnonce="MGZ...zc=", nc=00000001, qop=auth, response="3c4...8a7", opaque="bef...c7b"
> User-Agent: curl/7.54.0
> Accept: */*
>
< HTTP/1.1 401 Unauthorized
< Content-Length: 104
< Content-Type: application/json; charset=utf-8
< Server: Database
* Authentication problem. Ignoring this.
< Www-Authenticate: Digest realm="public", qop="auth", nonce="384...g==", opaque="c43...da7"
< Date: Wed, 18 Mar 2020 00:24:31 GMT
<
{"errorResponse": {"statusCode":401,
"status":"Unauthorized",
"message":"401 Unauthorized"
}
* Connection #0 to host localhost left intact
}%
I suspect that the value of uri in the Authorization header passed back by the REST API has something to do with it? Since it has the /some/path prefix in it, even though it should have been stripped out by the middleware? Not really sure.
Here are the labels in the deploy section of the service:
- traefik.enable=true
- traefik.docker.network=stackname_proxy
- traefik.http.routers.database.entrypoints=web
- traefik.http.routers.database.rule=PathPrefix(`/some/path`)
- traefik.http.routers.database.middlewares=database
- traefik.http.middlewares.database.stripprefix.prefixes=/some/path
- traefik.http.services.database.loadbalancer.server.port=1234
I would really like to use digest auth if at all possible. There's an application that connects to the database that uses digest auth, and it would be very difficult to change.
Does anyone have any knowledge/insight for me? Thanks!
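
Added example, not part of the original post: a model of how an RFC 2617 digest (qop=auth, MD5) binds the request path into the response hash, and why a backend that compares the uri directive with the path it actually receives would accept the unstripped request and reject the stripped one. The backend check, strip_prefix, the nonce and the cnonce are assumptions constructed for illustration; the database's real verification logic is not shown on this page.

```python
import hashlib
import hmac

def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()

def digest_response(user, realm, password, method, uri, nonce, nc, cnonce):
    """RFC 2617 'response' value for qop=auth with the default MD5 algorithm."""
    ha1 = md5_hex(f"{user}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")  # the request path is part of the hash
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}")

def client_authorization(user, password, realm, method, uri, nonce):
    """Directives a client such as curl sends; it signs the path it requested."""
    nc, cnonce = "00000001", "constructed-cnonce"
    return {"username": user, "realm": realm, "nonce": nonce, "uri": uri,
            "nc": nc, "cnonce": cnonce,
            "response": digest_response(user, realm, password, method,
                                        uri, nonce, nc, cnonce)}

def strip_prefix(path, prefix):
    """Simplified model of prefix stripping (not Traefik's code)."""
    return (path[len(prefix):] or "/") if path.startswith(prefix) else path

def backend_accepts(auth, method, path_seen, password):
    """Hypothetical backend: the uri directive must equal the path it received,
    and the response hash must verify."""
    if auth["uri"] != path_seen:
        return False
    expected = digest_response(auth["username"], auth["realm"], password, method,
                               auth["uri"], auth["nonce"], auth["nc"], auth["cnonce"])
    return hmac.compare_digest(expected, auth["response"])

# Constructed values; only the paths, user and realm come from the post.
REQUESTED = "/some/path/additional/path/required/by/api"
AUTH = client_authorization("admin", "password", "public", "GET",
                            REQUESTED, "constructed-nonce")

def compare_routes():
    """Return (accepted without stripping, stripped path, accepted after stripping)."""
    forwarded_as_is = backend_accepts(AUTH, "GET", REQUESTED, "password")
    stripped = strip_prefix(REQUESTED, "/some/path")
    forwarded_stripped = backend_accepts(AUTH, "GET", stripped, "password")
    return forwarded_as_is, stripped, forwarded_stripped

if __name__ == "__main__":
    print(compare_routes())
```

Basic auth carries no path in its credential, which is consistent with it surviving the prefix strip in this model.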