Unable to connect to service using application digest auth

I am having trouble connecting to a service that uses digest auth (not the Traefik digest auth middleware).

I am running a database that exposes a REST API on a particular port. I was able to get Traefik and the database running in docker swarm. However, I am running into difficulty using both a PathPrefix rule and digest auth.

Here's the situation:

  • If I set the router rule to PathPrefix(`/`) and don't use the StripPrefix middleware, I can use either digest auth or basic auth; of course, I don't want to use that path.
  • If I set the rule to be PathPrefix(`/some/path`) and don't strip the prefix, I can use digest auth but the response is a 404 (the path points to some endpoint that doesn't exist).
  • If I set the rule to be PathPrefix(`/some/path`) and strip the prefix, only basic auth works.

Here is some curl output (some info redacted):

curl -v -u admin:password --digest localhost/some/path/additional/path/required/by/api

*   Trying ::1...
* TCP_NODELAY set
* Connected to localhost (::1) port 80 (#0)
* Server auth using Digest with user 'admin'
> GET /some/path/additional/path/required/by/api HTTP/1.1
> Host: localhost
> User-Agent: curl/7.54.0
> Accept: */*
> 
< HTTP/1.1 401 Unauthorized
< Content-Length: 104
< Content-Type: application/json; charset=utf-8
< Server: Database
< Www-Authenticate: Digest realm="public", qop="auth", nonce="384...g==", opaque="bef...c7b"
< Date: Wed, 18 Mar 2020 00:24:31 GMT
< 
* Ignoring the response-body
* Connection #0 to host localhost left intact
* Issue another request to this URL: 'http://localhost/some/path/additional/path/required/by/api'
* Found bundle for host localhost: 0x7f8e68d1c0b0 [can pipeline]
* Re-using existing connection! (#0) with host localhost
* Connected to localhost (::1) port 80 (#0)
* Server auth using Digest with user 'admin'
> GET /some/path/additional/path/required/by/api HTTP/1.1
> Host: localhost
> Authorization: Digest username="admin", realm="public", nonce="384...g==", uri="/some/path/additional/path/required/by/api", cnonce="MGZ...zc=", nc=00000001, qop=auth, response="3c4...8a7", opaque="bef...c7b"
> User-Agent: curl/7.54.0
> Accept: */*
> 
< HTTP/1.1 401 Unauthorized
< Content-Length: 104
< Content-Type: application/json; charset=utf-8
< Server: Database
* Authentication problem. Ignoring this.
< Www-Authenticate: Digest realm="public", qop="auth", nonce="384...g==", opaque="c43...da7"
< Date: Wed, 18 Mar 2020 00:24:31 GMT
< 
{"errorResponse":   {"statusCode":401,
   "status":"Unauthorized",
   "message":"401 Unauthorized"
  }
* Connection #0 to host localhost left intact
}%

I suspect that the value of uri in the Authorization header passed back by the REST API has something to do with it? Since it has the /some/path prefix in it, even though it should have been stripped out by the middleware? Not really sure.

Here are the labels in the deploy section of the service:

- traefik.enable=true
- traefik.docker.network=stackname_proxy
- traefik.http.routers.database.entrypoints=web
- traefik.http.routers.database.rule=PathPrefix(`/some/path`)
- traefik.http.routers.database.middlewares=database
- traefik.http.middlewares.database.stripprefix.prefixes=/some/path
- traefik.http.services.database.loadbalancer.server.port=1234

I would really like to use digest auth if at all possible. There's an application that connects to the database that uses digest auth, and it would be very difficult to change.

Does anyone have any knowledge/insight for me? Thanks!