Websocket messages are not routed through forward-auth

I have a websocket server behind traefik with forward-auth (mesosphere/traefik-forward-auth).
The websocket server is an embedded tomcat which serves a custom implementation of a guacamole websocket connection ( guacamole
It does basically work.

When I initiate a websocket connection from my client (a website also behind forward-auth), I can initiate the handshake if I'm already logged in; otherwise I get a 302, which I currently can't handle.
But that's another problem. I just mentioned it in case it might be connected to my issue.

The real problem occurs when I do the following:

  • successfully establish a websocket connection
  • send messages
  • log out the user (in another window, so the page where I opened the websocket connection doesn't get redirected)

The websocket continues to happily send (and receive!) messages.
It seems that the initial http request for the handshake does successfully get routed to forward-auth, but the actual websocket messages are not.
They are sent through traefik itself, because if I remove traefik from my k8s cluster, the messages fail.

Is that expected behavior or am I missing something?

My config looks like this:

Middleware

apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
   name: forward-auth
   namespace: dev
   labels:
      ingressclass: traefik-dev
spec:
   forwardAuth:
      address: http://traefik-forward-auth:4181
      trustForwardHeader: true
      authResponseHeaders:
         - X-Forwarded-JWT
         - X-Forwarded-User
         - X-Auth-User

Ingress

apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
   name: websocket-ingress
   namespace: dev
   labels:
      ingressclass: traefik-dev
spec:
   entryPoints:
      - customEntryPoint
   routes:
      - match: PathPrefix(`/websocket`)
        kind: Rule
        middlewares:
           - name: forward-auth
        services:
           - name: websocket-service
             port: 8080

customEntryPoint

customEntryPoint:
   port: 8080
   nodePort: 31808
   expose: true
   forwardedHeaders:
      insecure: true

IMHO that is expected. ForwardAuth runs before the request, but the WebSocket is a continuous open request, so it will not go through ForwardAuth on every message within the WebSocket connection.

Thanks, I wasn't able to find anything on the internet.

Do you maybe have a link/source?

The ForwardAuth middleware delegates authentication to an external service. If the service answers with a 2XX code, access is granted, and the original request is performed.

Source: Traefik Doc

WebSocket is a computer communications protocol, providing simultaneous two-way communication channels over a single Transmission Control Protocol (TCP) connection.

To achieve compatibility, the WebSocket handshake uses the HTTP Upgrade header to change from the HTTP protocol to the WebSocket protocol.

In this way, a two-way ongoing conversation can take place between the client and the server.

Source: Wikipedia
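
Since ForwardAuth only sees the HTTP handshake, a session check for an already-open WebSocket has to run in the backend. The following is an added example, not code from this thread, Traefik or traefik-forward-auth: it re-validates the handshake's credentials on a timer and closes the connection once they are rejected. The names `forward_auth_ok`, `SessionGuard` and `relay` are hypothetical, and it assumes the auth service stops answering 2xx for those credentials after logout.

```python
import time
import urllib.error
import urllib.request

WS_POLICY_VIOLATION = 1008  # RFC 6455 close code for a policy violation

class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, *args, **kwargs):
        return None  # a 302/307 to the login page then surfaces as HTTPError

def forward_auth_ok(auth_url, handshake_headers, timeout=2.0):
    """Replay the handshake's headers (Cookie, X-Forwarded-*) to the auth
    service; True only on a 2xx answer, the rule ForwardAuth itself applies."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(auth_url, headers=handshake_headers)
    try:
        with opener.open(req, timeout=timeout) as resp:
            return 200 <= resp.status < 300
    except (urllib.error.URLError, OSError):
        return False  # fail closed on redirects, 4xx/5xx and network errors

class SessionGuard:
    """Caches one positive check for `recheck_every` seconds per connection."""
    def __init__(self, check, recheck_every=30.0, clock=time.monotonic):
        self._check, self._every, self._clock = check, recheck_every, clock
        # The proxy authorised the handshake just before this object is built.
        self._valid_until = clock() + recheck_every
        self.revoked = False

    def allow(self):
        if self.revoked:
            return False  # a revoked connection never becomes valid again
        now = self._clock()
        if now >= self._valid_until:
            if self._check():
                self._valid_until = now + self._every
            else:
                self.revoked = True
        return not self.revoked

def relay(guard, frames, send, close):
    """Forward frames until the session check fails, then close with 1008."""
    for frame in frames:
        if not guard.allow():
            close(WS_POLICY_VIOLATION, "session no longer valid")
            return False
        send(frame)
    return True
```

In a real backend the `check` callable would wrap `forward_auth_ok` with the address from the Middleware above and the headers captured at the handshake; traffic can still flow for up to `recheck_every` seconds after logout.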