I have a websocket server behind traefik with forward-auth (mesosphere/traefik-forward-auth).
The websocket server is an embedded tomcat which serves a custom implementation of a guacamole websocket connection ( guacamole
It does basically work.
When I initiate a websocket connection from my client (a website also behind forward-auth), I can initiate the handshake if I'm already logged in otherwise I get a 302 which I currently can't handle.
But that's another problem. I just mentioned it in case it might be connected to my issue.
The real problem occurs when I do the following
- successfully establish a websocket connection
- send messages
- log out the user (in another window, so the page where I opened the websocket connection doesn't get redirected)

The websocket continues to happily send (and receive!) messages.
It seems that the initial HTTP request for the handshake does successfully get routed to forward-auth, but the actual websocket messages are not.
They are sent through traefik itself because if I remove traefik from my k8s cluster, the messages fail.
Is that expected behavior or am I missing something?
My config looks like this
Middleware
```yaml
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: forward-auth
  namespace: dev
  labels:
    ingressclass: traefik-dev
spec:
  forwardAuth:
    address: http://traefik-forward-auth:4181
    trustForwardHeader: true
    authResponseHeaders:
      - X-Forwarded-JWT
      - X-Forwarded-User
      - X-Auth-User
```
Ingress
```yaml
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: websocket-ingress
  namespace: dev
  labels:
    ingressclass: traefik-dev
spec:
  entryPoints:
    - customEntryPoint
  routes:
    - match: PathPrefix(`/websocket`)
      kind: Rule
      middlewares:
        - name: forward-auth
      services:
        - name: websocket-service
          port: 8080
```
customEntryPoint
```yaml
customEntryPoint:
  port: 8080
  nodePort: 31808
  expose: true
  forwardedHeaders:
    insecure: true
```
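
A WebSocket upgrade is a single HTTP request, so a check made on that request is not repeated for the frames that follow it. The sketch below is an added example, not part of the original post or of Traefik or traefik-forward-auth: a language-neutral model of re-checking the session inside the backend for every open socket and closing it once the session is gone. `ReauthRegistry`, `is_session_valid` and the 30-second interval are hypothetical, and it assumes the backend can ask some session store whether the identity from the handshake is still logged in.

```python
import time
from dataclasses import dataclass
from typing import Callable, Dict, List

POLICY_VIOLATION = 1008  # RFC 6455 close code for a policy violation


@dataclass
class TrackedSocket:
    session_id: str                      # identity taken from the authenticated handshake
    close: Callable[[int, str], None]    # closes the underlying websocket
    next_check: float                    # clock value after which validity is re-checked


class ReauthRegistry:
    def __init__(self, is_session_valid, interval=30.0, clock=time.monotonic):
        self._is_valid = is_session_valid  # hypothetical lookup against the session store
        self._interval = interval
        self._clock = clock
        self._sockets: Dict[str, TrackedSocket] = {}

    def register(self, conn_id, session_id, close):
        self._sockets[conn_id] = TrackedSocket(session_id, close, self._clock() + self._interval)

    def _still_valid(self, sock):
        try:
            return bool(self._is_valid(sock.session_id))
        except Exception:
            return False  # fail closed when the session store is unreachable

    def _recheck(self, conn_id):
        sock = self._sockets.get(conn_id)
        if sock is None:
            return False  # unknown or already closed connection
        if self._clock() < sock.next_check:
            return True   # last check is still fresh
        if self._still_valid(sock):
            sock.next_check = self._clock() + self._interval
            return True
        del self._sockets[conn_id]
        sock.close(POLICY_VIOLATION, "session no longer valid")
        return False

    def authorize_message(self, conn_id):
        """Call before relaying each message in either direction."""
        return self._recheck(conn_id)

    def sweep(self) -> List[str]:
        """Call from a timer so idle sockets are closed too; returns closed ids."""
        return [cid for cid in list(self._sockets) if not self._recheck(cid)]
```

The interval bounds how long a socket can outlive a logout; a shorter interval costs more session lookups.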