What does trustForwardHeader do for ForwardAuth and when would we use it?

Hi. I understand that ForwardAuth takes a request and then curries it to a service first, and then if that service returns 200 it will forward the request to the target service, passing forward headers (or not). I am trying to figure out trustForwardHeader and when it would be used.

After quite a lot of digging and manual testing I think I finally found what it does.

When trustForwardHeader is set to false, Traefik doesn't trust the X-Forwarded-* headers when proxying the request to the authentication service.

For example, if you were to make a request to a service using ForwardAuth with trustForwardHeader: false:

$ curl --header "X-Forwarded-For: 1.2.3.4" service.example.com

The configured auth service will only receive the "X-Forwarded-*" headers provided by Traefik.

If you set trustForwardHeader to true, then Traefik will prepend the provided address to the "X-Forwarded-For" header before making the request to the auth service. So it will result in: X-Forwarded-For: 1.2.3.4, a.b.c.d where a.b.c.d is IP address(es) provided by Traefik.

An example in the docs would have been really helpful because it is really not obvious what this property does.

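The two cases described in the answer above, modelled as an added Go example (not part of the original post and not Traefik's own code). The function names, the peer address 203.0.113.7 and the sample request are constructed for illustration; the helpers show why an auth service that makes IP-based decisions should read the entry appended by the proxy, not the leftmost one, which the client can set when trustForwardHeader is true.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"strings"
)

// authRequestXFF models the X-Forwarded-For value the auth service receives,
// following the behaviour described in the post (hypothetical helper).
func authRequestXFF(in *http.Request, trustForwardHeader bool) string {
	peer, _, err := net.SplitHostPort(in.RemoteAddr)
	if err != nil {
		peer = in.RemoteAddr // RemoteAddr carried no port
	}
	prior := strings.Join(in.Header.Values("X-Forwarded-For"), ", ")
	if trustForwardHeader && prior != "" {
		return prior + ", " + peer // client-supplied value is kept in front
	}
	return peer // client-supplied value is discarded
}

// proxyAppendedIP returns the last entry: the address the proxy itself
// observed, which the client cannot choose by sending a header.
func proxyAppendedIP(xff string) string {
	parts := strings.Split(xff, ",")
	return strings.TrimSpace(parts[len(parts)-1])
}

// clientClaimedIP returns the first entry, which is whatever the caller sent.
func clientClaimedIP(xff string) string {
	return strings.TrimSpace(strings.Split(xff, ",")[0])
}

// sampleRequest is a constructed request matching the curl call in the post.
func sampleRequest() *http.Request {
	return &http.Request{
		RemoteAddr: "203.0.113.7:51234", // constructed peer address
		Header:     http.Header{"X-Forwarded-For": {"1.2.3.4"}},
	}
}

func main() {
	for _, trust := range []bool{false, true} {
		xff := authRequestXFF(sampleRequest(), trust)
		fmt.Printf("trustForwardHeader=%v XFF=%q first=%s last=%s\n", trust, xff, clientClaimedIP(xff), proxyAppendedIP(xff))
	}
}
```

If another trusted proxy sits in front of Traefik and sets X-Forwarded-For itself, the leftmost entry can be meaningful; otherwise only the appended entry reflects an address the proxy actually saw.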