Hi. I understand that ForwardAuth takes a request and then curries it to a service first, and then if that service returns 200 it will forward the request to the target service, passing forward headers (or not). I am trying to figure out trustForwardHeader
and when it would be used.
After quite a lot of digging and manual testing I think I finally found what it does.
When trustForwardHeader
is set to false, Traefik doesn't trust the X-Forwarded-*
headers when proxying the request to the authentication service.
For example if you were to make a request to a service using ForwardAuth with trustForwardHeader: false
:
$ curl --header "X-Forwarded-For: 1.2.3.4" service.example.com
The configured auth service will only receive the "X-Forwarded-*" headers provided by Traefik.
If you set trustForwardHeader
to true, then Traefik will prepend the provided address to the "X-Forwarded-For" header before making the request to the auth service. So it will result in: X-Forwarded-For: 1.2.3.4, a.b.c.d
where a.b.c.d is IP address(es) provided by Traefik.
An example in the docs would have been really helpful because it is really not obvious what this property does.