Setup with Traefik / Issue with Proxy-Authorization header for services on another host #6542
I'm unsure how to properly configure Authelia and Traefik. I (hopefully) set everything up like the docs/guides describe it, but I'm unsure about the effect of some configuration entries. I configured the Traefik middleware as:

```yaml
traefik.http.middlewares.authelia.forwardauth.address: "http://authelia:9091/api/verify?rd=https%3A%2F%2Fautheliatest.${DOMAIN}%2F"
traefik.http.middlewares.authelia.forwardauth.trustForwardHeader: "true"
traefik.http.middlewares.authelia.forwardauth.authResponseHeaders: "Remote-User,Remote-Groups,Remote-Name,Remote-Email"
```

Is the configuration of
and
correct?

I set up a playground to help myself understand how everything is working: https://github.com/voruti/AutheliaTraefikSetup/tree/f118926f3d89adaf7339a5e1f20e6949f86086e8. Is

```yaml
# middleware for Authelia on host1:
traefik.http.middlewares.authelia.forwardauth.address: "https://autheliatest.${DOMAIN:?error}/api/verify?rd=https%3A%2F%2Fautheliatest.${DOMAIN:?error}%2F"
traefik.http.middlewares.authelia.forwardauth.trustForwardHeader: "true"
traefik.http.middlewares.authelia.forwardauth.authResponseHeaders: "Remote-User,Remote-Groups,Remote-Name,Remote-Email"
```

the correct configuration for the Traefik middleware on host 2?
Replies: 4 comments 7 replies
Tested the same behaviour on v4.38.0-beta3: https://github.com/voruti/AutheliaTraefikSetup/tree/a4d3229d0fa8edb8fee401e49a169a67dd85c7be (diff).
I have not had time to dig through this but will take a look ASAP.
Correct on both counts.

This one is actually a bit confusing on Traefik's end, unfortunately. Basically you can trust forwarded headers in the entrypoint with the trusted IPs option you mentioned and at the middleware option you mentioned; if you don't do both, then the forwarded headers in the request are stripped. If you're not using another proxy (like the Cloudflare proxy), then they can generally be removed. The most likely symptom that you need to revisit this is if the logged remote IP is wrong.

I believe Traefik strips this header automatically on each hop and they consider a single hop to be taking place during forward auth; I'll have to double check this particular point. However, in the beta, if you use the forward auth specific endpoint and configure it to use the server:

```yaml
endpoints:
  authz:
    forward-auth:
      implementation: 'ForwardAuth'
      authn_strategies:
        - name: 'HeaderAuthorization'
        - name: 'CookieSession'
```
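As an added example (not configuration from the thread's author or from the Authelia project), the following shows how the two trust settings described in the reply above and the 4.38 forward-auth endpoint fit together for the "service on host 2, Authelia on host 1" case. The host names, the `203.0.113.10/32` range, the `app` router name and the file placement are placeholders; the `/api/authz/forward-auth` path is the endpoint Authelia 4.38 documents for Traefik's ForwardAuth middleware and is assumed to match the beta discussed here.

```yaml
# --- Traefik static configuration on host 2 (traefik.yml), example only ---
# Forwarded headers (X-Forwarded-For/Proto/Host) are only kept when BOTH the
# entrypoint trusts the sending address AND the ForwardAuth middleware has
# trustForwardHeader enabled; otherwise Traefik strips them and Authelia sees
# the proxy's address instead of the client's.
entryPoints:
  websecure:
    address: ":443"
    forwardedHeaders:
      # Placeholder: the address of whatever sits in front of Traefik (for
      # example a Cloudflare proxy range). Leave this block out entirely if
      # nothing is in front of Traefik, so clients cannot spoof X-Forwarded-For.
      trustedIPs:
        - "203.0.113.10/32"
---
# --- Traefik dynamic configuration on host 2 (Docker labels), example only ---
# Goes under services.<name>.labels in the compose file of the protected app.
labels:
  # Authelia lives on host 1, so the middleware must reach it over HTTPS.
  # Assumption from the 4.38 docs: with the authz endpoint the redirect target
  # is derived from the X-Forwarded-* headers, so no rd= parameter is needed.
  traefik.http.middlewares.authelia.forwardauth.address: "https://autheliatest.example.com/api/authz/forward-auth"
  traefik.http.middlewares.authelia.forwardauth.trustForwardHeader: "true"
  traefik.http.middlewares.authelia.forwardauth.authResponseHeaders: "Remote-User,Remote-Groups,Remote-Name,Remote-Email"
  traefik.http.routers.app.rule: "Host(`app.example.com`)"
  traefik.http.routers.app.entrypoints: "websecure"
  traefik.http.routers.app.middlewares: "authelia@docker"
---
# --- Authelia configuration on host 1 (configuration.yml), example only ---
server:
  endpoints:
    authz:
      forward-auth:
        implementation: 'ForwardAuth'
        authn_strategies:
          # Try the Authorization header first (HeaderProxyAuthorization is the
          # equivalent strategy for Proxy-Authorization), then the session cookie.
          - name: 'HeaderAuthorization'
          - name: 'CookieSession'
```

The check the reply suggests is the remote IP in Authelia's log: a request that reaches Authelia through host 2 should be logged with the real client address. If it shows the address of host 2's Traefik instead, one of the two trust settings is missing. Keep `trustedIPs` as narrow as possible, because any address in that list is allowed to assert an arbitrary client IP.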
With the v4.38.0-beta3 it's possible to choose between the