Setup with Traefik / Issue with Proxy-Authorization header for services on another host

[voruti]

I'm unsure on how to properly configure Authelia and Traefik. I (hopefully) set everything up like the docs/guides describe it, but I'm unsure about the effect of some configuration entries:

I configured the Traefik middleware as:

      traefik.http.middlewares.authelia.forwardauth.address: "http://authelia:9091/api/verify?rd=https%3A%2F%2Fautheliatest.${DOMAIN}%2F"
      traefik.http.middlewares.authelia.forwardauth.trustForwardHeader: "true"
      traefik.http.middlewares.authelia.forwardauth.authResponseHeaders: "Remote-User,Remote-Groups,Remote-Name,Remote-Email"

• The authResponseHeaders option is only relevant for the service behind the protected URL, am I correct? Since I don't know a service that reads these headers, I can just comment out this option, correct?
• When commenting out the trustForwardHeader option, I don't see any change at all. I read the https://www.authelia.com/integration/proxies/fowarded-headers/ docs, but still don't fully understand it. What would be an example where I can see the difference of the presence of this option?

The configuration of traefik.entryPoints.<name>.forwardedHeaders.trustedIPs (and ...proxyProtocol...) can be left empty, when only using a single Traefik instance, a single Authelia instance and running everything on a single host, correct? Else, when using multiple instances and/or hosts, I can input the other hosts into this option, correct?
The right setup for the example below ⤵, would be

1. the IP of host 2 as trustedIPs on host 1

and

2. empty trustedIPs on host 2

correct?

---

I setup a playground to help myself understand how everything is working: https://github.com/voruti/AutheliaTraefikSetup/tree/f118926f3d89adaf7339a5e1f20e6949f86086e8.
There is probably something wrong with this configuration, because I can't get requests by Proxy-Authorization header on different hosts working, like described in https://github.com/voruti/AutheliaTraefikSetup/blob/f118926f3d89adaf7339a5e1f20e6949f86086e8/README.md#results-of-testing. How to properly configure this, or is this a bug?

Is

      # middleware for Authelia on host1:
      traefik.http.middlewares.authelia.forwardauth.address: "https://autheliatest.${DOMAIN:?error}/api/verify?rd=https%3A%2F%2Fautheliatest.${DOMAIN:?error}%2F"
      traefik.http.middlewares.authelia.forwardauth.trustForwardHeader: "true"
      traefik.http.middlewares.authelia.forwardauth.authResponseHeaders: "Remote-User,Remote-Groups,Remote-Name,Remote-Email"

the correct configuration for the Traefik middleware on host 2?

[voruti]

Tested the same behaviour on v4.38.0-beta3: https://github.com/voruti/AutheliaTraefikSetup/tree/a4d3229d0fa8edb8fee401e49a169a67dd85c7be (diff).

[james-d-elliott]

I have had not time to dig through this but will take a look ASAP.

[james-d-elliott]

• The authResponseHeaders option is only relevant for the service behind the protected URL, am I correct? Since I don't know a service that reads these headers, I can just comment out this option, correct?

Correct on both counts.

• When commenting out the trustForwardHeader option, I don't see any change at all. I read the https://www.authelia.com/integration/proxies/fowarded-headers/ docs, but still don't fully understand it. What would be an example where I can see the difference of the presence of this option?

This one is actually a bit confusing on Traefiks end unfortunately, basically you can trust forwarded headers in the entrypoint with the trusted IPs option you mentioned and at the middleware option you mentioned, if you don't do both then the forwarded headers in the request are stripped. If you're not using another proxy (like coudflare proxy) then they can generally be removed.The most likely symptom if you need to revisit this is if any is the logged remote IP is wrong.

There is probably something wrong with this configuration, because I can't get requests by Proxy-Authorization header on different hosts working

I believe traefik strips this header automatically on each hop and they consider a single hop taking place during forward auth, I'll have to double check this particular point. However in the beta if you use the forward auth specific endpoint and configure it to use the Authorization header it should work. You'd have to configure the endpoint similar to the below subject to change configuration snippet (making the endpoint /api/authz/forward-auth instead of /api/verify):

server:
  endpoints:
    authz:
      forward-auth:
        implementation: 'ForwardAuth'
        authn_strategies:
          - name: 'HeaderAuthorization'
          - name: 'CookieSession'

[james-d-elliott]

Proxy-Authorization is what they call a single hop header, it should be removed after Traefik has handled it. i.e. before it reaches the backend, this is a standard, and it's so headers with credentials don't get passed to every service. At least in my opinion. The reason we used it was this.

However they remove it as soon as they see it, before it is used for forward auth. Which I can understand their reasoning, but they should give an option to users to configure this behavior. I would consider forward auth a relevant destination for such a header especially if traefik doesn't use it for auth.

[voruti]

I don't think they remove it (anymore): traefik/traefik#7433.

The problem for me is that Authelia is the backend, because I'm calling it from another host: https://github.com/voruti/AutheliaTraefikSetup/blob/4a5d8252f41300b1aaa363905c5792deeea84546/host2/docker-compose.yml#L49.

[voruti]

I can't seem to find where in the Traefik source code they remove the Proxy-Authorization header...

[voruti]

I think it's here: https://github.com/golang/go/blob/f19f31f2e7c136a8dae03cbfe4f8ebbb8b54569b/src/net/http/httputil/reverseproxy.go#L294.

[voruti]

I think this is one of the "problems": golang/go#50580. Traefik is still using the Director function, after which all hop-by-hop headers are removed. It might be possible to switch Traefik to the Rewrite function and then implement a custom middleware (for Traefik) that ensures the Proxy-Authorization header is kept?

[voruti]

With the v4.38.0-beta3 it's possible to choose between the Proxy-Authorization and the Authorization header. What about a custom option? I.e. any configurable custom string someone wants to use?

[voruti]

For now I just put a nginx in front of Authelia to rename the header (using Authelia 4.37.5 stable, not v4.38.0-beta3):

server {
    listen       80;

    location / {
        proxy_set_header Host $http_host;
        proxy_pass   http://authelia:9091;
        proxy_set_header Proxy-Authorization $http_Authelia_Authorization;
    }
}