Forward Authentication : Websocket compatibility

[pixeye33]

Do you want to request a feature or report a bug?

a feature

What did you do?

I use traefik in front of Home assistant which utilizes websocket.

I'm using Forward Authentication with success with all my apps who do not use websockets
(well, i'm waiting for this PR to be in the actual release : #2398 to really be able to use it)

What did you expect to see?

verify script returns 200 OK code (instantly and all the time for debuging purposes), websocket traffic is passing trough just like when Forward Authentication is not activated.

What did you see instead?

verify script returns 200 OK code (instantly and all the time for debuging purposes), websocket traffic is not passing trough (timeout as seen from end user side)

Output of traefik version: (What version of Traefik are you using?)

docker run traefik version
Version:      v1.5.4
Codename:     cancoillotte
Go version:   go1.9.464; rv:59.0) Gecko/20100101 Firefox/59.0" 14 - - 120001msndo
Built:        2018-03-15_01:35:21PM
OS/Arch:      linux/amd64

What is your environment & configuration (arguments, toml, provider, platform, ...)?

[entryPoints]
  [entryPoints.http]
  address = ":80"
    [entryPoints.http.redirect]
    entryPoint = "https"
  [entryPoints.https]
  address = ":443"
  compress = true
    [entryPoints.https.auth.forward]
    address = "http://nodered:1880/auth"
  [entryPoints.https.tls]

If applicable, please paste the log output in debug mode (--debug switch)

time="2018-03-17T13:27:29Z" level=debug msg="Error calling http://nodered:1880/auth. Cause: Get http://nodered:1880/auth: EOF"
ip.ad.dr.ess - - [17/Mar/2018:13:25:29 +0000] "GET /api/websocket?latest HTTP/1.1" - - - "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0" 14 - - 120001ms

[alexandre-leites]

@pixeye33

Have you solved your issue? I'm trying to use this together with thomseddon/traefik-forward-auth and I'm having the same issue, the websocket connection cannot be verified as it output the following error:

http2: invalid Upgrade request header: ["websocket"]"

I believe connection to forward server should be http/https and websocket headers must be cleaned up.

[pixeye33]

@xalexslx not solved the issue since this not seem to be prioritized...
traefik only does HTTPS proxy, Auth is on the webserver behind using nginx auth_request.

FYI : looking to switch to kong at this moment :)

[cmconner156]

I'm also running into this issue. The web socket proxy not working is causing my local trusted network login to not work, I'm forced to authenticate on my tablets that should be trusted.

2018-08-28 21:00:35 INFO (MainThread) [homeassistant.components.http.view] Serving / to 1.0.0.10 (auth: True)
2018-08-28 21:00:35 INFO (MainThread) [homeassistant.components.http.view] Serving /api/websocket to 2.0.0.18 (auth: False)

The web socket call is my home assistant browser. I would expect X-Forwarded-For to be on the web socket request as well making them both show as coming from 1.0.0.10 and then work, but sadly no.

Have you switched to Kong? Any sites with the steps you followed? How did it work?

[mmatur]

@cmconner156 Have you try with the latest Traefik version?

[regbo]

This is definitely a problem with Traefik 1.7-rc3. It breaks websocket functionality on Vaadin applications.

[regbo]

Hi, it looks like multiple bounties (including mine) have been placed on this issue. If an issue's priority is lowered, upgraded, or changed because of the bounty, will we be notified? Never used bountysource before

[ldez]

Closed by #3900

[stffabi]

PR #3900 alone does not fix this issue, please see the comment in #3907.

[traefiker]

Closed by #3907.

[regbo]

This works perfectly with Vaadin now. Nice work.