HTTP Header Proxy-Authenticate can be conditionally forwarded. #7374
Comments
I'm bumping into the same problem when using Traefik forwardAuth with Authelia. That header is stripped by calling
Since the forward Auth is not considered a next hop but is actually part of the auth process of the current hop, the Proxy-Authorization header should not be removed.

traefik/pkg/middlewares/auth/forward.go Line 163 in 7928e6d
@nkonev I saw your commit for Could you do the removal of HopHeaders in filterForwardRequestHeaders so it allows to keep

```go
func filterForwardRequestHeaders(forwardRequestHeaders http.Header, allowedHeaders []string) http.Header {
	if len(allowedHeaders) == 0 {
		return utils.RemoveHeaders(forwardRequestHeaders, forward.HopHeaders...)
	}
	// ...
}
```

A better approach would also be to not consider

```go
// keepProxyAuthHeader returns hopHeaders without the Proxy-Authorization entry.
func keepProxyAuthHeader(hopHeaders []string) []string {
	var headers []string
	for _, h := range hopHeaders {
		if h != forward.ProxyAuthorization {
			headers = append(headers, h)
		}
	}
	return headers
}
```

```go
func writeHeader(req, forwardReq *http.Request, trustForwardHeader bool, allowedHeaders []string) {
	utils.CopyHeaders(forwardReq.Header, req.Header)
	// utils.RemoveHeaders(forwardReq.Header, forward.HopHeaders...)
	forwardReq.Header = filterForwardRequestHeaders(forwardReq.Header, allowedHeaders)
	// ...
}
```

```go
func filterForwardRequestHeaders(forwardRequestHeaders http.Header, allowedHeaders []string) http.Header {
	if len(allowedHeaders) == 0 {
		// Strip every hop-by-hop header except Proxy-Authorization.
		return utils.RemoveHeaders(forwardRequestHeaders, keepProxyAuthHeader(forward.HopHeaders)...)
	}
	// ...
}
```
Closed by #7433.
Do you want to request a feature or report a bug?
Feature
What did you expect to see?
When using the forwardAuth middleware and a request using the Proxy-Authenticate header, I expect the header to be forwarded to the authentication server.

Justification
Let me start by saying I am aware that Proxy-Authenticate is a hop by hop header and should normally be stripped according to RFC 2616. However, RFC 7235 extends on authentication headers. In section 4.4 it states:
Since the forward auth middleware is delegating authentication for the proxy, the Proxy-Authenticate header can be sent along, freeing up the Authorization header for applications behind the proxy that also want authentication. This would be Traefik's way of consuming the header. By optionally allowing the header to be passed, it would also allow for proxy chaining with proxy authentication and would also not hog the application Authorization header.
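
An added Go example, not Traefik's code and not code from this thread, of the behaviour discussed here: hop-by-hop headers are stripped, while Proxy-Authorization (the header named in the comment's code) is kept only on the forward-auth subrequest and removed before the request reaches the backend. The function names, the header list and the sample values are constructed for illustration.

```go
package main

import (
	"fmt"
	"net/http"
	"strings"
)

// Hop-by-hop headers a reverse proxy normally strips (constructed list).
var hopHeaders = []string{"Connection", "Keep-Alive", "Proxy-Authenticate",
	"Proxy-Authorization", "Te", "Trailer", "Transfer-Encoding", "Upgrade"}

// stripHop returns a copy of src without hop-by-hop headers. Names in keep are
// exempt from the fixed list; headers named in Connection are always dropped.
func stripHop(src http.Header, keep ...string) http.Header {
	drop := map[string]bool{}
	for _, h := range hopHeaders {
		drop[http.CanonicalHeaderKey(h)] = true
	}
	for _, k := range keep {
		delete(drop, http.CanonicalHeaderKey(k))
	}
	for _, v := range src.Values("Connection") {
		for _, name := range strings.Split(v, ",") {
			drop[http.CanonicalHeaderKey(strings.TrimSpace(name))] = true
		}
	}
	out := http.Header{}
	for name, vals := range src {
		if !drop[http.CanonicalHeaderKey(name)] {
			out[name] = append([]string(nil), vals...)
		}
	}
	return out
}

// Auth subrequest: the auth server decides for this hop, so it sees the proxy credential.
func authRequestHeaders(in http.Header) http.Header { return stripHop(in, "Proxy-Authorization") }

// Backend request: the proxy credential must not travel past this hop.
func backendRequestHeaders(in http.Header) http.Header { return stripHop(in) }

func main() {
	in := http.Header{} // constructed sample request headers
	in.Set("Proxy-Authorization", "Basic cHJveHk6ZXhhbXBsZQ==")
	in.Set("Authorization", "Bearer app-token")
	in.Set("Connection", "keep-alive, X-Debug")
	in.Set("X-Debug", "1")
	fmt.Printf("auth: %v\nbackend: %v\n", authRequestHeaders(in), backendRequestHeaders(in))
}
```

The backend copy still carries Authorization, which is the point of the request: the application keeps its own credential header while the proxy credential stops at the auth server.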