traefik: Traefik 2.0 not working with traefik-forward-auth, but works with 1.7

https://github.com/thomseddon/traefik-forward-auth/issues/45

Do you want to request a feature or report a bug?

Bug

Did you try using a 1.7.x configuration for the version 2.0?

  • Yes
  • No

What did you do?

Attempting to set up ForwardAuth with Traefik 2.0 and this forward auth handler service written by @thomseddon.

What did you expect to see?

ForwardAuth to succeed

What did you see instead?

Once authenticated via Google, I get a final redirect to a URL for the traefik-forward-auth service, which ultimately results in a 404. See logs at bottom.

So the flow with the config shown below would be:

  1. Go to synology.sub.domain.com
  2. Not authenticated in this browser so sent to google
  3. Get authenticated successfully, 307 redirect happens
  4. Ultimately 404 on a URL at auth.sub.domain.com with a long query string.

Output of traefik version: (What version of Traefik are you using?)

This doesn’t work with the alpha AFAICT but I’m on the image created:

2019-04-18 00:00:21

Which I believe is alpha4.

What is your environment & configuration (arguments, toml, provider, platform, …)?

[global]
  Debug = true
  SendAnonymousUsage = false

[api]

[providers]
  [providers.file]
    watch=true
    
  [providers.docker]
    endpoint = "unix:///var/run/docker.sock"
    domain = "sub.domain.com"
    watch = true
    exposedByDefault = false

[entryPoints]
  [entrypoints.http]
    address = ":80"

  [entrypoints.https]
    address = ":443"

[http.routers]
  [http.routers.synology]
      entryPoints = ["https", "http"]
      middlewares = [ "compress", "redirect", "forward-auth" ]
      rule = "Host(`synology.sub.domain.com`)"
      service = "synology"
    
  [http.middlewares]
    [http.middlewares.compress.compress]

    [http.middlewares.redirect.redirectScheme]
      scheme = "https"

    [http.middlewares.forward-auth.forwardAuth]
      address = "https://traefik-forward-auth:4181"
      authResponseHeaders = ["X-Forwarded-User"]
      
  [http.services]
  
    [http.services.synology]
      [http.services.synology.LoadBalancer]
          [[http.services.synology.LoadBalancer.servers]]
            url = "http://192.168.1.2:5000"
            scheme = "http"
            weight= 1

[acme]
  acmeLogging = true
  email = "me@email.com"
  storage = "/acme.json"
  onHostRule = true
  entryPoint = "https"
  [acme.dnsChallenge]
    provider = "provider"

  [[acme.domains]]
    main = "sub.domain.com"
  [[acme.domains]]
    main = "*.sub.domain.com"

docker-compose.yml

version: "3"
services:
  traefik:
    container_name: traefik
    image: traefik:v2.0
    ports:
      - "80:80"
      - "443:443"
      - "8080:8080"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - /nfs/docker/traefik/traefik.toml:/traefik.toml
      # - /var/docker/traefik.toml/:/traefik.toml
      - /nfs/docker/traefik/acme.json:/acme.json
      - /nfs/docker/traefik/access.log:/access.log
      # - /nfs/docker/traefik/traefik.log:/traefik.log
    restart: always
    env_file: ./traefik.env
    labels:
      - "traefik.enable=false"
    dns:
      - 127.0.0.1
      - 1.1.1.1
      - 1.0.0.1
  traefik-forward-auth:
    container_name: traefik-forward-auth
    image: thomseddon/traefik-forward-auth
    environment:
      - CLIENT_ID=client_id
      - CLIENT_SECRET=client_secret
      - SECRET=secret

      - AUTH_HOST=auth.sub.domain.com
      - COOKIE_DOMAIN=sub.domain.com
      - INSECURE_COOKIE=true
      - WHITELIST=me@email.com
      - LOG_LEVEL=debug

    labels:
      - traefik.enable=true
      - "traefik.http.middlewares.compress=true"
      - "traefik.http.services.traefik-forward-auth.loadbalancer.server.port=4181"
    dns:
      - 127.0.0.1
      - 1.1.1.1
      - 1.0.0.1

If applicable, please paste the log output in DEBUG level (--log.level=DEBUG switch)

traefik-forward-auth    | time="2019-06-11T12:12:31Z" level=debug msg="Starting with options: {\"LogLevel\":\"debug\",\"LogFormat\":\"text\",\"AuthHost\":\"auth.sub.domain.com\",\"CookieDomains\":[{\"Domain\":\"sub.domain.com\",\"DomainLen\":20,\"SubDomain\":\".sub.domain.com\",\"SubDomainLen\":21}],\"InsecureCookie\":true,\"CookieName\":\"_forward_auth\",\"CSRFCookieName\":\"_forward_auth_csrf\",\"DefaultAction\":\"auth\",\"Domains\":null,\"LifetimeString\":43200,\"Path\":\"/_oauth\",\"Whitelist\":[\"me@email.com\",\"other@email.com\"],\"Providers\":{\"Google\":{\"ClientId\":\"<omitted_ID>.apps.googleusercontent.com\",\"Scope\":\"https://www.googleapis.com/auth/userinfo.profile https://www.googleapis.com/auth/userinfo.email\",\"Prompt\":\"\",\"LoginURL\":{\"Scheme\":\"https\",\"Opaque\":\"\",\"User\":null,\"Host\":\"accounts.google.com\",\"Path\":\"/o/oauth2/auth\",\"RawPath\":\"\",\"ForceQuery\":false,\"RawQuery\":\"\",\"Fragment\":\"\"},\"TokenURL\":{\"Scheme\":\"https\",\"Opaque\":\"\",\"User\":null,\"Host\":\"www.googleapis.com\",\"Path\":\"/oauth2/v3/token\",\"RawPath\":\"\",\"ForceQuery\":false,\"RawQuery\":\"\",\"Fragment\":\"\"},\"UserURL\":{\"Scheme\":\"https\",\"Opaque\":\"\",\"User\":null,\"Host\":\"www.googleapis.com\",\"Path\":\"/oauth2/v2/userinfo\",\"RawPath\":\"\",\"ForceQuery\":false,\"RawQuery\":\"\",\"Fragment\":\"\"}}},\"Rules\":{},\"Lifetime\":43200000000000,\"CookieDomainsLegacy\":null,\"CookieSecureLegacy\":\"\",\"DomainsLegacy\":null,\"ClientIdLegacy\":\"<omitted_ID>.apps.googleusercontent.com\",\"PromptLegacy\":\"\"}"
traefik-forward-auth    | time="2019-06-11T12:12:31Z" level=info msg="Listening on :4181"
traefik-forward-auth    | time="2019-06-11T12:12:51Z" level=debug msg="Authenticating request" headers="map[Accept:[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8] Accept-Encoding:[gzip, deflate, br] Accept-Language:[en-US,en;q=0.5] Cookie:[_forward_auth_csrf=c814ce3749ab60d0d4f66d95ae9cdf27] Dnt:[1] Upgrade-Insecure-Requests:[1] User-Agent:[Mozilla/5.0 (Windows NT 6.1; rv:60.0) Gecko/20100101 Firefox/60.0] X-Forwarded-For:[192.168.1.1] X-Forwarded-Host:[synology.sub.domain.com] X-Forwarded-Method:[GET] X-Forwarded-Port:[443] X-Forwarded-Proto:[https] X-Forwarded-Server:[8bd8f24fbe93] X-Forwarded-Uri:[/] X-Real-Ip:[192.168.1.1]]" rule=default source_ip=192.168.1.1
traefik                 | 192.168.1.1 - - [11/Jun/2019:12:12:45 +0000] "GET /_oauth?state=c814ce3749ab60d0d4f66d95ae9cdf27:https://synology.sub.domain.com/&code=4/ZgF_eoY4qYEckmNyZN9uzV-XRtZM5omfbsUVZLB8cW5S3CD_hEVW6-CkwQJmj-QScYCJqC9Rl2Vj9NQsJCT9w8g&scope=email+profile+https://www.googleapis.com/auth/userinfo.email+https://www.googleapis.com/auth/userinfo.profile HTTP/2.0" 404 19 "-" "Mozilla/5.0 (Windows NT 6.1; rv:60.0) Gecko/20100101 Firefox/60.0" 1 - - 0ms
traefik                 | time="2019-06-11T12:12:51Z" level=debug msg="Remote error http://traefik-forward-auth:4181. StatusCode: 307" middlewareType=ForwardedAuthType middlewareName=file.forward-auth
traefik-forward-auth    | time="2019-06-11T12:12:51Z" level=debug msg="Set CSRF cookie and redirecting to google login" source_ip=192.168.1.1
traefik                 | 192.168.1.1 - - [11/Jun/2019:12:12:51 +0000] "GET / HTTP/2.0" 307 467 "-" "Mozilla/5.0 (Windows NT 6.1; rv:60.0) Gecko/20100101 Firefox/60.0" 2 "file.synology" - 2ms
traefik                 | 2019/06/11 12:12:51 server.go:3012: http: TLS handshake error from 192.168.1.1:49956: EOF

About this issue

  • State: closed
  • Created 5 years ago
  • Comments: 21 (18 by maintainers)

Most upvoted comments

@dduportal the thing that’s absolutely required is that the traefik-forward-auth service needs to have the middleware applied to itself as well. This is missing from our examples above.

Within my dynamic toml:

  [http.middlewares]
    [http.middlewares.forward-auth.forwardauth]
      address = "http://traefik-forward-auth:4181"
      trustForwardHeader = true
      authResponseHeaders = ["X-Forwarded-User"]

And then my traefik-forward-auth router also has this middleware applied:

      - "traefik.http.routers.traefik-forward-auth-https.middlewares=forward-auth@file"
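The complete service definition the comment above is describing, written out as an added example (it is not the reporter's compose file or the maintainer's own snippet): the traefik-forward-auth container gets its own router on the `https` entry point for the `AUTH_HOST` name, and that router carries the same `forward-auth@file` middleware. That is what the reporter's compose file lacks: with no router for auth.sub.domain.com, the Google callback to `/_oauth?state=...` matches nothing and Traefik answers 404, which is exactly the access-log line above. The router name `traefik-forward-auth-https`, the middleware name and the `http://` address are taken from the comment (the reporter's config points the middleware at `https://traefik-forward-auth:4181`, but the service log shows it listening on plain `:4181`). The environment values are the placeholders from the issue; `INSECURE_COOKIE=true` is dropped on the assumption that the auth host is only reached through the TLS entry point, since that flag only exists to allow the session cookie to be set over plain HTTP. Label syntax is Traefik 2.0; the TLS and certificate settings must match the rest of your deployment.

```yaml
# Added example, not part of the original issue: the forward-auth service with
# its own router, protected by the same ForwardAuth middleware it implements.
# Hostnames, entry point and middleware name follow the issue; secrets are
# placeholders. The "forward-auth" middleware itself lives in the dynamic
# TOML quoted in the comment above (provider suffix "@file").
version: "3"
services:
  traefik-forward-auth:
    container_name: traefik-forward-auth
    image: thomseddon/traefik-forward-auth
    environment:
      - CLIENT_ID=client_id
      - CLIENT_SECRET=client_secret
      - SECRET=secret
      - AUTH_HOST=auth.sub.domain.com
      - COOKIE_DOMAIN=sub.domain.com
      - WHITELIST=me@email.com
      - LOG_LEVEL=debug
    labels:
      - "traefik.enable=true"
      # Service: where Traefik sends requests matched by the router below.
      - "traefik.http.services.traefik-forward-auth.loadbalancer.server.port=4181"
      # Router for the auth host. Without it, the OAuth callback to
      # https://auth.sub.domain.com/_oauth?state=... has no matching router
      # and Traefik returns 404 (the failure in the logs above).
      - "traefik.http.routers.traefik-forward-auth-https.rule=Host(`auth.sub.domain.com`)"
      - "traefik.http.routers.traefik-forward-auth-https.entrypoints=https"
      - "traefik.http.routers.traefik-forward-auth-https.tls=true"
      # The auth router must carry the ForwardAuth middleware as well: the
      # /_oauth callback is handled by the auth service inside the middleware
      # round-trip (Traefik forwards the path in X-Forwarded-Uri), so a router
      # that merely proxies to port 4181 is not enough.
      - "traefik.http.routers.traefik-forward-auth-https.middlewares=forward-auth@file"
```

A quick check after applying this: a request to `https://auth.sub.domain.com/_oauth` should no longer produce Traefik's 404 in the access log; a 307 to Google or a 4xx from the auth service (for a request without a valid state) both mean the router is now matching. Two caveats: `trustForwardHeader = true` in the comment's middleware makes Traefik pass through `X-Forwarded-Host`, `X-Forwarded-Proto` and `X-Forwarded-Uri` values already present on the incoming request rather than deriving them from the connection it terminated, and the auth service builds its redirect and return URLs from those headers, so confirm that the entry point's forwarded-headers handling keeps untrusted clients from injecting them before relying on that setting; and keep `INSECURE_COOKIE` off wherever the cookie domain is only ever served over TLS.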