traefiktraefik-authentication

How to configure forward auth in Traefik 2?

I'm migrating an old API to Traefik 2 and I can't get forward auth to work. The configuration below is pretty much the equivalent of what we had with Traefik 1.7, but I keep getting "404 page not found" for everything unless I comment out the entry point middleware as well as the auth labels. The Traefik documentation doesn't seem to explain this in any more detail besides adding the middleware itself and some configuration options.

As I understand it this should do forward auth for the web and websecure entry points to the auth entry point and I assigned the /auth path on the auth entry point to our API container.

[entryPoints]
  [entryPoints.web]
    address = ":80"
    [entryPoints.web.http]
      middlewares = ["auth"]
  [entryPoints.websecure]
    address = ":443"
    [entryPoints.websecure.http]
      middlewares = ["auth"]
    [entryPoints.websecure.http.tls]
  [entryPoints.auth]
    address = ":7000"

[http.middlewares]
  [http.middlewares.auth.forwardAuth]
    address = "http://127.0.0.1:7000/auth"

version: '3.8'
services:
  proxy:
    image: traefik:2.8
    volumes:
    ports:
      - 80:80
      - 443:443
      - 7000:7000
  api:
    image: api
    deploy:
      labels:
        - traefik.enable=true
        - traefik.http.routers.api.entrypoints=websecure
        - traefik.http.routers.api.rule=Host(`api.example.org`)
        - traefik.http.services.api.loadbalancer.server.port=8000
        - traefik.http.routers.auth.entrypoints=auth
        - traefik.http.routers.auth.rule=PathPrefix(`/auth`)
        - traefik.http.services.auth.loadbalancer.server.port=8000
Solution

  • I figured out my configuration had 2 issues.

    1. Middleware must be defined using the dynamic configurtation (note the change to auth@file):
    [entryPoints]
  [entryPoints.web]
    address = ":80"
    [entryPoints.web.http]
      middlewares = ["auth@file"]
  [entryPoints.websecure]
    address = ":443"
    [entryPoints.websecure.http]
      middlewares = ["auth@file"]
    [entryPoints.websecure.http.tls]
  [entryPoints.auth]
    address = ":7000"

[providers.file]
  filename = "/etc/traefik/dynamic.toml"

    [http.middlewares]
  [http.middlewares.auth.forwardAuth]
    address = "http://127.0.0.1:7000/auth"
    1. Multiple router definitions require explicit service targets:
    version: '3.8'
services:
  api:
    image: api
    deploy:
      labels:
        - traefik.enable=true
        - traefik.http.routers.api.entrypoints=websecure
        - traefik.http.routers.api.rule=Host(`api.example.org`)
        - traefik.http.routers.api.service=api # Required
        - traefik.http.services.api.loadbalancer.server.port=8000
        - traefik.http.routers.auth.entrypoints=auth
        - traefik.http.routers.auth.rule=PathPrefix(`/auth`)
        - traefik.http.routers.auth.service=auth # Required
        - traefik.http.services.auth.loadbalancer.server.port=8000