I'm trying to adapt this Docker Compose example to use Traefik's ForwardAuth middleware, using https://github.com/thomseddon/traefik-forward-auth/blob/master/examples/traefik-v2/swarm/docker-compose-auth-host.yml as an example.
I have the following docker-compose.yml
:
version: "3.3"
services:
traefik:
image: "traefik:v3.1"
container_name: "traefik"
command:
- "--log.level=DEBUG"
- "--api.insecure=true"
- "--providers.docker=true"
- "--providers.docker.exposedbydefault=false"
- "--entryPoints.web.address=:80"
ports:
- "80:80"
- "8080:8080"
volumes:
- "/var/run/docker.sock:/var/run/docker.sock:ro"
whoami:
image: "traefik/whoami"
container_name: "simple-service"
labels:
- "traefik.enable=true"
- "traefik.http.routers.whoami.rule=Host(`whoami.localhost`)"
- "traefik.http.routers.whoami.entrypoints=web"
traefik-forward-auth:
build: ./auth
labels:
- "traefik.http.routers.traefik-forward-auth.rule=Host(`auth.localhost.com`)"
- "traefik.http.middlewares.traefik-forward-auth.forwardauth.address=http://traefik-forward-auth:4181"
- "traefik.http.middlewares.traefik-forward-auth.forwardauth.authResponseHeaders=X-Forwarded-User"
- "traefik.http.services.traefik-forward-auth.loadbalancer.server.port=4181"
With the following directory structure:
.
├── auth
│ ├── Dockerfile
│ ├── authserver.go
│ └── go.mod
└── docker-compose.yml
where authserver.go
is a simplified authorization server that requires the Authorization
header to be Bearer me
:
package main
import (
"log"
"net/http"
"strings"
)
func main() {
http.HandleFunc("/auth", func(w http.ResponseWriter, r *http.Request) {
if strings.TrimSpace(strings.Replace(r.Header.Get("Authorization"), "Bearer", "", 1)) != "me" {
http.Error(w, http.StatusText(http.StatusUnauthorized), http.StatusUnauthorized)
return
}
})
log.Fatal(http.ListenAndServe(":4181", nil))
}
Here is its Dockerfile:
FROM golang:1.23
WORKDIR /app
COPY go.mod ./
RUN go mod download
COPY *.go ./
RUN CGO_ENABLED=0 GOOS=linux go build -o /authserver
EXPOSE 8080
CMD ["/authserver"]
The problem is that the auth middleware seems to not be active, that is, if I run
docker-compose build && docker-compose up
and navigate to whoami.localhost
in my browser, I see a response:
whereas I would expect to get a 401
response due to the Authorization
header being absent.
It is a bit unclear to me from the configuration example in the documentation,
which container this label should be applied to: is it the auth server or the container that ForwardAuth middleware should be applied to? The example I linked earlier suggests it is the former, but I would have thought the latter. Any ideas on how to fix this example so that requests to whoami.localhost
require an authorization header?
You need to assign the declared traefik-forward-auth
middlewares to the target service in the labels on the target router:
- "traefik.http.routers.whoami.middlewares=traefik-forward-auth"