
I've been trying to develop a custom auth thing for Traefik using Django and the ForwardAuth middleware. Unfortunately, I'm having trouble with the provided headers for my application:

  • My auth app has three endpoints:

    • /auth/, which checks whether the user is authenticated. If they are, it returns an "OK" with status code 200. If they're not, it tries to get the X-Forwarded-Host in order to build a redirect argument using f"?redirect={request.headers['X-Forwarded-Proto']}://{request.headers['X-Forwarded-Host']}" and then redirects to /auth/login/{redirect_url}
    • /auth/login, which renders a form and then authenticates with Django (it uses the same logic as /auth/ for setting up a redirect URL)
    • /auth/logout
  • It's exposed at https://auth.my-ip.nip.io, using the following:

apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: django-auth
spec:
  entryPoints:
    - websecure
  routes:
    - match: Host(`auth.my-ip.nip.io`)
      kind: Rule
      services:
        - name: django-auth
          port: 80
  tls:
    secretName: auth.my-ip.nip.io

  • The middleware is configured as follows:

apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: django-auth
spec:
  forwardAuth:
    address: https://auth.my-ip.nip.io:443/auth/
    trustForwardHeader: true

  • Finally, I've got an example app exposed and using the django-auth middleware:

apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: game-2048
spec:
  entryPoints:
    - web
    - websecure
  routes:
    - match: Host(`2048.my-ip.nip.io`)
      kind: Rule
      services:
        - name: game-2048
          port: 80
      middlewares:
        - name: django-auth
  tls:
    secretName: 2048.my-ip.nip.io

But then, when I try to access https://2048.my-ip.nip.io, I'm getting the following headers on my /auth/ Django view:

{
  ...
  'X-Forwarded-Host': 'auth.my-ip.nip.io:443',
  'X-Forwarded-Proto': 'https',
  ...
}

which then forces my app to identify https://auth.my-ip.nip.io as the redirect URL, while it should be https://2048.my-ip.nip.io so I could return to my example app.

I'd be glad if you could help me, I'm probably missing something. Thanks in advance!

EDIT: Traefik is deployed using Helm with default values, version is 2.5.4.

Gabriel Milan
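An added example, not part of the original question or the asker's code: because the /auth/ view builds its redirect from X-Forwarded-Proto and X-Forwarded-Host, the functions below validate those headers before using them, so a value like the one captured above (the auth host itself) or a host outside the parent domain never becomes a redirect target. `ALLOWED_SUFFIX`, `AUTH_HOST`, `LOGIN_URL` and the function names are assumptions chosen to match the hostnames in the question.

```python
import re
from urllib.parse import quote

# Assumed values for this example, based on the hostnames in the question.
ALLOWED_SUFFIX = ".my-ip.nip.io"
AUTH_HOST = "auth.my-ip.nip.io"
LOGIN_URL = "https://auth.my-ip.nip.io/auth/login/"
DEFAULT_PORTS = {"http": 80, "https": 443}
HOST_RE = re.compile(r"([a-z0-9](?:[a-z0-9.-]*[a-z0-9])?)(?::([0-9]{1,5}))?")


def forwarded_origin(headers):
    """Return 'scheme://host[:port]' built from X-Forwarded-Proto/Host, or
    None when the values are missing, malformed or not an allowed target."""
    proto = headers.get("X-Forwarded-Proto", "").strip().lower()
    match = HOST_RE.fullmatch(headers.get("X-Forwarded-Host", "").strip().lower())
    if proto not in DEFAULT_PORTS or match is None:
        return None
    host = match.group(1)
    port = int(match.group(2)) if match.group(2) else DEFAULT_PORTS[proto]
    if not 0 < port <= 65535:
        return None
    # The auth service is never a valid return target (it would loop), and
    # anything outside the parent domain would be an open redirect.
    if host == AUTH_HOST or not host.endswith(ALLOWED_SUFFIX):
        return None
    if port == DEFAULT_PORTS[proto]:
        return f"{proto}://{host}"
    return f"{proto}://{host}:{port}"


def login_redirect(headers):
    """Login URL for an unauthenticated request; carries ?redirect= only
    when the forwarded origin passed validation."""
    origin = forwarded_origin(headers)
    if origin is None:
        return LOGIN_URL
    return f"{LOGIN_URL}?redirect={quote(origin, safe='')}"


if __name__ == "__main__":
    # Constructed inputs; the first repeats the headers shown in the question.
    for sample in (
        {"X-Forwarded-Host": "auth.my-ip.nip.io:443", "X-Forwarded-Proto": "https"},
        {"X-Forwarded-Host": "2048.my-ip.nip.io", "X-Forwarded-Proto": "https"},
        {"X-Forwarded-Host": "2048.my-ip.nip.io.evil.example", "X-Forwarded-Proto": "https"},
    ):
        print(sample["X-Forwarded-Host"], "->", login_redirect(sample))
```

The same check belongs in the /auth/login view when it reads the `redirect` parameter back, since that value arrives from the browser.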

0 Answers