I'm using Docker to setup some services and Traefik 2 acts as a reverse proxy for these services. So far I was using Basic Auth to protect the access to the services, but I'm trying to get rid of the user/pass prompt.
Looking at the Traefik's documentation, I found the "ForwardAuth" middleware which seems fine. I'm planning to use it to replace Basic Auth, but a full implementation example is not provided as an example, and I'm having a hard time trying to set it up.
So far, thanks to Traefik forward-auth, I'm successfully calling a specific URL on a remote server in charge of the authentication (this server is developped with Spring Boot by myself). I understand that if the authentication server answers 200, it means "authentication success" while another code means "authentication failure". Yet, I'm currently unable to write the authentication code on the remote server as I don't know how to check if I must return 200 or something else. Especially I don't know how to communicate information between Traefik and the authentication server.
Basically, the problems I have are:
- I can't ask the user for his/her username/password using Traefik
- When the authentication server receives the request from Traefik, it has no way to define that the source request was a previously authenticated user
The following picture shows most of my concerns:
What I'd like to achieve is the following behavior:
- The user tries to access to the Docker services without entering any username/password
- Traefik determines that the user is not authenticated, thanks to forward-auth it asks the authentication server for authentication
- The authentication server determines that the user is not authenticated, the user is redirected to the login page
- The user enters his/her username/password on the authentication server
- The user is redirected to the Docker services
- Traefik determines that the user is authenticated
So far, I can successfully achieve step 1 to 5, but I don't know how to achieve step 6.
Is this the right way to use ForwardAuth? If it is, are there some headers I must use to transfer the auth information? If not, is it possible to achieve what I want using ForwardAuth?
As far as i understand, traefik also forwards Any headers accompaning the original request. If you are not filtering Any. see docs traefik forward-auth.