homelab/traefik
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Send request body to authorization server for forward auth

Browse source
This commit is contained in:
kyosuke 2024-12-12 18:18:05 +09:00 committed by GitHub
parent b1934231ca
commit 26738cbf93
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
20 changed files with 411 additions and 38 deletions
Download patch file Download diff file Expand all files Collapse all files

92
docs/content/middlewares/http/forwardauth.md
View file

@ -334,6 +334,98 @@ http:
addAuthCookiesToResponse = ["Session-Cookie", "State-Cookie"]
```
### `forwardBody`
_Optional, Default=false_
Set the `forwardBody` option to `true` to send Body.
!!! info
As body is read inside Traefik before forwarding, this breaks streaming.
```yaml tab="Docker & Swarm"
labels:
- "traefik.http.middlewares.test-auth.forwardauth.forwardBody=true"
```
```yaml tab="Kubernetes"
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
name: test-auth
spec:
forwardAuth:
address: https://example.com/auth
forwardBody: true
```
```yaml tab="Consul Catalog"
- "traefik.http.middlewares.test-auth.forwardauth.forwardBody=true"
```
```yaml tab="File (YAML)"
http:
middlewares:
test-auth:
forwardAuth:
address: "https://example.com/auth"
forwardBody: true
```
```toml tab="File (TOML)"
[http.middlewares]
[http.middlewares.test-auth.forwardAuth]
address = "https://example.com/auth"
forwardBody = true
```
### `maxBodySize`
_Optional, Default=-1_
Set the `maxBodySize` to limit the body size in bytes.
If body is bigger than this, it returns a 401 (unauthorized).
Default is `-1`, which means no limit.
```yaml tab="Docker & Swarm"
labels:
- "traefik.http.middlewares.test-auth.forwardauth.maxBodySize=1000"
```
```yaml tab="Kubernetes"
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
name: test-auth
spec:
forwardAuth:
address: https://example.com/auth
forwardBody: true
maxBodySize: 1000
```
```yaml tab="Consul Catalog"
- "traefik.http.middlewares.test-auth.forwardauth.maxBodySize=1000"
```
```yaml tab="File (YAML)"
http:
middlewares:
test-auth:
forwardAuth:
address: "https://example.com/auth"
maxBodySize: 1000
```
```toml tab="File (TOML)"
[http.middlewares]
[http.middlewares.test-auth.forwardAuth]
address = "https://example.com/auth"
forwardBody = true
maxBodySize = 1000
```
### `tls`
_Optional_

2
docs/content/reference/dynamic-configuration/docker-labels.yml
View file

@ -38,7 +38,9 @@
- "traefik.http.middlewares.middleware10.forwardauth.authrequestheaders=foobar, foobar"
- "traefik.http.middlewares.middleware10.forwardauth.authresponseheaders=foobar, foobar"
- "traefik.http.middlewares.middleware10.forwardauth.authresponseheadersregex=foobar"
- "traefik.http.middlewares.middleware10.forwardauth.forwardbody=true"
- "traefik.http.middlewares.middleware10.forwardauth.headerfield=foobar"
- "traefik.http.middlewares.middleware10.forwardauth.maxbodysize=42"
- "traefik.http.middlewares.middleware10.forwardauth.tls.ca=foobar"
- "traefik.http.middlewares.middleware10.forwardauth.tls.caoptional=true"
- "traefik.http.middlewares.middleware10.forwardauth.tls.cert=foobar"

2
docs/content/reference/dynamic-configuration/file.toml
View file

@ -182,6 +182,8 @@
authRequestHeaders = ["foobar", "foobar"]
addAuthCookiesToResponse = ["foobar", "foobar"]
headerField = "foobar"
forwardBody = true
maxBodySize = 42
[http.middlewares.Middleware10.forwardAuth.tls]
ca = "foobar"
cert = "foobar"

2
docs/content/reference/dynamic-configuration/file.yaml
View file

@ -209,6 +209,8 @@ http:
- foobar
- foobar
headerField: foobar
forwardBody: true
maxBodySize: 42
Middleware11:
grpcWeb:
allowOrigins:

9
docs/content/reference/dynamic-configuration/kubernetes-crd-definition-v1.yml
View file

@ -1234,6 +1234,15 @@ spec:
AuthResponseHeadersRegex defines the regex to match headers to copy from the authentication server response and set on forwarded request, after stripping all headers that match the regex.
More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/forwardauth/#authresponseheadersregex
type: string
forwardBody:
description: ForwardBody defines whether to send the request body
to the authentication server.
type: boolean
maxBodySize:
description: MaxBodySize defines the maximum body size in bytes
allowed to be forwarded to the authentication server.
format: int64
type: integer
tls:
description: TLS defines the configuration used to secure the
connection to the authentication server.

2
docs/content/reference/dynamic-configuration/kv-ref.md
View file

@ -48,7 +48,9 @@ THIS FILE MUST NOT BE EDITED BY HAND
| `traefik/http/middlewares/Middleware10/forwardAuth/authResponseHeaders/0` | `foobar` |
| `traefik/http/middlewares/Middleware10/forwardAuth/authResponseHeaders/1` | `foobar` |
| `traefik/http/middlewares/Middleware10/forwardAuth/authResponseHeadersRegex` | `foobar` |
| `traefik/http/middlewares/Middleware10/forwardAuth/forwardBody` | `true` |
| `traefik/http/middlewares/Middleware10/forwardAuth/headerField` | `foobar` |
| `traefik/http/middlewares/Middleware10/forwardAuth/maxBodySize` | `42` |
| `traefik/http/middlewares/Middleware10/forwardAuth/tls/ca` | `foobar` |
| `traefik/http/middlewares/Middleware10/forwardAuth/tls/caOptional` | `true` |
| `traefik/http/middlewares/Middleware10/forwardAuth/tls/cert` | `foobar` |

9
docs/content/reference/dynamic-configuration/traefik.io_middlewares.yaml
View file

@ -492,6 +492,15 @@ spec:
AuthResponseHeadersRegex defines the regex to match headers to copy from the authentication server response and set on forwarded request, after stripping all headers that match the regex.
More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/forwardauth/#authresponseheadersregex
type: string
forwardBody:
description: ForwardBody defines whether to send the request body
to the authentication server.
type: boolean
maxBodySize:
description: MaxBodySize defines the maximum body size in bytes
allowed to be forwarded to the authentication server.
format: int64
type: integer
tls:
description: TLS defines the configuration used to secure the
connection to the authentication server.