Don't pass the Authorization header to the backends

2018-07-16 13:52:03 +02:00 · 2018-07-16 13:52:03 +02:00 · 9ce444b91a
commit 9ce444b91a
parent ae8be89767
40 changed files with 445 additions and 130 deletions
--- a/docs/configuration/entrypoints.md
+++ b/docs/configuration/entrypoints.md
@ -5,6 +5,11 @@
 ### TOML

 ```toml
+defaultEntryPoints = ["http", "https"]
+
+# ...
+# ...
+
 [entryPoints]
  [entryPoints.http]
    address = ":80"
@ -40,12 +45,14 @@
    [entryPoints.http.auth]
      headerField = "X-WebAuth-User"
      [entryPoints.http.auth.basic]
+        removeHeader = true
        users = [
          "test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/",
          "test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0",
        ]
        usersFile = "/path/to/.htpasswd"
      [entryPoints.http.auth.digest]
+        removeHeader = true
        users = [
          "test:traefik:a2688e031edb4be6a3797f3882655c05",
          "test2:traefik:518845800f9e2bfb1f1f740ec24f074e",
@ -127,7 +134,9 @@ ProxyProtocol.TrustedIPs:192.168.0.1
 ProxyProtocol.Insecure:true
 ForwardedHeaders.TrustedIPs:10.0.0.3/24,20.0.0.3/24
 Auth.Basic.Users:test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/,test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0
+Auth.Basic.Removeheader:true
 Auth.Digest.Users:test:traefik:a2688e031edb4be6a3797f3882655c05,test2:traefik:518845800f9e2bfb1f1f740ec24f074e
+Auth.Digest.Removeheader:true
 Auth.HeaderField:X-WebAuth-User
 Auth.Forward.Address:https://authserver.com/auth
 Auth.Forward.AuthResponseHeaders:X-Auth,X-Test,X-Secret
@ -275,18 +284,32 @@ Users can be specified directly in the TOML file, or indirectly by referencing a
  usersFile = "/path/to/.htpasswd"
 ```

-Optionally, you can pass authenticated user to application via headers
+Optionally, you can:
+
+- pass authenticated user to application via headers

 ```toml
 [entryPoints]
  [entryPoints.http]
  address = ":80"
  [entryPoints.http.auth]
-    headerField = "X-WebAuth-User" # <--
+    headerField = "X-WebAuth-User" # <-- header for the authenticated user
    [entryPoints.http.auth.basic]
    users = ["test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/", "test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0"]
 ```

+- remove the Authorization header
+
+```toml
+[entryPoints]
+  [entryPoints.http]
+  address = ":80"
+  [entryPoints.http.auth]
+    [entryPoints.http.auth.basic]
+    removeHeader = true # <-- remove the Authorization header
+    users = ["test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/", "test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0"]
+```
+
 ### Digest Authentication

 You can use `htdigest` to generate them.
@ -304,18 +327,32 @@ Users can be specified directly in the TOML file, or indirectly by referencing a
  usersFile = "/path/to/.htdigest"
 ```

-Optionally, you can pass authenticated user to application via headers
+Optionally, you can!
+
+- pass authenticated user to application via headers.

 ```toml
 [entryPoints]
  [entryPoints.http]
  address = ":80"
  [entryPoints.http.auth]
-    headerField = "X-WebAuth-User" # <--
+    headerField = "X-WebAuth-User" # <-- header for the authenticated user
    [entryPoints.http.auth.digest]
    users = ["test:traefik:a2688e031edb4be6a3797f3882655c05", "test2:traefik:518845800f9e2bfb1f1f740ec24f074e"]
 ```

+- remove the Authorization header.
+
+```toml
+[entryPoints]
+  [entryPoints.http]
+  address = ":80"
+  [entryPoints.http.auth]
+    [entryPoints.http.auth.digest]
+    removeHeader = true # <-- remove the Authorization header
+    users = ["test:traefik:a2688e031edb4be6a3797f3882655c05", "test2:traefik:518845800f9e2bfb1f1f740ec24f074e"]
+```
+
 ### Forward Authentication

 This configuration will first forward the request to `http://authserver.com/auth`.