Bearer header seems to get lost

[amenk]

There is some case where it does not work well:

If we have a Bearer-based authentication behind Traefik and access it from a whitelisted IP, the Bearer header seems to get lost.

[kingjan1999]

Hi,

that's true, as this plugin overwrites any existing header with the predefined credentials to make the basic auth middleware work. It might be possible to work around this by using a certain middleware chaining:

1. Copy Authorization to X-Authorization
2. The middleware from this plugin
3. The basic auth middleware
4. Copy X-Authorization to Authorization

[amenk]

Okay, thank you. We understand. Thanks for the workaround. Wondering if there is another way, for example by just sending the Basic Auth headers if the IP does not match and not using the built-in basic auth middle ware :) But that would probably require a greater rewrite of the plugin.

[kolaente]

@kingjan1999 What middleware would you use to copy the headers? AFAIK there's none in the default traefik middlewares which would be capable of doing that, did I miss something? Or would that be another plugin?

[kingjan1999]

@kolaente I think there is a plugin for that

[amenk]

Interesting. did anybody try that yet?

Is there an easier solution which involves less plugins? But if it works, who cares :-)

[amenk]

I finally had the time to try this out and it seems to work well

experimental:
  plugins:
    traefik-plugin-exception-authbasic:
      moduleName: "github.com/kingjan1999/traefik-plugin-exception-authbasic"
      version: "v1.0.2"
    duplicateheader:
      moduleName: "github.com/containeroo/duplicateheader"
      version: "v1.0.15"

# This config defines security middlewares for customer services.
http:
  middlewares:
    customersecure:
      chain:
	middlewares:
	  - backup-header
	  - customer-ip
	  - customer-basic
	  - restore-header
    backup-header:
      plugin:
	duplicateheader:
	  source: Authorization
	  destination:
	    - X-Backup-Authorization
    customer-ip:
      plugin:
	traefik-plugin-exception-authbasic:
	  allowIPList:
	    # Test allow list entry
	    - 127.0.0.1
	  user: customer
	  password: customer
    customer-basic:
      basicAuth:
	users:
	  - "customer:$apr1$SkznMsj0$N2qZA/D5ORbwjQoyNLC9D0" # Password: customer
    restore-header:
      plugin:
	duplicateheader:
	  source: X-Backup-Authorization
	  destination:
	    - Authorization