Fix trustForwardHeader on forward auth middleware

Julien Salleyron
2026-04-17 15:42:05 +02:00
committed by GitHub
parent 184de70aef
commit 5e1de22584
15 changed files with 681 additions and 387 deletions
@@ -130,6 +130,22 @@ http:
### `trustForwardHeader`
!!! warning
If `trustForwardHeader` is not explicitly set, Traefik will log a warning at startup and use a legacy behavior where some `X-Forwarded-*` headers (e.g. `X-Forwarded-For`, `X-Forwarded-Proto`) are removed but others (e.g. `X-Forwarded-Prefix`) are forwarded untouched.
To silence this warning, explicitly set `trustForwardHeader` to `true` or `false`.
!!! tip "Recommended configuration"
The recommended approach is to configure trusted IPs at the [EntryPoint level](../../routing/entrypoints.md#forwarded-headers) using `forwardedHeaders.trustedIPs`, and set `trustForwardHeader: true` on this middleware.
With this setup, the EntryPoint is responsible for sanitizing incoming `X-Forwarded-*` headers:
it strips any such headers sent by untrusted clients and only preserves those coming from trusted upstream proxies.
By the time the ForwardAuth middleware processes the request, all `X-Forwarded-*` headers are guaranteed to be trustworthy,
including those intentionally added by other middlewares in the chain — for example, the `X-Forwarded-Prefix` header set by the [StripPrefix](stripprefix.md) middleware.
Setting `trustForwardHeader: true` on this middleware then simply tells ForwardAuth to forward all those (already sanitized) headers to the authentication server.
Set the `trustForwardHeader` option to `true` to trust all `X-Forwarded-*` headers.
```yaml tab="Docker"
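Review bot: The tip's sentence that "all `X-Forwarded-*` headers are guaranteed to be trustworthy" by the time ForwardAuth runs does not say whether the EntryPoint's sanitizing covers `X-Forwarded-Prefix`, which is the one header the warning just above names as forwarded untouched. Please state explicitly which headers the EntryPoint strips from untrusted clients, and what a reader gets if they set `trustForwardHeader: true` without configuring `forwardedHeaders.trustedIPs`. The warning also tells users to pick `true` or `false` while only `true` is described in the following text; a one-sentence description of what `false` removes would let them choose.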
@@ -795,3 +795,12 @@ Previously, a `Chain` could reference middlewares in other namespaces regardless
If `allowCrossNamespace` is set to `false` (the default) and a `Chain` middleware references a middleware in a different namespace from its own,
the whole `Chain` is now rejected and an error is logged.
### ForwardAuth middleware: `trustForwardHeader`
In `v2.11.43`, when `trustForwardHeader` is not explicitly set, Traefik logs a warning as its behavior is inconsistent:
some `X-Forwarded-*` headers (e.g. `X-Forwarded-For`, `X-Forwarded-Proto`) are removed while others (e.g. `X-Forwarded-Prefix`) are forwarded untouched.
To silence the warning and avoid security concerns, explicitly set `trustForwardHeader` to `true` or `false` in your ForwardAuth middleware configuration.
Please check out the [ForwardAuth](../middlewares/http/forwardauth.md#trustforwardheader) middleware documentation for more details.
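Review bot: "avoid security concerns" in the line telling users to set `trustForwardHeader` to `true` or `false` leaves the reader without the actual concern or a way to choose between the two values. The preceding line already says `X-Forwarded-Prefix` is forwarded untouched, so the note could say directly that this is the header at issue when the option is unset. Consider repeating the pairing from the ForwardAuth docs here (`forwardedHeaders.trustedIPs` on the EntryPoint together with `trustForwardHeader: true`) and stating which value applies when no trusted IPs are configured, since a migration guide is often read without following the link.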