
Traefik: Forward Authentication not working

Tags:

traefik

I'm trying to adapt the tutorial available here with the authentication config detailed in the official Traefik documentation.

I created a simple service that always responds with 200 OK when it receives a GET request on this address: http://172.27.10.56:9999/verify

Then, I changed my traefik.toml, and included this:

[entrypoints.http.auth.forward]
address = "http://172.27.10.56:9999/verify"

But my authentication service is never called. In fact, with this config, Traefik stops redirecting all requests.

Here is my Dockerfile:

FROM traefik:v1.4.1-alpine
ADD traefik.toml /traefik.toml

Here is my traefik.toml:

debug = true
logLevel = "DEBUG"
defaultEntryPoints = ["http"]

[entryPoints]
  [entryPoints.http]
  address = ":80"
    [entrypoints.http.auth.forward]
    address = "http://172.27.10.56:9999/verify"

[web]
address = ":8080"

[docker]
endpoint = "unix:///var/run/docker.sock"
domain = "docker.localhost"
watch = true

And here is my docker-compose.yaml:

traefik:
  image: dsp/traefik
  ports:
    - "80:80"
    - "8080:8080"
    - "443:443"
  volumes:
    - /var/run/docker.sock:/var/run/docker.sock

machine:
  image: katacoda/docker-http-server
  labels:
    - "traefik.backend=machine-echo"
    - "traefik.frontend.rule=Host:machine-echo.example.com"

echo:
  image: katacoda/docker-http-server:v2
  labels:
    - "traefik.backend=echo"
    - "traefik.frontend.rule=Host:echo-echo.example.com"

And here is the output of Traefik startup:

time="2017-10-26T15:00:17Z" level=info msg="Using TOML configuration file //traefik.toml" 
time="2017-10-26T15:00:17Z" level=info msg="Traefik version v1.4.1 built on 2017-10-24_05:25:28PM" 
time="2017-10-26T15:00:17Z" level=debug msg="Global configuration loaded {"GraceTimeOut":10000000000,"Debug":true,"CheckNewVersion":true,"AccessLogsFile":"","AccessLog":null,"TraefikLogsFile":"","LogLevel":"DEBUG","EntryPoints":{"http":{"Network":"","Address":"","TLS":null,"Redirect":null,"Auth":{"Basic":null,"Digest":null,"Forward":{"Address":"http://172.27.10.56:9999/verify","TLS":null,"TrustForwardHeader":false},"HeaderField":""},"WhitelistSourceRange":null,"Compress":false,"ProxyProtocol":null,"ForwardedHeaders":{"Insecure":true,"TrustedIPs":null}}},"Cluster":null,"Constraints":[],"ACME":null,"DefaultEntryPoints":["http"],"ProvidersThrottleDuration":2000000000,"MaxIdleConnsPerHost":200,"IdleTimeout":0,"InsecureSkipVerify":false,"RootCAs":null,"Retry":null,"HealthCheck":{"Interval":30000000000},"RespondingTimeouts":null,"ForwardingTimeouts":null,"Docker":{"Watch":true,"Filename":"","Constraints":null,"Trace":false,"DebugLogGeneratedTemplate":false,"Endpoint":"unix:///var/run/docker.sock","Domain":"docker.localhost","TLS":null,"ExposedByDefault":true,"UseBindPortIP":false,"SwarmMode":false},"File":null,"Web":{"Address":":8080","CertFile":"","KeyFile":"","ReadOnly":false,"Statistics":null,"Metrics":null,"Path":"/","Auth":null,"Debug":false,"CurrentConfigurations":null,"Stats":null,"StatsRecorder":null},"Marathon":null,"Consul":null,"ConsulCatalog":null,"Etcd":null,"Zookeeper":null,"Boltdb":null,"Kubernetes":null,"Mesos":null,"Eureka":null,"ECS":null,"Rancher":null,"DynamoDB":null}" 
time="2017-10-26T15:00:17Z" level=info msg="Preparing server http &{Network: Address: TLS:<nil> Redirect:<nil> Auth:0xc4204da780 WhitelistSourceRange:[] Compress:false ProxyProtocol:<nil> ForwardedHeaders:0xc4202a07c0} with readTimeout=0s writeTimeout=0s idleTimeout=3m0s" 
time="2017-10-26T15:00:17Z" level=info msg="Starting provider *docker.Provider {"Watch":true,"Filename":"","Constraints":null,"Trace":false,"DebugLogGeneratedTemplate":false,"Endpoint":"unix:///var/run/docker.sock","Domain":"docker.localhost","TLS":null,"ExposedByDefault":true,"UseBindPortIP":false,"SwarmMode":false}" 
time="2017-10-26T15:00:17Z" level=info msg="Starting server on " 
time="2017-10-26T15:00:17Z" level=info msg="Starting provider *web.Provider {"Address":":8080","CertFile":"","KeyFile":"","ReadOnly":false,"Statistics":null,"Metrics":null,"Path":"/","Auth":null,"Debug":true,"CurrentConfigurations":{},"Stats":{"Uptime":"2017-10-26T15:00:17.777369487Z","Pid":1,"ResponseCounts":{},"TotalResponseCounts":{},"TotalResponseTime":"0001-01-01T00:00:00Z"},"StatsRecorder":null}" 
time="2017-10-26T15:00:17Z" level=debug msg="Provider connection established with docker 17.10.0-ce-rc1 (API 1.33)" 
time="2017-10-26T15:00:17Z" level=debug msg="Validation of load balancer method for backend backend-echo failed: invalid load-balancing method ''. Using default method wrr." 
time="2017-10-26T15:00:17Z" level=debug msg="Validation of load balancer method for backend backend-machine-echo failed: invalid load-balancing method ''. Using default method wrr." 
time="2017-10-26T15:00:17Z" level=debug msg="Validation of load balancer method for backend backend-traefik-traefik failed: invalid load-balancing method ''. Using default method wrr." 
time="2017-10-26T15:00:17Z" level=debug msg="Configuration received from provider docker: {"backends":{"backend-echo":{"servers":{"server-traefik_echo_1":{"url":"http://172.17.0.2:80","weight":0}},"loadBalancer":{"method":"wrr"}},"backend-machine-echo":{"servers":{"server-traefik_machine_1":{"url":"http://172.17.0.3:80","weight":0}},"loadBalancer":{"method":"wrr"}},"backend-traefik-traefik":{"servers":{"server-traefik_traefik_1":{"url":"http://172.17.0.4:80","weight":0}},"loadBalancer":{"method":"wrr"}}},"frontends":{"frontend-Host-echo-echo-example-com":{"entryPoints":["http"],"backend":"backend-echo","routes":{"route-frontend-Host-echo-echo-example-com":{"rule":"Host:echo-echo.example.com"}},"passHostHeader":true,"priority":0,"basicAuth":[],"headers":{}},"frontend-Host-machine-echo-example-com":{"entryPoints":["http"],"backend":"backend-machine-echo","routes":{"route-frontend-Host-machine-echo-example-com":{"rule":"Host:machine-echo.example.com"}},"passHostHeader":true,"priority":0,"basicAuth":[],"headers":{}},"frontend-Host-traefik-traefik-docker-localhost":{"entryPoints":["http"],"backend":"backend-traefik-traefik","routes":{"route-frontend-Host-traefik-traefik-docker-localhost":{"rule":"Host:traefik.traefik.docker.localhost"}},"passHostHeader":true,"priority":0,"basicAuth":[],"headers":{}}}}" 
time="2017-10-26T15:00:17Z" level=debug msg="Last docker config received more than 2s, OK" 
time="2017-10-26T15:00:17Z" level=debug msg="Creating frontend frontend-Host-echo-echo-example-com" 
time="2017-10-26T15:00:17Z" level=debug msg="Wiring frontend frontend-Host-echo-echo-example-com to entryPoint http" 
time="2017-10-26T15:00:17Z" level=debug msg="Creating route route-frontend-Host-echo-echo-example-com Host:echo-echo.example.com" 
time="2017-10-26T15:00:17Z" level=debug msg="Creating backend backend-echo" 
time="2017-10-26T15:00:17Z" level=debug msg="Creating load-balancer wrr" 
time="2017-10-26T15:00:17Z" level=debug msg="Creating server server-traefik_echo_1 at http://172.17.0.2:80 with weight 0" 
time="2017-10-26T15:00:17Z" level=debug msg="Creating frontend frontend-Host-machine-echo-example-com" 
time="2017-10-26T15:00:17Z" level=debug msg="Wiring frontend frontend-Host-machine-echo-example-com to entryPoint http" 
time="2017-10-26T15:00:17Z" level=debug msg="Creating route route-frontend-Host-machine-echo-example-com Host:machine-echo.example.com" 
time="2017-10-26T15:00:17Z" level=debug msg="Creating backend backend-machine-echo" 
time="2017-10-26T15:00:17Z" level=debug msg="Creating load-balancer wrr" 
time="2017-10-26T15:00:17Z" level=debug msg="Creating server server-traefik_machine_1 at http://172.17.0.3:80 with weight 0" 
time="2017-10-26T15:00:17Z" level=debug msg="Creating frontend frontend-Host-traefik-traefik-docker-localhost" 
time="2017-10-26T15:00:17Z" level=debug msg="Wiring frontend frontend-Host-traefik-traefik-docker-localhost to entryPoint http" 
time="2017-10-26T15:00:17Z" level=debug msg="Creating route route-frontend-Host-traefik-traefik-docker-localhost Host:traefik.traefik.docker.localhost" 
time="2017-10-26T15:00:17Z" level=debug msg="Creating backend backend-traefik-traefik" 
time="2017-10-26T15:00:17Z" level=debug msg="Creating load-balancer wrr" 
time="2017-10-26T15:00:17Z" level=debug msg="Creating server server-traefik_traefik_1 at http://172.17.0.4:80 with weight 0" 
time="2017-10-26T15:00:17Z" level=info msg="Server configuration reloaded on " 

When I test Traefik, here is the output:

curl -H Host:machine-echo.example.com http://127.0.0.1
curl: (56) Recv failure: Connection reset by peer

But, when I removed the forward authentication config from traefik.toml, the request was successfully redirected to the docker container:

curl -H Host:machine-echo.example.com http://127.0.0.1
<h1>This request was processed by host: 2a291e3bb05f</h1>

What could possibly be wrong?

asked Oct 26 '17 15:10

DanielSP


1 Answer

Looks like there is a typo in the docs. Took me a while to figure that out:

[entrypoints.http.auth.forward]

should be:

[entryPoints.http.auth.forward]

Capital "P" in "entryPoints"

answered Jan 04 '23 00:01

three
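
A pre-deployment check for the mismatch this answer identifies, as an added example that is not part of the original posts or of Traefik: it flags table headers in a traefik.toml whose paths differ only by letter case. The name `case_collisions` and the embedded samples (copied from the question's config) are assumptions for illustration, and only bare-key table headers are handled.

```python
import re
from collections import defaultdict

# Matches [table] and [[array-of-tables]] headers made of bare keys.
HEADER = re.compile(r"^\s*\[\[?\s*([A-Za-z0-9_.-]+)\s*\]\]?\s*(?:#.*)?$")


def case_collisions(toml_text):
    """Map lowercased table path -> spellings, for paths written in more than one case."""
    spellings = defaultdict(set)
    for line in toml_text.splitlines():
        match = HEADER.match(line)
        if not match:
            continue
        parts = match.group(1).split(".")
        # Record every prefix so [entryPoints] and [entrypoints.http.x] are compared.
        for depth in range(1, len(parts) + 1):
            prefix = ".".join(parts[:depth])
            spellings[prefix.lower()].add(prefix)
    bad = {k: sorted(v) for k, v in spellings.items() if len(v) > 1}
    # Report only the shortest colliding path; longer ones follow from it.
    return {k: v for k, v in bad.items()
            if not any(k.startswith(p + ".") for p in bad)}


# Constructed sample: the traefik.toml from the question.
BROKEN = """
debug = true
logLevel = "DEBUG"
defaultEntryPoints = ["http"]

[entryPoints]
  [entryPoints.http]
  address = ":80"
    [entrypoints.http.auth.forward]
    address = "http://172.27.10.56:9999/verify"

[web]
address = ":8080"
"""

# Constructed sample: the same file with the answer's correction applied.
FIXED = BROKEN.replace("[entrypoints.", "[entryPoints.")

if __name__ == "__main__":
    for name, text in (("broken", BROKEN), ("fixed", FIXED)):
        print(name, case_collisions(text) or "no case-colliding table names")
```

In the question's startup log the same problem is visible as an `http` entry point with `"Address":""` and the line `Starting server on `, so an empty entry-point address in the debug output is worth checking after any change to an auth section.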