thomseddon / traefik-forward-auth

Minimal forward authentication service that provides Google/OpenID oauth based login and authentication for the traefik reverse proxy
MIT License
2.18k stars 412 forks

[BUG] Can't set whitelist for rule #289

Open gabriel-milan opened 2 years ago

gabriel-milan commented 2 years ago

Hello there, first of all thanks for the amazing project!

I've been facing some issues on the traefik-v2/kubernetes/advanced-separate-pod example.

When I set a "global" whitelist on my traefik-forward-auth.ini file, such as:

log-level = "debug"
log-format = "pretty"
cookie-domain = "my-ip.nip.io"
insecure-cookie = false
whitelist = my@email.com

it works fine! But, unfortunately, when I try to do:

log-level = "debug"
log-format = "pretty"
cookie-domain = "my-ip.nip.io"
insecure-cookie = false

rule.whoami.rule=Host("whoami.my-ip.nip.io")
rule.whoami.whitelist=my@email.com

it doesn't. In the logs I can see that no whitelist has been set for the whoami rule:

time="2021-12-14T19:00:39Z" level=debug msg="Starting with config" config="{\"LogLevel\":\"debug\",\"LogFormat\":\"pretty\",\"AuthHost\":\"auth.example.com\",\"CookieDomains\":[{\"Domain\":\"my-ip.nip.io\",\"DomainLen\":20,\"SubDomain\":\".my-ip.nip.io\",\"SubDomainLen\":21}],\"InsecureCookie\":false,\"CookieName\":\"_forward_auth\",\"CSRFCookieName\":\"_forward_auth_csrf\",\"DefaultAction\":\"auth\",\"DefaultProvider\":\"google\",\"Domains\":[\"example.com\"],\"LifetimeString\":43200,\"LogoutRedirect\":\"\",\"MatchWhitelistOrDomain\":false,\"Path\":\"/_oauth\",\"Whitelist\":null,\"Providers\":{\"Google\":{\"ClientID\":\"69249607839-l35k26730jj8boj538mvd3ojf09ihui8.apps.googleusercontent.com\",\"Scope\":\"https://www.googleapis.com/auth/userinfo.profile https://www.googleapis.com/auth/userinfo.email\",\"Prompt\":\"select_account\",\"LoginURL\":{\"Scheme\":\"https\",\"Opaque\":\"\",\"User\":null,\"Host\":\"accounts.google.com\",\"Path\":\"/o/oauth2/auth\",\"RawPath\":\"\",\"ForceQuery\":false,\"RawQuery\":\"\",\"Fragment\":\"\"},\"TokenURL\":{\"Scheme\":\"https\",\"Opaque\":\"\",\"User\":null,\"Host\":\"www.googleapis.com\",\"Path\":\"/oauth2/v3/token\",\"RawPath\":\"\",\"ForceQuery\":false,\"RawQuery\":\"\",\"Fragment\":\"\"},\"UserURL\":{\"Scheme\":\"https\",\"Opaque\":\"\",\"User\":null,\"Host\":\"www.googleapis.com\",\"Path\":\"/oauth2/v2/userinfo\",\"RawPath\":\"\",\"ForceQuery\":false,\"RawQuery\":\"\",\"Fragment\":\"\"}},\"OIDC\":{\"IssuerURL\":\"\",\"ClientID\":\"\",\"Resource\":\"\",\"Config\":null},\"GenericOAuth\":{\"AuthURL\":\"\",\"TokenURL\":\"\",\"UserURL\":\"\",\"ClientID\":\"\",\"Scopes\":[\"profile\",\"email\"],\"TokenStyle\":\"header\",\"Resource\":\"\",\"Config\":null}},\"Rules\":{\"whoami\":{\"Action\":\"auth\",\"Rule\":\"Host(\\\"whoami.my-ip.nip.io\\\")\",\"Provider\":\"google\"}},\"Lifetime\":43200000000000,\"CookieDomainsLegacy\":null,\"CookieSecureLegacy\":\"\",\"ClientIdLegacy\":\"\",\"PromptLegacy\":\"\"}"

(a little prettier now)

"Rules": {
  "whoami": {
    "Action": "auth",
    "Rule": "Host(\"whoami.my-ip.nip.io\")",
    "Provider": "google"
  }
}

This leads me to the following error:

level=warning msg="Invalid email" email=my@email.com handler=Auth host=whoami.my-ip.nip.io method=GET proto=https rule=whoami

As you can see, it's going through the correct rule, but unfortunately it's not setting any whitelist for it.

Am I missing something on my config file?
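
A check for the symptom above, added here as an example and not part of the project or of this issue: it parses the debug "Starting with config" line, reports what each auth rule would actually enforce, and flags rules whose own whitelist never made it into the running config. The sample log line is constructed from the one above (trimmed to the keys the check needs), and the precedence of rule-level lists over the global ones is an assumption of this example.

```python
import json
import re

# Constructed sample, modelled on the "Starting with config" line in this issue
# (trimmed to the keys the check needs). It is a Go %q-quoted JSON document:
# the JSON quotes appear as \" and the quotes inside Host(...) as \\\".
SAMPLE_LOG = (
    r'time="2021-12-14T19:00:39Z" level=debug msg="Starting with config" '
    r'config="{\"LogLevel\":\"debug\",\"DefaultAction\":\"auth\",'
    r'\"MatchWhitelistOrDomain\":false,\"Whitelist\":null,\"Domains\":[\"example.com\"],'
    r'\"Rules\":{\"whoami\":{\"Action\":\"auth\",'
    r'\"Rule\":\"Host(\\\"whoami.my-ip.nip.io\\\")\",\"Provider\":\"google\"}}}"'
)

# Matches the config="..." field, stepping over escaped quotes and backslashes.
CONFIG_FIELD = re.compile(r'config="((?:[^"\\]|\\.)*)"')


def parse_config_log(line):
    """Extract and decode the config JSON from a logrus 'Starting with config' line."""
    m = CONFIG_FIELD.search(line)
    if m is None:
        raise ValueError("no config= field in log line")
    # Undo the %q quoting first (JSON string rules cover \" and \\), then parse the JSON.
    return json.loads(json.loads('"' + m.group(1) + '"'))


def effective_restrictions(cfg):
    """Map each rule that performs auth to the (whitelist, domains) it would enforce.
    Assumption for this example: a rule's own lists take precedence when present,
    otherwise the global Whitelist/Domains apply."""
    out = {}
    for name, rule in cfg.get("Rules", {}).items():
        if rule.get("Action", cfg.get("DefaultAction")) != "auth":
            continue
        whitelist = rule.get("Whitelist") or cfg.get("Whitelist") or []
        domains = rule.get("Domains") or cfg.get("Domains") or []
        out[name] = (list(whitelist), list(domains))
    return out


def rules_without_own_whitelist(cfg):
    """Rules whose own Whitelist is missing from the logged config (the symptom above)."""
    return sorted(n for n, r in cfg.get("Rules", {}).items() if not r.get("Whitelist"))


if __name__ == "__main__":
    config = parse_config_log(SAMPLE_LOG)
    for name, (wl, doms) in effective_restrictions(config).items():
        print(f"rule {name}: whitelist={wl or 'none'} domains={doms or 'none'}")
    print("rules missing their own whitelist:", rules_without_own_whitelist(config))
```

For the sample line the whoami rule falls back to the global lists, so only the "example.com" domain restriction applies and the rule is flagged; a rule whose `rule.whoami.whitelist` had been parsed would show its own address list instead.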

rcomanne commented 2 years ago

I am experiencing exactly the same: when defining whitelist(s) on rules, they seem to be totally discarded. Not only do they not show up in the logged config on startup, but everyone keeps access.

joeryan commented 2 years ago

I could not get defined domains on specific rules working either. Only global settings are being used on the latest image.

rsubr commented 2 years ago

> I am experiencing exactly the same: when defining whitelist(s) on rules, they seem to be totally discarded. Not only do they not show up in the logged config on startup, but everyone keeps access.

I'm facing the same problem. A rule with a whitelist is getting ignored entirely, everyone gets access.

DeadPackets commented 2 years ago

I solved this problem by using the latest tag for this image instead of 2 as recommended in the README.

osotechie commented 2 years ago

I have been trying to get rules with a whitelist working... I have tried different image versions and nothing seems to work.

This is my config:

Traefik-Forward-Auth:
  container_name: Traefik-Forward-Auth
  hostname: Traefik-Forward-Auth
  image: thomseddon/traefik-forward-auth:latest
  restart: always
  networks:
    IoT:
      ipv4_address: 10.1.11.253
  environment:

No matter what I do, when I check the logs, any request against file.${DOMAIN} does not show it using the File rule. It instead shows it using the default rule.