Pathauth is a middleware plugin for Traefik that applies more detailed authorization to multiple endpoints at once. This plugin was developed to work well together with the Traefik Enterprise OpenID Connect Authentication Middleware and thomseddon's traefik-forward-auth.
```yaml
pilot:
  token: "xxxxx"

experimental:
  plugins:
    pathauth:
      moduleName: "github.com/nilskohrs/pathauth"
      version: "v0.1.5"
```
```yaml
http:
  middlewares:
    pathauth-foo:
      pathauth:
        source:
          type: "header" # optional, default = header
          name: "X-Forwarded-User"
          delimiter: "," # the delimiter is useful if the input header has multiple values, for example roles. We can then check if the request meets any of the values from the headers. optional
        authorization:
          - path:
              - ".*/admin/.*" # regex, multiple paths allowed
              - ".*/swagger-ui/.*"
            host:
              - "^example.com$" # regex, optional, multiple hosts allowed
              - "^foo.example.com$"
            allowed:
              - "update-only-user"
              - "admin-user"
            priority: 0 # the priority in which the authorization rule will be checked. Higher priority will be checked first. optional, default = 0
          - path: ".*/admin/.*"
            method: # http methods which this rule matches with. optional, default = all methods
              - GET
            allowed: "admin-user"
            priority: 1
```
Authorization rules are processed in descending order of their assigned priority. Avoid overlapping authorization rules with the same priority, as there is no guarantee of the order in which rules with the same priority are processed.
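The ordering caveat above can be checked before deployment. The following is an added example, not the plugin's own code: it models the rules from the configuration and reports which of them match a request at the highest priority, so a result with more than one index flags the same-priority overlap to avoid. The `Rule` struct, `TopMatches`, the third sample rule, unanchored regex search and treating an omitted host or method as match-all are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"regexp"
)

// Rule mirrors one entry of the authorization list (hypothetical type, not the plugin's).
type Rule struct {
	Paths, Hosts, Methods, Allowed []string
	Priority                       int
}

var sampleRules = []Rule{ // first two from the YAML above, third constructed to overlap
	{Paths: []string{".*/admin/.*", ".*/swagger-ui/.*"}, Hosts: []string{"^example.com$", "^foo.example.com$"}, Allowed: []string{"update-only-user", "admin-user"}, Priority: 0},
	{Paths: []string{".*/admin/.*"}, Methods: []string{"GET"}, Allowed: []string{"admin-user"}, Priority: 1},
	{Paths: []string{".*/swagger-ui/.*"}, Allowed: []string{"docs-user"}, Priority: 0},
}

// anyMatch reports whether s matches any entry; an empty (omitted) list matches everything.
// Entries are regexes when regex is true, exact strings otherwise. A bad regex panics.
func anyMatch(list []string, s string, regex bool) bool {
	for _, p := range list {
		if (regex && regexp.MustCompile(p).MatchString(s)) || (!regex && p == s) {
			return true
		}
	}
	return len(list) == 0
}

// TopMatches returns the indexes of the matching rules that share the highest priority.
// More than one index means the deciding rule depends on an unguaranteed order.
func TopMatches(rules []Rule, method, host, path string) []int {
	var top []int
	for i, r := range rules {
		if !anyMatch(r.Methods, method, false) || !anyMatch(r.Hosts, host, true) || !anyMatch(r.Paths, path, true) {
			continue
		}
		if len(top) > 0 && r.Priority > rules[top[0]].Priority {
			top = nil // a higher-priority match supersedes everything seen so far
		}
		if len(top) == 0 || r.Priority == rules[top[0]].Priority {
			top = append(top, i)
		}
	}
	return top
}

func main() {
	fmt.Println(TopMatches(sampleRules, "GET", "example.com", "/api/swagger-ui/index.html"))
}
```

Running a set of representative requests through `TopMatches` in CI and failing on any result longer than one index catches ambiguous rule sets before they reach Traefik.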