HTTP Authorization Policy Middleware

v0.0.3

A Traefik middleware plugin that performs attribute-based authorization on HTTP requests using a type-safe expression language.

Overview

This plugin enables fine-grained access control based on HTTP request attributes (method, path, host, headers) using a custom expression language. Expressions are compiled and type-checked at Traefik startup, catching configuration errors before they reach production.

Key Features:

  • Type-safe expression language with compile-time validation
  • Built-in test framework validated at startup
  • Fail-closed security model (errors deny access)
  • Case-insensitive header lookups
  • Minimal overhead (compiled WASM)

Playground

Try the expression language in your browser at the online playground. You can write expressions, configure mock requests, and see evaluation results instantly — no Traefik installation required.

Installation

Add the plugin to your Traefik static configuration:

# traefik.yml
experimental:
  plugins:
    http-authz-policy-middleware:
      moduleName: github.com/andrewkroh/http-authz-policy-middleware
      version: v0.0.2

Traefik will download the plugin from the Plugin Catalog on startup.

Quick Start

http:
  middlewares:
    team-auth:
      plugin:
        authz:
          expression: 'contains(headerList("X-Auth-User-Teams"), "platform-eng")'
          denyStatusCode: 403
          denyBody: "Access denied: requires platform-eng team membership"
          tests:
            - name: "platform-eng team allowed"
              request:
                headers:
                  X-Auth-User-Teams: "platform-eng,devops"
              expect: true
            - name: "other teams denied"
              request:
                headers:
                  X-Auth-User-Teams: "marketing"
              expect: false

Expression Language Reference

Built-in Identifiers

  • method - HTTP request method (GET, POST, etc.)
  • path - Request path
  • host - Request host

Operators

  • ==, != - String equality/inequality
  • startsWith, endsWith - String prefix/suffix match
  • contains - Substring match
  • matches - Regex match (RE2 syntax)
  • AND, OR, NOT - Boolean operators

Built-in Functions

  • header(name) - Get first header value (empty string if missing)
  • headerValues(name) - Get all header values as array
  • headerList(name) - Get header value split by comma into array
  • contains(list, item) - Check if array contains item
  • anyOf(list, item1, item2, ...) - Check if array contains any of the items
  • allOf(list, item1, item2, ...) - Check if array contains all of the items

Examples

# Method check
method == "GET"

# Path-based access
path startsWith "/api/admin"

# Team membership
contains(headerList("X-Auth-User-Teams"), "platform-eng")

# Complex logic
(method == "GET" OR method == "HEAD") AND path startsWith "/public"

# Regex
matches(path, "^/api/v[0-9]+/.*")

# Multiple teams
anyOf(headerList("X-Auth-User-Teams"), "platform-eng", "devops", "sre")

Configuration Schema

Middleware Configuration:

  • expression (string, required) - Authorization expression
  • denyStatusCode (int, default: 403) - HTTP status for denied requests
  • denyBody (string, default: "Forbidden") - Response body for denied requests
  • tests (array, optional) - Test cases validated at startup

Test Case Schema:

  • name (string) - Test description
  • request (object) - Mock request with method, path, host, headers
  • expect (boolean) - Expected result (true = allow, false = deny)
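The following Go program is an added illustration, not code from this plugin, of the semantics described above: the header helpers (header, headerValues, headerList, contains, anyOf, allOf) with case-insensitive lookups, the Quick Start expression and its two startup test cases, a "path matches" policy whose RE2 pattern is validated before any request is served, and the fail-closed rule that an evaluation error is always a deny. The type and function names (Policy, Decide, TestCase, runStartupTests, pathMatches, teamPolicy) are this example's own, as is the choice to split only the first header value on commas; the real plugin is compiled to WASM and its internals are not shown here.

```go
package main

import (
	"fmt"
	"net/http"
	"regexp"
	"strings"
)

// Policy is a compiled authorization expression: allow (true), deny (false), or an error.
type Policy func(r *http.Request) (bool, error)

// header returns the first value of the named header, or "" when absent.
// net/http canonicalizes header keys, so the lookup is case-insensitive.
func header(r *http.Request, name string) string { return r.Header.Get(name) }

// headerValues returns every value sent for the header, one per header line.
func headerValues(r *http.Request, name string) []string { return r.Header.Values(name) }

// headerList splits the first header value on commas and trims whitespace, so
// "platform-eng, devops" becomes [platform-eng devops] (first-value-only is this example's assumption).
func headerList(r *http.Request, name string) []string {
	var out []string
	for _, part := range strings.Split(header(r, name), ",") {
		if p := strings.TrimSpace(part); p != "" {
			out = append(out, p)
		}
	}
	return out
}

// contains reports whether item is an element of list.
func contains(list []string, item string) bool {
	for _, v := range list {
		if v == item {
			return true
		}
	}
	return false
}

// anyOf: at least one of items is in list; allOf: every item is in list.
func anyOf(list []string, items ...string) bool {
	for _, it := range items {
		if contains(list, it) {
			return true
		}
	}
	return false
}

func allOf(list []string, items ...string) bool {
	for _, it := range items {
		if !contains(list, it) {
			return false
		}
	}
	return true
}

// teamPolicy hand-translates the Quick Start expression
// contains(headerList("X-Auth-User-Teams"), "platform-eng").
func teamPolicy(r *http.Request) (bool, error) {
	return contains(headerList(r, "X-Auth-User-Teams"), "platform-eng"), nil
}

// pathMatches compiles the RE2 pattern once, up front, so a bad regex is rejected before serving.
func pathMatches(pattern string) (Policy, error) {
	re, err := regexp.Compile(pattern)
	if err != nil {
		return nil, fmt.Errorf("invalid pattern %q: %w", pattern, err)
	}
	return func(r *http.Request) (bool, error) { return re.MatchString(r.URL.Path), nil }, nil
}

// Decide applies the fail-closed model: an evaluation error is a deny, never an allow.
func Decide(p Policy, r *http.Request) bool {
	allowed, err := p(r)
	return err == nil && allowed
}

// TestCase mirrors the README's test schema: mock request headers and the expected result.
type TestCase struct {
	Name    string
	Headers map[string]string
	Expect  bool
}

// quickStartCases are the two test cases from the Quick Start configuration.
var quickStartCases = []TestCase{
	{"platform-eng team allowed", map[string]string{"X-Auth-User-Teams": "platform-eng,devops"}, true},
	{"other teams denied", map[string]string{"X-Auth-User-Teams": "marketing"}, false},
}

// runStartupTests returns the first mismatch, so a misconfigured policy is refused at startup.
func runStartupTests(p Policy, cases []TestCase) error {
	for _, tc := range cases {
		r, _ := http.NewRequest(http.MethodGet, "http://example.invalid/", nil)
		for k, v := range tc.Headers {
			r.Header.Set(k, v)
		}
		if got := Decide(p, r); got != tc.Expect {
			return fmt.Errorf("startup test %q: expected %v, got %v", tc.Name, tc.Expect, got)
		}
	}
	return nil
}
```

Calling runStartupTests(teamPolicy, quickStartCases) before serving traffic returns nil for the two Quick Start cases and a descriptive error for any expectation the policy does not meet, which is the point of validating tests at startup rather than discovering a wrong expression in production. Decide treats an error from a policy as a deny, so a malformed or unexpectedly failing expression can never turn into an allow.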

Examples

Complete Traefik configurations in examples/:

License

MIT