Basic auth credentials are omitted on api requests
jansauer opened this issue · 1 comments
It is possible to setup a context with a api url that contains authentication credentials for basic auth but when the cli does request to the api they get omitted.
Steps to reproduce:
- Generate some
$ htpasswd -nbBC 8 fn mysecretpassword
fn:$2y$08$eXPyw.TUynvtd5EB750tJeBATIhM2gmY0SggFcEeDBetC7cuCfbp2
- Start a local fn instance with a proxy in front of it that does the basic authentication via docker. Replace the hostname with your own!
$ docker network create fn
$ docker run -d --rm \
--name fn \
--privileged \
--volume /var/run/docker.sock:/var/run/docker.sock \
--network fn \
--label traefik.enable=true \
--label traefik.port=8080 \
--label traefik.frontend.rule=Host:MacBook-Pro-2.fritz.box \
--label traefik.frontend.auth.basic.users=fn:\$2y\$08\$eXPyw.TUynvtd5EB750tJeBATIhM2gmY0SggFcEeDBetC7cuCfbp2 \
fnproject/fnserver:0.3.707
$ docker run -d --rm \
--name traefik \
--volume /var/run/docker.sock:/var/run/docker.sock \
--network fn \
--publish 80:80 \
--publish 8080:8080 \
traefik:v1.7.12-alpine \
--entryPoints='Name:http Address::80' \
--defaultentrypoints='http' \
--docker \
--docker.domain=MacBook-Pro-2.fritz.box \
--docker.exposedbydefault=false \
--loglevel=INFO
Traefik is a cloud native reverse proxy / load-balancer. In this setup traefik searches docker for running containers and routes traffic based on labels it finds on the containers.
- Check that the fn api is up and requires basic authentication.
$ curl MacBook-Pro-2.fritz.box/v2/apps
401 Unauthorized
$ curl fn:mysecretpassword@MacBook-Pro-2.fritz.box/v2/apps
{"items":[]}%
- Setup a context with the fn cli
$ fn create context --api-url "http://fn:mysecretpassword@MacBook-Pro-2.fritz.box" auth
Successfully created context: auth
$ fn use ctx auth
Now using context: auth
$ fn list contexts
CURRENT NAME PROVIDER API URL REGISTRY
* auth default http://fn:mysecretpassword@MacBook-Pro-2.fritz.box
default default http://localhost:8080
- Query something
$ fn list apps
Fn: &{ } (*modelsv2.Error) is not supported by the TextConsumer, can be resolved by supporting TextUnmarshaler interface
See 'fn <command> --help' for more information. Client version: 0.5.81
Unfortunately this error message is not really user friendly / understandable. But it is possible to use the traefik Total Status Code Count at http://localhost:8080/dashboard/status to see that the proxy responded with 401 Unauthorized.
I also used a http debug proxy (charles) to verify that the a authorization header is missing on the requests to the backend.
Expected behaviour
- A better error message in cases where api calls do not succeed.
- If it is possible to setup an api url with basic auth credentials i expect them to be used for request. Or at least not be able the successfully configure a api url with credentials
2 years later, I am facing this problem. Hopefully this will get supported soon.
Reason being I have multiple dashboards (traefik included), each using basic auth middleware. As such it is useful to get the 401 metrics.