mamba-org/quetz

azure redirect_uri returns http scheme even if I set --proxy-headers

sanzoghenzo opened this issue · 1 comment

Hi there,
as I said earlier, I'm updating my quetz instance to use Azure AD as authenticator.

The "login with Azure AD" correctly redirects me to my company login page, but after logging in I get a redirect URI mismatch error because the redirect link uses the http scheme instead of https.

I searched for the issue and found out that I needed to add the --proxy-headers flag, but even with that I got the same error.

Below is my configuration; I also tried changing QUETZ_SESSION_HTTPS_ONLY to true, but nothing changed.
What am I missing here?

version: "3.3"

services:
  quetz:
    image: mambaorg/quetz:v0.6.2
    volumes:
      - quetz:/quetz-deployment
    restart: always
    command: sh -c "quetz init-db /quetz-deployment && quetz start /quetz-deployment --host 0.0.0.0 --port 8000 --proxy-headers"
    labels:
      - traefik.enable=true
      - traefik.http.routers.quetz.rule=Host(`conda.mydomain.com`)
      - traefik.http.services.quetz.loadBalancer.server.port=8000
      - traefik.http.routers.quetz.tls=true
      - traefik.http.routers.quetz.tls.certResolver=production 
    environment:
      QUETZ_LOG_LEVEL: debug
      QUETZ_AZUREAD_CLIENT_ID:
      QUETZ_AZUREAD_CLIENT_SECRET:
      QUETZ_AZUREAD_TENANT_ID:
      QUETZ_SQLALCHEMY_DATABASE_URL: sqlite:////quetz-deployment/quetz.sqlite
      QUETZ_SESSION_SECRET:
      QUETZ_SESSION_HTTPS_ONLY: "false"
      QUETZ_USERS_ADMINS: <myemail>
      QUETZ_USERS_MAINTAINERS: <other,emails>

  traefik:
    image: "traefik:latest"
    command:
      - --entryPoints.web.address=:80
      - --entryPoints.web.http.redirections.entryPoint.to=websecure
      - --entryPoints.web.http.redirections.entryPoint.scheme=https
      - --entryPoints.websecure.address=:443
      - --entryPoints.websecure.http.tls.certResolver=production
      # ... other traefik configs ...

volumes:
  quetz:

Unfilled env vars are actually set via a .env file.

OK, it seems that I need to set uvicorn's FORWARDED_ALLOW_IPS environment variable to the Traefik IP (or "*", since the Traefik docker container has no fixed IP).

Now I can log in, but I got the same problem as #434 ...
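The behaviour described in this thread comes down to one trust decision: a "proxy headers" feature rewrites the request scheme and client address from X-Forwarded-Proto / X-Forwarded-For only when the directly connected peer is in the allow-list, and uvicorn's documented default for that list is 127.0.0.1, which a Traefik container on a Docker network never matches. The following is an added, constructed illustration of that mechanism (not uvicorn's or quetz's own code): the Docker addresses 172.18.0.2 / 172.18.0.0/16, the external address 203.0.113.5, and the callback path /oauth-callback are assumptions, and whether your uvicorn version accepts CIDR ranges in FORWARDED_ALLOW_IPS (this example does) is something to check before relying on it.

```python
import ipaddress

# Constructed illustration of forwarded-header trust handling; it mirrors the
# idea behind uvicorn's --proxy-headers / FORWARDED_ALLOW_IPS but is not that code.

def parse_trusted(allow: str):
    """Turn an allow-list like "*", "172.18.0.2" or "172.18.0.0/16" into networks."""
    if allow.strip() == "*":
        return [ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_network("::/0")]
    nets = []
    for item in allow.split(","):
        item = item.strip()
        if item:
            nets.append(ipaddress.ip_network(item, strict=False))
    return nets


def is_trusted(ip: str, trusted) -> bool:
    """True when ip falls inside one of the trusted networks; unparseable -> False."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in trusted)


def client_from_xff(xff: str, peer_ip: str, trusted) -> str:
    """Walk X-Forwarded-For from the right, skipping hops we trust; the first
    untrusted hop is the real client. If every hop is trusted, use the left-most."""
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    for hop in reversed(hops):
        if is_trusted(hop, trusted):
            continue
        return hop
    return hops[0] if hops else peer_ip


def resolve_request(peer_ip: str, headers: dict, trusted, conn_scheme: str = "http"):
    """Return (scheme, client_ip) as the application would see them.

    Forwarded headers are honoured only when the *direct* peer is trusted;
    otherwise the raw connection values are kept, whatever the headers claim."""
    scheme, client = conn_scheme, peer_ip
    if not is_trusted(peer_ip, trusted):
        return scheme, client
    proto = headers.get("x-forwarded-proto", "")
    if proto:
        proto = proto.split(",")[0].strip().lower()
        if proto in ("http", "https"):
            scheme = proto
    xff = headers.get("x-forwarded-for", "")
    if xff:
        client = client_from_xff(xff, peer_ip, trusted)
    return scheme, client


def redirect_uri(peer_ip: str, headers: dict, trusted,
                 host: str = "conda.mydomain.com", path: str = "/oauth-callback") -> str:
    """The redirect URI an OAuth login would build from the resolved scheme
    (path is a placeholder, not quetz's real callback route)."""
    scheme, _ = resolve_request(peer_ip, headers, trusted)
    return f"{scheme}://{host}{path}"


if __name__ == "__main__":
    traefik = {"x-forwarded-proto": "https", "x-forwarded-for": "198.51.100.7"}
    # 1. uvicorn default allow-list: the container peer is not trusted -> http (the issue)
    print(redirect_uri("172.18.0.2", traefik, parse_trusted("127.0.0.1")))
    # 2. trust the proxy's network -> https
    print(redirect_uri("172.18.0.2", traefik, parse_trusted("172.18.0.0/16")))
    # 3. "*" lets an untrusted peer spoof the client address
    spoof = {"x-forwarded-for": "10.0.0.1"}
    print(resolve_request("203.0.113.5", spoof, parse_trusted("*")))
    print(resolve_request("203.0.113.5", spoof, parse_trusted("172.18.0.0/16")))
```

Cases 1 and 2 reproduce the thread: the same X-Forwarded-Proto header is ignored under the default allow-list and honoured once the proxy's address is trusted. Cases 3 and 4 show why "*" is a broader setting than it looks: with everything trusted, a client that bypasses the proxy (or a second listener) can choose its own scheme and client address, whereas scoping the allow-list to the Docker network keeps such headers inert. With this compose file the quetz port is not published, so only Traefik can reach it, which limits that exposure; a fixed address or the network range is still the tighter choice.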