Loop when authorising user?
PixNyb opened this issue · 3 comments
I've tried to follow the setup and examples as closely as I can, and looked through the issues as much as possible, but I can't seem to get the forward auth container to work properly. Everything works up until the redirect back to the auth service, which sends me back to the login page and eventually enters a loop until the provider has had enough and logs me back out. I'm probably missing something; anyone willing to help me out?
Docker compose:
```yaml
services:
  traefik:
    image: traefik:2.11
    command:
      - --providers.docker
      - --providers.docker.exposedbydefault=false
      - --providers.docker.swarmmode
      - --providers.file.filename=/config/dynamic.yml
      - --entrypoints.http.address=:80
      - --entrypoints.https.address=:443
      - --certificatesresolvers.le.acme.email=xxx@xxx.xxx
      - --certificatesresolvers.le.acme.storage=/config/acme.json
      - --certificatesresolvers.le.acme.tlschallenge=true
      - --certificatesresolvers.le.acme.dnschallenge=true
      - --certificatesresolvers.le.acme.dnschallenge.provider=cloudflare
      - --certificatesResolvers.le.acme.dnsChallenge.resolvers=1.1.1.1:53,1.0.0.1:53
      - --accesslog
      - --log
      - --api
    ports:
      - 80:80
      - 443:443
      - 2222:2222
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - traefik:/config
    networks:
      - traefik
    environment:
      - LEGO_DISABLE_CNAME_SUPPORT=true
      - CF_API_EMAIL=xxx@xxx.xxx
      - CF_API_KEY=xxx
      - CLOUDFLARE_PROPAGATION_TIMEOUT=3600
    deploy:
      placement:
        constraints:
          - node.role == manager
      labels:
        - traefik.enable=true
        - traefik.docker.network=traefik
        - traefik.http.middlewares.https-redirect.redirectscheme.scheme=https
        - traefik.http.middlewares.https-redirect.redirectscheme.permanent=true
        - traefik.http.middlewares.extended-headers.headers.accesscontrolallowheaders=*
        - traefik.http.middlewares.extended-headers.headers.contentSecurityPolicy=upgrade-insecure-requests
        - traefik.http.middlewares.extended-headers.headers.referrerPolicy=no-referrer-when-downgrade
        - traefik.http.routers.http-catchall.rule=HostRegexp(`{host:.+}`)
        - traefik.http.routers.http-catchall.entrypoints=http
        - traefik.http.routers.http-catchall.middlewares=https-redirect
        - traefik.http.routers.http-catchall.priority=1
        - traefik.http.routers.traefik-https.rule=Host(`traefik.xxx.xxx`)
        - traefik.http.routers.traefik-https.entrypoints=https
        - traefik.http.routers.traefik-https.tls=true
        - traefik.http.routers.traefik-https.tls.certresolver=le
        - traefik.http.routers.traefik-https.service=api@internal
        - traefik.http.routers.traefik-https.middlewares=auth
        - traefik.http.services.traefik.loadbalancer.server.port=8080
  auth:
    image: thomseddon/traefik-forward-auth:2
    command:
      - --cookie-domain=xxx.xxx
      - --cookie-domain=yyy.yyy
    environment:
      - SECRET=xxx
      - INSECURE_COOKIE=false
      - DOMAIN=xxx.xxx
      - DEFAULT_PROVIDER=generic-oauth
      - PROVIDERS_GENERIC_OAUTH_AUTH_URL=https://github.com/login/oauth/authorize
      - PROVIDERS_GENERIC_OAUTH_TOKEN_URL=https://github.com/login/oauth/access_token
      - PROVIDERS_GENERIC_OAUTH_USER_URL=https://api.github.com/user
      - PROVIDERS_GENERIC_OAUTH_CLIENT_ID=xxx
      - PROVIDERS_GENERIC_OAUTH_CLIENT_SECRET=xxx
      - AUTH_HOST=auth.xxx.xxx
    networks:
      - traefik
    deploy:
      mode: replicated
      replicas: 1
      labels:
        - traefik.enable=true
        - traefik.docker.network=traefik
        - traefik.http.routers.auth.rule=Host(`auth.xxx.xxx`)
        - traefik.http.routers.auth.entrypoints=https
        - traefik.http.routers.auth.tls=true
        - traefik.http.routers.auth.tls.certresolver=le
        - traefik.http.routers.auth.service=auth
        - traefik.http.middlewares.auth.forwardauth.address=http://auth:4181
        - traefik.http.middlewares.auth.forwardauth.authResponseHeaders=X-Forwarded-User
        - traefik.http.middlewares.auth.forwardauth.trustForwardHeader=true
        - traefik.http.services.auth.loadbalancer.server.port=4181
  whoami:
    image: containous/whoami
    networks:
      - traefik
    deploy:
      mode: replicated
      replicas: 1
      labels:
        - traefik.enable=true
        - traefik.docker.network=traefik
        - traefik.http.routers.whoami.rule=Host(`whoami.xxx.xxx`)
        - traefik.http.routers.whoami.entrypoints=https
        - traefik.http.routers.whoami.tls=true
        - traefik.http.routers.whoami.tls.certresolver=le
        - traefik.http.routers.whoami.middlewares=auth
        - traefik.http.services.whoami.loadbalancer.server.port=80
```
Please note xxx.xxx is the same domain, but I've decided to redact it. yyy.yyy is a similar domain which also routes to the same Traefik instance.
The authorisation URL I've set up in my GitHub application is https://auth.xxx.xxx/_oauth
I've decided to try adding a different provider and the issue still remains. When I use Google it loops back to the Google login page.
I ended up being able to fix it by adding the auth middleware to the auth service as briefly mentioned in #362. I strongly recommend updating the examples in the example folder since the current stacks are incompatible with swarm.
My working docker stack looks like this:
```yaml
services:
  traefik:
    image: traefik:2.11
    command:
      - --providers.docker
      - --providers.docker.exposedbydefault=false
      - --providers.docker.swarmmode
      - --providers.file.filename=/config/dynamic.yml
      - --entrypoints.http.address=:80
      - --entrypoints.https.address=:443
      - --entrypoints.ssh.address=:2222
      - --certificatesresolvers.le.acme.email=xxx@xxx.xxx
      - --certificatesresolvers.le.acme.storage=/config/acme.json
      - --certificatesresolvers.le.acme.tlschallenge=true
      - --certificatesresolvers.le.acme.dnschallenge=true
      - --certificatesresolvers.le.acme.dnschallenge.provider=cloudflare
      - --certificatesResolvers.le.acme.dnsChallenge.resolvers=1.1.1.1:53,1.0.0.1:53
      - --accesslog
      - --log
      - --api
    ports:
      - 80:80
      - 443:443
      - 2222:2222
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - traefik:/config
    networks:
      - traefik
    environment:
      - LEGO_DISABLE_CNAME_SUPPORT=true
      - CF_API_EMAIL=xxx@xxx.xxx
      - CF_API_KEY=xxx
      - CLOUDFLARE_PROPAGATION_TIMEOUT=3600
    deploy:
      placement:
        constraints:
          - node.role == manager
      labels:
        - traefik.enable=true
        - traefik.docker.network=traefik
        # Middleware to add security headers
        - traefik.http.middlewares.extended-headers.headers.accesscontrolallowheaders=*
        - traefik.http.middlewares.extended-headers.headers.contentSecurityPolicy=upgrade-insecure-requests
        - traefik.http.middlewares.extended-headers.headers.referrerPolicy=no-referrer-when-downgrade
        # Catch all http requests and redirect to https
        - traefik.http.routers.http-catchall.rule=HostRegexp(`{host:.+}`)
        - traefik.http.routers.http-catchall.entrypoints=http
        - traefik.http.routers.http-catchall.middlewares=https-redirect
        - traefik.http.routers.http-catchall.priority=1
        - traefik.http.middlewares.https-redirect.redirectscheme.scheme=https
        - traefik.http.middlewares.https-redirect.redirectscheme.permanent=true
        # Traefik dashboard
        - traefik.http.routers.traefik-https.rule=Host(`traefik.xxx.xxx`)
        - traefik.http.routers.traefik-https.entrypoints=https
        - traefik.http.routers.traefik-https.tls=true
        - traefik.http.routers.traefik-https.tls.certresolver=le
        - traefik.http.routers.traefik-https.service=api@internal
        - traefik.http.routers.traefik-https.middlewares=traefik-auth
        - traefik.http.services.traefik.loadbalancer.server.port=8080
        - traefik.http.middlewares.traefik-auth.basicAuth.usersFile=/config/users
        # Redirect yyy.yyy to xxx.xxx
        - traefik.http.routers.redirect-https.rule=Host(`yyy.yyy`)
        - traefik.http.routers.redirect-https.entrypoints=https
        - traefik.http.routers.redirect-https.middlewares=redirect-dev
        - traefik.http.routers.redirect-https.tls=true
        - traefik.http.routers.redirect-https.tls.certresolver=le
        - traefik.http.middlewares.redirect-dev.redirectregex.regex=yyy.yyy
        - traefik.http.middlewares.redirect-dev.redirectregex.replacement=xxx.xxx
        - traefik.http.middlewares.redirect-dev.redirectregex.permanent=true
  auth:
    image: thomseddon/traefik-forward-auth:2
    command:
      - --match-whitelist-or-domain
    environment:
      - LOG_LEVEL=debug
      - LOG_FORMAT=pretty
      # - DOMAIN=xxx.xxx
      - COOKIE_DOMAIN=xxx.xxx,yyy.yyy
      - AUTH_HOST=auth.xxx.xxx
      - DEFAULT_PROVIDER=google
      - SECRET=xxx
      - PROVIDERS_GOOGLE_CLIENT_ID=xxx
      - PROVIDERS_GOOGLE_CLIENT_SECRET=xxx
      - PROVIDERS_GENERIC_OAUTH_AUTH_URL=https://github.com/login/oauth/authorize
      - PROVIDERS_GENERIC_OAUTH_TOKEN_URL=https://github.com/login/oauth/access_token
      - PROVIDERS_GENERIC_OAUTH_USER_URL=https://api.github.com/user
      - PROVIDERS_GENERIC_OAUTH_CLIENT_ID=xxx
      - PROVIDERS_GENERIC_OAUTH_CLIENT_SECRET=xxx
    networks:
      - traefik
    deploy:
      mode: replicated
      replicas: 1
      labels:
        - traefik.enable=true
        - traefik.docker.network=traefik
        - traefik.http.routers.auth.rule=Host(`auth.xxx.xxx`)
        - traefik.http.routers.auth.entrypoints=https
        - traefik.http.routers.auth.tls=true
        - traefik.http.routers.auth.tls.certresolver=le
        - traefik.http.routers.auth.service=auth
        - traefik.http.routers.auth.middlewares=auth
        - traefik.http.middlewares.auth.forwardauth.address=http://auth:4181
        - traefik.http.middlewares.auth.forwardauth.authResponseHeaders=X-Forwarded-User
        - traefik.http.middlewares.auth.forwardauth.trustForwardHeader=true
        - traefik.http.services.auth.loadbalancer.server.port=4181
  whoami:
    image: containous/whoami
    networks:
      - traefik
    deploy:
      mode: replicated
      replicas: 1
      labels:
        - traefik.enable=true
        - traefik.docker.network=traefik
        - traefik.http.routers.whoami.rule=Host(`whoami.xxx.xxx`)
        - traefik.http.routers.whoami.entrypoints=https
        - traefik.http.routers.whoami.tls=true
        - traefik.http.routers.whoami.tls.certresolver=le
        - traefik.http.routers.whoami.middlewares=auth
        - traefik.http.services.whoami.loadbalancer.server.port=80
```
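The difference between the two stacks above is a single label on the auth service's router (`traefik.http.routers.auth.middlewares=auth`). Because that omission produces a redirect loop rather than an error, it is worth catching before deployment. The following checker is an added example written for this thread; it is not part of traefik-forward-auth or Traefik. It assumes the stack has already been reduced to per-service `labels` and `environment` lists (the sample dictionaries are constructed here from the two stacks in the thread, trimmed to the relevant lines, rather than parsed from the YAML), and it flags any router whose `Host` rule covers `AUTH_HOST` but whose middleware chain contains no forwardauth middleware.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed samples (trimmed from the stacks in this thread, not copied verbatim):
# only the labels and environment entries the check below needs.
LOOPING_STACK = {
    "auth": {
        "environment": ["AUTH_HOST=auth.xxx.xxx", "DEFAULT_PROVIDER=generic-oauth"],
        "labels": [
            "traefik.enable=true",
            "traefik.http.routers.auth.rule=Host(`auth.xxx.xxx`)",
            "traefik.http.routers.auth.entrypoints=https",
            "traefik.http.routers.auth.service=auth",
            "traefik.http.middlewares.auth.forwardauth.address=http://auth:4181",
            "traefik.http.middlewares.auth.forwardauth.authResponseHeaders=X-Forwarded-User",
            "traefik.http.services.auth.loadbalancer.server.port=4181",
        ],
    },
    "whoami": {
        "environment": [],
        "labels": [
            "traefik.http.routers.whoami.rule=Host(`whoami.xxx.xxx`)",
            "traefik.http.routers.whoami.middlewares=auth",
        ],
    },
}

# The same stack plus the one label the working stack adds to the auth router.
WORKING_STACK = {
    "auth": {
        "environment": LOOPING_STACK["auth"]["environment"],
        "labels": LOOPING_STACK["auth"]["labels"]
        + ["traefik.http.routers.auth.middlewares=auth"],
    },
    "whoami": LOOPING_STACK["whoami"],
}

LABEL_RE = re.compile(r"^traefik\.http\.(routers|middlewares)\.([^.]+)\.([^=]+)=(.*)$")
HOST_RE = re.compile(r"Host\(`([^`]+)`\)")


def parse_labels(labels: List[str]) -> Tuple[Dict[str, Dict[str, str]], Set[str]]:
    """Collect router options keyed by router name, plus the names of every
    middleware that has at least one forwardauth.* option configured."""
    routers: Dict[str, Dict[str, str]] = {}
    forwardauth: Set[str] = set()
    for label in labels:
        m = LABEL_RE.match(label)
        if not m:
            continue
        kind, name, key, value = m.groups()
        key = key.lower()  # Traefik label keys are case-insensitive
        if kind == "routers":
            routers.setdefault(name, {})[key] = value
        elif kind == "middlewares" and key.startswith("forwardauth."):
            forwardauth.add(name)
    return routers, forwardauth


def env_value(environment: List[str], key: str):
    """Return the value of KEY=value in a compose-style environment list."""
    for item in environment:
        k, _, v = item.partition("=")
        if k == key:
            return v
    return None


def check_auth_host_routers(stack: Dict[str, dict]) -> List[str]:
    """Return one finding per router that serves an AUTH_HOST without a
    forwardauth middleware in its chain. An empty list means the stack passes."""
    routers: Dict[str, Dict[str, str]] = {}
    forwardauth: Set[str] = set()
    auth_hosts: List[str] = []
    for spec in stack.values():
        r, f = parse_labels(spec.get("labels", []))
        routers.update(r)  # router names share one Traefik namespace
        forwardauth |= f
        host = env_value(spec.get("environment", []), "AUTH_HOST")
        if host:
            auth_hosts.append(host)

    findings: List[str] = []
    for host in auth_hosts:
        serving = [n for n, cfg in routers.items() if host in HOST_RE.findall(cfg.get("rule", ""))]
        if not serving:
            findings.append(f"no router has a Host rule for AUTH_HOST {host}")
        for name in serving:
            chain = [m.strip() for m in routers[name].get("middlewares", "").split(",") if m.strip()]
            if not any(m in forwardauth for m in chain):
                findings.append(
                    f"router '{name}' serves AUTH_HOST {host} but its middleware chain "
                    f"{chain} contains no forwardauth middleware {sorted(forwardauth)}"
                )
    return findings


if __name__ == "__main__":
    for label, stack in (("looping", LOOPING_STACK), ("working", WORKING_STACK)):
        print(label, check_auth_host_routers(stack) or "OK")
```

Run against the looping stack it reports the `auth` router; against the working stack it reports nothing. The check only looks at `Host(...)` matchers, so a router that reaches the auth host through a `HostRegexp` rule would need an extra clause.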