Mailu should redirect to proxy authentication endpoints for users of proxy header authentication

[ekrekeler]

Environment & Version

Environment

• docker-compose
• kubernetes
• docker swarm

Version

• Version: master

Description

This is related to #1972.
I've been testing proxy authentication with a new deployment of mailu. It works as expected, however there is one issue. The default login redirect for WEB_WEBMAIL path /webmail, and WEB_ADMIN path /admin will use /sso/login, where the user is prompted for credentials after completing SSO workflow. When using a proxy for auth, mailu should redirect logins to WEB_WEBMAIL to /sso/proxy and WEB_ADMIN logins to /sso/proxy/admin. We should have a setting in the configuration (disabled by default) to enable redirect to the proxy authentication endpoints. This would keep mailu from prompting users for their credentials where we expect all users to authenticate through the proxy. If proxy authentication breaks or there are users that do not authenticate through the proxy, users can still login by navigating to /sso/login.

As a workaround, I have configured requests to the base URL / to redirect to /sso/proxy using my proxy, but it's not an ideal solution. There is no way to redirect requests to /webmail and /admin to /sso/proxy because the proxy cannot tell if the request has been authenticated against mailu. Configuring redirects on those endpoints will only cause a redirect loop.

Replication Steps

Using docker-compose and mailu master tag. Tested with Google Chrome version 110 on Windows.

1. Deploy mailu with a reverse proxy to perform authentication. I am using traefik2 for proxy and authentik for IdP.
2. Configure a user in IdP that will authenticate to mailu. Optionally enable PROXY_AUTH_CREATE in mailu config.
3. Confirm authentication through proxy works by navigating to /sso/proxy. A successful login will load Webmail.
4. Logout of any sessions via mailu, or clear cookies set by mailu.
5. Navigate to base URL /, webmail endpoint /webmail, and admin endpoint /admin.

Observed behaviour

The base URL / redirects to /webmail. This is expected. However, proxy authenticated requests to /webmail and /admin are redirected to /sso/login. Note the requests are correctly authenticated through the proxy, but not yet authenticated with mailu as it hasn't set the roundcube/rainloop/admin session cookies yet. When the browser is redirected here, mailu prompts the user for credentials which we don't want for users already authenticated through the proxy.

Expected behaviour

In environments where a proxy is configured for header authentication to mailu, requests to WEB_WEBMAIL (/webmail) and WEB_ADMIN (/admin) should redirect to /sso/proxy and /sso/proxy/admin respectively when the session cookies are unset/invalid/expired.

Logs

I don't think logs are necessary for this, but let me know if I can help by providing any.

[dasbenjo]

my workaround is to redirect all incoming request from /sso/login to /sso/proxy this works very good on my end. Also I redirected /sso/logout to the logout route of my proxy (e.g. for authentik: /outpost.goauthentik.io/sign_out). But I admit, it would be better if Mailu automatically redirects the /sso/login route to /sso/proxy in this setting

[ekrekeler]

Yeah I know redirecting /sso/login is an option, but you don't want to do that in production environments where you would want to keep mailu's login page as a backup if proxy authentication breaks and users need access to their webmail, or if there are a few users who do not authenticate through the proxy, such as the admin user created during mailu setup.

Thank you for bringing up /sso/logout though, I didn't consider this and think that similarly it should be a setting in the mailu configuration. The way I see it, users would still get sent to /sso/logout to invalidate the mailu session cookies, then get redirected to the URL specified in configuration (if set) to complete the logout with the proxy auth.

[nextgens]

This is not specific to proxy-auth: we currently don't "guess" nor auto-detect where we should redirect... we could attempt to parse the referer to get back to the right place.

[nextgens]

Please have a look to what's in #2697; If that's usable I guess we could retire /sso/proxy and build-in the functionality in /sso/login itself.

If the proxy is experiencing troubles, it shouldn't set the headers... in which case Mailu would display the standard login form. We could also create a special parameter for fallback/admins to ensure that proxy-auth is disabled for a specific request.

[nextgens]

@dasbenjo @ekrekeler please try the images pr-2697 on https://hub.docker.com/r/mailuci/

If that works we may want to squeeze it in before the release.

[nextgens]

This has now been merged; please upgrade to master and let me know if it doesn't fit the bill.

[ekrekeler]

Sorry @nextgens, I had some other projects that were taking my time. Thank you for being so quick to implement the changes.

I got to testing this today, using the master branch. It works as intended, at least for the proxy authentication aspects. However I did notice one thing that may be undesirable behavior:

• As an unauthenticated user behind proxy, navigating to the base URL / redirects to /webmail/?homepage, which then redirects to /sso/login?url=/webmail/?homepage where it will authenticate the user using the headers set by proxy. However upon competing the authentication, mailu redirects to /admin.

My WEBROOT_REDIRECT is set to /webmail, so I'm not sure why it's tacking on /?homepage after that. Might be intended behavior. However the /sso/login request seems not to be handled properly, since it redirects to /admin afterwards instead of the URL in URL parameters. The same redirection behavior can be reproduced after the user is logged in by navigating to /sso/login?url=/webmail/?homepage. If an unauthenticated user navigates to /webmail or /sso/login?url=/webmail, then the user gets logged into webmail correctly.

This isn't that big of a problem for my deployment since I can just use the proxy to override WEBROOT_REDIRECT and redirect requests to /webmail before mailu sees it. This might also be a completely separate issue from what we are trying to accomplish here, but wanted to bring it up.

[dasbenjo]

I also got to testing it now, and I have the same problem with the initial redirect to /admin

[fastlorenzo]

Looks like it's related to

Mailu/core/admin/mailu/sso/views/base.py

Line 103 in 1d9791c

url = _has_usable_redirect() or app.config['WEB_ADMIN']

Which is calling _has_usable_redirect():

Mailu/core/admin/mailu/sso/views/base.py

Lines 81 to 89 in 1d9791c

	def _has_usable_redirect():
	if 'homepage' in flask.request.url:
	return None
	if url := flask.request.args.get('url'):
	url = url_unquote(url)
	target = urlparse(urljoin(flask.request.url, url))
	if target.netloc == urlparse(flask.request.url).netloc:
	return target.geturl()
	return None

As homepage is in the url parameter, it returns None and this it's automatically redirecting to WEB_ADMIN.

The homepage parameter redirect is set in Nginx:

Mailu/core/nginx/conf/nginx.conf

Line 184 in 1d9791c

try_files $uri {{ WEBROOT_REDIRECT }}?homepage;

Could someone explain how the homepage parameter work and why it is required?

[nextgens]

homepage was introduced to allow the differentiation in between requests that came from the default redirect (for which @Diman0 has requested that both sign-in options are displayed) and those that are not.