Docker Swarm + nginx + WS-Federation: multiple redirection issue #1923
Comments
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
|
Friend of yours? It's likely a config issue with the x-forwarded-proto or related headers. Start by sharing the troubleshooting output from here and a Fiddler trace file. |
|
Yeah, a co-worker. I'll check on the headers, but I couldn't output any troubleshooting information before using that same code block. I'll see if that was because of a logging setup. |
|
You can always write it to the response body instead. |
|
I made the changes in that article, and still only see the below in the Compose logs. The responses from localhost only send back 302s to the ADFS server, so it never has a response body in Chrome. I have updated the repo to include the forwarded headers implementation as well as writing to responses. |
|
Did you put that troubleshooting middleware at the top of Startup.Configure right after UseForwardedHeaders?
|
|
I implemented the middleware here: rynnova/docker-swarm-nginx-dotnet-wsfederation-issue@5188e9b It's in the Configure block, but there's a separate ConfigureServices block. EDIT: Interesting, I'll see if the auth URL is anything on the ADFS side. |
|
Move |
|
It did this the moment I moved it: It makes sense why it happened, but what's the right approach here, then? By the way, that line is this one: https://github.com/ryakstis/docker-swarm-nginx-dotnet-wsfederation-issue/blob/master/Startup.cs#L140 |
|
Ah, I hadn't read the contents of Middleware. Either convert it back to logs or do not call next(). |
|
It's no problem, it still posted a response, which actually led to an interesting piece of information: Looking at the Here's a sample response: |
|
Note the |
|
Okay, I tried using: private void ConfigureForwardedHeaders(
ForwardedHeadersOptions options) {
foreach (var address in Proxies)
options.KnownProxies.Add(address);
}
private IEnumerable<IPAddress> Proxies {
get {
IEnumerable<IPAddress> empty = new IPAddress[] { };
var gateway = new[] {IPAddress.Parse("172.21.0.1")};
var nginx = Dns.GetHostAddresses("web");
return nginx
.Concat(gateway)
.Select(ToMultiProtocolAddresses)
.Aggregate(empty, ConcatenateLists);
}
}
private IEnumerable<IPAddress> ToMultiProtocolAddresses(
IPAddress address) => new[]
{address.MapToIPv4(), address.MapToIPv6()};
private IEnumerable<IPAddress> ConcatenateLists(
IEnumerable<IPAddress> aggregate,
IEnumerable<IPAddress> current) => aggregate.Concat(current);...and that hasn't helped to resolve anything yet. Same redirects. |
|
If the proxy is reporting as Alternatively you could use the KnownNetworks option and accept the range |
|
Just to be safe. I'll try out EDIT: Details. The reason I added |
|
I used: private void ConfigureForwardedHeaders(
ForwardedHeadersOptions options) {
var network = new IPNetwork(IPAddress.Parse("172.21.0.0"), 8);
options.KnownNetworks.Add(network);
}...and it did not change the redirect issue. |
|
X-Forwarded-For is the client, not the proxy. What does the diagnostic output look like now? |
The Compose logs look the same as before. |
|
And if you change your IPNetwork to |
|
Same thing. 6 redirects, then "an error occurred" served by the ADFS server to the browser, with no valuable information at that page. Same headers. |
|
The ForwardedHeadersMiddleware has its own logging, it should tell you what's wrong. You may have to turn the logs up to Debug. |
|
Aha! So WS-Federation expects that port open in nginx. Unfortunately, that port changes every time I run So we can't hard-code an IP network because of Docker Swarm/Compose, and we have to have some kind of common port in the nginx configuration, since nginx doesn't support listening on dynamic ports, which would imply configuring the WS-Federation middleware to reply to authentication requests on a static port instead of a dynamic one. |
|
It's not checking the port, only the IP. You say the IP keeps changing? If it's the second octet then you can adjust the network range to allow for that. I think that would be 104. |
|
It only changes the IP when I remove the Docker network, like when I run private void ConfigureForwardedHeaders(ForwardedHeadersOptions options) {
options.KnownNetworks.Add(Network);
}
private IPNetwork _network;
private IPNetwork Network => _network ?? (_network = new IPNetwork(LocalAddress, 16));
private IPAddress LocalAddress => NetworkInterface
.GetAllNetworkInterfaces()
.Where(n => n.OperationalStatus == OperationalStatus.Up)
.Where(n => n.NetworkInterfaceType != NetworkInterfaceType.Loopback)
.SelectMany(n => n.GetIPProperties()?.GatewayAddresses)
.Select(ToGatewayAddress)
.FirstOrDefault(a => a != null);
private IPAddress ToGatewayAddress(GatewayIPAddressInformation info) {
var firstThreeOctets = info?.Address.GetAddressBytes().Take(3);
var octets = firstThreeOctets.Append((byte)0).ToArray();
return new IPAddress(octets);
}And still, multiple redirects with I'll push these changes up just to have the progress made so far. |
|
Might I suggest simplifying until you have a working scenario? Even if that means hardcoding addresses. I think your network ranges are wrong (try 8 instead of 16). I also don't see anything in your code that handles the ::ffff: prefix. Note 2.2 released yesterday and it includes handling for this. |
|
I had the I changed I then changed |
|
I have made the following changes:
So far, the multiple redirection issue remains, along with the same debug messages. |
|
Hi. It looks like this is a question about how to use ASP.NET Core. While we do our best to look through all the issues filed here, to get a faster response we suggest posting your questions to StackOverflow using the |
|
Hey @Eilon, I got responses daily here on Github with Chris, but I haven't had a response in two days on Stack Overflow, are you sure I'll get a faster response there? |
|
There's only so much time we can devote to any individual issue. |
|
Understood. Thank you for your time, @Tratcher. You were a great help on this. Hopefully someone will notice the SO question. |
I have a repo as an example for this, but essentially: under Docker Compose/Swarm with Linux Containers and using nginx, I've had trouble getting the ASP .NET Core WS-Federation library to function.
Remove nginx, serve the application from https Kestrel only, and it works fine. Use nginx as the https proxy with Kestrel using http and it redirects 6 times from the auth server before failing entirely.
What could cause this? What else would help identify the cause of this issue?
The text was updated successfully, but these errors were encountered: