
forwardauth with traefik 2.0 doesn't appear to work #407

Closed
ksalman opened this issue Oct 9, 2019 · 16 comments

Comments

@ksalman ksalman commented Oct 9, 2019

I have this straightforward docker-compose.yml and traefik is just bypassing forwardauth, I think, though I don't know why. What am I doing wrong?

```yaml
version: "3.7"

services:

  authelia:
    image: clems4ever/authelia:v3.15.0
    container_name: authelia
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.auth.rule=Host(`authelia.example.com`)"
      - "traefik.http.routers.auth.entrypoints=web"
      # port only, no leading colon
      - "traefik.http.services.auth.loadBalancer.server.port=9091"
    volumes:
      - ./authelia_config.yml:/etc/authelia/config.yml:ro

  traefik:
    image: traefik:v2.0
    command:
      - "--log.level=DEBUG"
      - "--api.insecure=true"
      - "--providers.docker=true"
      - "--providers.docker.exposedbydefault=false"
      - "--entrypoints.web.address=:80"
    ports:
      - "80:80"
      - "443:443"
      - "8080:8080"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro

  whoami:
    image: "containous/whoami"
    container_name: "whoami"
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.whoami.rule=Host(`example.com`)"
      # attach the forwardauth middleware to this router
      - "traefik.http.routers.whoami.middlewares=authme"
      - "traefik.http.middlewares.authme.forwardauth.address=http://authelia:9091"
      - "traefik.http.middlewares.authme.forwardauth.trustforwardheader=true"
      - "traefik.http.middlewares.authme.forwardauth.authresponseheaders=X-Forwarded-User"
```
```
curl -H Host:example.com http://localhost
Hostname: c308a2f5468a
IP: 127.0.0.1
IP: 192.168.16.3
RemoteAddr: 192.168.16.2:41250
GET / HTTP/1.1
Host: example.com
User-Agent: curl/7.58.0
Accept: */*
Accept-Encoding: gzip
X-Forwarded-For: 192.168.16.1
X-Forwarded-Host: example.com
X-Forwarded-Port: 80
X-Forwarded-Proto: http
X-Forwarded-Server: 6e5c7bd69ec5
X-Real-Ip: 192.168.16.1
```
@ksalman ksalman commented Oct 10, 2019

closing this

@ksalman ksalman closed this Oct 10, 2019
@Peaches491 Peaches491 commented Nov 12, 2019

@ksalman Why did you close this? Can you post a resolution, or any more info you found?

@ksalman ksalman commented Nov 15, 2019

I had closed this because I wasn't sure if the issue is with authelia or that I am simply not connecting the traefik middleware correctly. I haven't had the time to look at this since then, so I don't have a resolution unfortunately.

@clems4ever clems4ever commented Nov 18, 2019

I'm sorry for the late reply. I cannot see how Traefik can know the auth should be forwarded to the /api/verify endpoint of Authelia. That's probably a good starting point. The expected forwarding rule is as follows in the integration test for Traefik:

- traefik.frontend.auth.forward.address=http://192.168.240.1:9091/api/verify?rd=https://login.example.com:8080/%23/

You can re-open the issue if you want more help.

@Peaches491 Peaches491 commented Nov 18, 2019

@clems4ever It would be great to have centralized documentation for all available API endpoints. Especially those which are useful to people trying to integrate with other systems.

Is there an endpoint available for "redirect if logged in, otherwise show login page" ?

@clems4ever clems4ever commented Nov 18, 2019

> @clems4ever It would be great to have centralized documentation for all available API endpoints. Especially those which are useful to people trying to integrate with other systems.

I totally agree and that's why I think I will come up with a Swagger documentation at some point (soon hopefully).

> Is there an endpoint available for "redirect if logged in, otherwise show login page" ?

/api/verify is the one you're looking for. I think using the above docker-compose with the right forwarding rule should fix the issue.

@clems4ever clems4ever reopened this Nov 18, 2019
@Peaches491 Peaches491 commented Nov 21, 2019

Aha! @clems4ever your linked snippet worked! What I hadn't realized is that the ?rd= query parameter is where you get redirected if authentication fails! I thought that was where you got sent if authentication worked, and you would get the login page otherwise.

Renaming it to something like ?rdOnAuthFailure might make it more understandable.

- traefik.frontend.auth.forward.address=http://192.168.240.1:9091/api/verify?rd=https://login.example.com:8080/%23/

@clems4ever clems4ever commented Nov 21, 2019

I will document it better instead to avoid a breaking change on that part.

@Peaches491 Peaches491 commented Nov 21, 2019

Rather than renaming, you could support both. rd for existing users and rdOnAuthFailure for the most up-to-date.

@clems4ever clems4ever commented Nov 21, 2019

That would work. If you know how to do it, I'd be glad to review the change. Would you be able to?

@nightah nightah commented Nov 21, 2019

I don’t actually understand why this needs to change at all?

The redirection link is constructed when a person isn’t authenticated, so they’re sent to the portal to authenticate and also allow Authelia to remember the final location to route said user (assuming they have access in the backend).

@Peaches491 Peaches491 commented Nov 22, 2019

Ah, upon closer inspection, it appears the rd parameter is doing double duty. On the original authentication request, you might use auth.example.com/api/verify?rd=login.example.com. If the result of that check is NotAuthorized, then the user is redirected to fmt.Sprintf("%s?rd=%s", rd, targetURL.String()) (e.g. login.example.com?rd=myapp.example.com)

```go
rd := string(ctx.QueryArgs().Peek("rd"))
if rd != "" {
    redirectionURL := fmt.Sprintf("%s?rd=%s", rd, targetURL.String())
```

This means that the rd parameter is doing double duty. 1) On the initial auth check, redirecting to the login page, and 2) on the login page, redirecting to the original target. Trying to tease apart the two use cases to rename them is beyond my understanding at the moment.
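As an added illustration of the rd double duty described above (example code written for this thread, not Authelia's own implementation): a minimal Go stand-in for /api/verify that rebuilds the target from Traefik's X-Forwarded-* headers and either answers 200 with X-Forwarded-User for a known session or redirects to the portal with the target nested as the portal's own rd. The session map, the portal allowlist, the cookie name and the query-escaping of the nested URL are assumptions, not taken from the project.

```go
package main

import (
	"fmt"
	"net/http"
	"net/url"
)

// Constructed stand-in for Authelia's session store: cookie value -> user.
var sessions = map[string]string{"sess-alice": "alice"}
// Assumed allowlist of portal hosts permitted in the outer rd value.
var portalHosts = map[string]bool{"login.example.com:8080": true}

// targetURL rebuilds the URL the user asked for from the X-Forwarded-*
// headers Traefik sets on the forward-auth sub-request.
func targetURL(r *http.Request) string {
	return r.Header.Get("X-Forwarded-Proto") + "://" +
		r.Header.Get("X-Forwarded-Host") + r.Header.Get("X-Forwarded-Uri")
}

// loginRedirect is the "double duty": the outer rd (from the middleware
// address) is the portal, and the original target is nested as the portal's
// own rd. The nested value is query-escaped here, unlike the plain Sprintf.
func loginRedirect(rd, target string) (string, error) {
	u, err := url.Parse(rd)
	if err != nil || !portalHosts[u.Host] {
		return "", fmt.Errorf("rd %q is not an allowed portal", rd)
	}
	return rd + "?rd=" + url.QueryEscape(target), nil
}

// verify mimics /api/verify: 200 plus X-Forwarded-User for a valid session,
// 302 to the portal when rd is acceptable, 401 otherwise.
func verify(w http.ResponseWriter, r *http.Request) {
	if c, err := r.Cookie("authelia_session"); err == nil {
		if user, ok := sessions[c.Value]; ok {
			w.Header().Set("X-Forwarded-User", user) // relayed by authresponseheaders
			w.WriteHeader(http.StatusOK)
			return
		}
	}
	loc, err := loginRedirect(r.URL.Query().Get("rd"), targetURL(r))
	if err != nil {
		http.Error(w, "unauthorized", http.StatusUnauthorized)
		return
	}
	http.Redirect(w, r, loc, http.StatusFound)
}

func main() { http.ListenAndServe(":9091", http.HandlerFunc(verify)) }
```

With the rd value from the label above (`https://login.example.com:8080/%23/`), an unauthenticated request for `https://example.com/secret` is sent to `https://login.example.com:8080/#/?rd=https%3A%2F%2Fexample.com%2Fsecret`, which is the nested second use of rd.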

@x3kcl x3kcl commented Nov 24, 2019

I just tried to add

- traefik.frontend.auth.forward.address=http://192.168.240.1:9091/api/verify?rd=https://login.example.com:8080/%23/

to my docker-compose to make authelia work with traefik 2.0; what would the 2.0 notation look like?

- "traefik.http.middlewares.authme.forwardauth.address=http://authelia:9091/api/verify?rd=http://whoami:80/%23/"

Something like this?

Edit: Got it working with traefik 2.0, full setup documentation
- "traefik.http.middlewares.authme.forwardauth.address=http://authelia:8080/api/verify?rd=https://auth.${DOMAINNAME}/%23/"

@clems4ever clems4ever commented Nov 24, 2019

> This means that the rd parameter is doing double duty. 1) On the initial auth check, redirecting to the login page, and 2) on the login page, redirecting to the original target. Trying to tease apart the two use cases to rename them is beyond my understanding at the moment.

@Peaches491, you're indeed right about the two use cases. The rd query arg has been added to /api/verify in order for Traefik to work, because with nginx the redirection URL is handled by the proxy itself. Unfortunately, I did not think about that wording "conflict" when I introduced it. To conclude, there is no real issue, but as I said I agree with you that the name of the argument could be more expressive.

@clems4ever clems4ever commented Nov 24, 2019

> Edit: Got it working with traefik 2.0, full setup documentation

Very nice tutorial, thanks @x3kcl! You should definitely contribute by creating a markdown file and putting it in the docs.

@clems4ever clems4ever commented Nov 24, 2019

I guess now it's resolved so I'm closing the thread.

@clems4ever clems4ever closed this Nov 24, 2019