New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Authentication keeps asking for password at random intervals #4281
Comments
Confirm this. I've configured RabbitMQ under What's going on? |
As @ldez marked this as a question I suspect it "can happen" for some valid reason, even though I do not understand how. So for me it sounds like a bug still. |
I suspect that common thing is combining |
@geraldcroes This is still a valid issue and it happens for other as well, so I am unsure this is actually a question and in actually a bug. |
This comment has been minimized.
This comment has been minimized.
@dduportal Nice that someone finally acknowledges this! |
Hi @thernstig, we re-opened this issue, as the bot mistakenly closed it. But as we cannot really reproduce it, the status is still We would be interested to see if this issue still occurs for you:
|
I am currently playing around with traefik as an GKE ingress controller, and I do have the same issue. I am using the helm chart and traefik dashboard:
enabled: true
domain: dashboard.foo.bar
serviceType: NodePort
ingress:
annotations:
kubernetes.io/ingress.class: traefik
ingress.kubernetes.io/auth-type: digest
ingress.kubernetes.io/auth-secret: foobar
certmanager.k8s.io/cluster-issuer: letsencrypt-prod
tls:
- hosts:
- dashboard.foo.bar
secretName: traefik-dashboard-cert Maybe this helps you understand/debug the issue. |
I can confirm this issue with traefik Edit: What is not really clear to me is if this issue is with using the digest authentication middleware of traefik or if the service already has digest authentication? In my case it already has, different from the related link posted by @AndrewSav where the traefik middleware is used. Should I post a new issue? I tried to use the let's encrypt Docker image from linuxserver.io as a which uses nginx as reverse proxy and now it works. Another indicator that this probably is a bug. |
@geraldcroes Any input on this issue? |
Any movement on this issue? It is blocking me from using Traefik at all. I am trying to use a Traefik container (v2.1.6) as a reverse proxy which routes HTTP to two other docker containers, on the same docker swarm network, using a PathPrefix rule (i.e. if '/dals' then the request goes to one container and if '/cuts' then it goes to the other container). Using the digest auth middleware, Traefik correctly prompts for the login on the first request but also on all subsequent requests from the web page to that same server (to fetch content images, Javascript, etc). Both backend services are using HTTP without authentication. One server is Tomcat the other is a Flask/Gunicorn app. |
@dduportal Anything you think you might have time trying to fix soon? |
Hi @thernstig , I am not working neither contributing on this project, so I won't be able to help. However, if you can provide a reproduction case, this would help the maintainers. |
@dduportal thanks for the reply, I believe @hco added some code above that can reproduce it. I now also noticed that @mpl was assigned to this 👍 |
I'm not sure if this is random or not. I turned on DEBUG-level logging and increased swarm mode refresh to sixty seconds (default = 15 secs, according to the docs)
So now I can "login" (answer the digest-auth prompt challenge) and I am admitted to the protected page. Then I wait 60 seconds (until the log shows the the middleware has been recreated) and then I refresh the protected page, whereupon the digest-auth prompt appears again and I have to "login" again! Here's my entire
|
This change is two-fold: 1) it adds the distinction between two cases that were formerly only one: - when nc sent by client is equal to the last nc the server knows about, which is a hint of a replay attack) - when nc sent by client is inferior to the last nc the server knows about, which is probably just because the requests are being received out of order, compared to the order they were created. 2) in the out of order case, it signals the client that the request was authenticated properly, but not in the expected session order, through the use of the stale flag. See https://tools.ietf.org/html/rfc2617#section-3.2.1 Required for fixing traefik/traefik#4281
Closed by #6569. |
Do you want to request a feature or report a bug?
Bug
What did you do?
I am trying to access https://127.0.0.1/kibana/ with digest authentication and TLS enabled. Entering the user and password works. But sometimes when click around inside the webapp (kibana) it randomly/suddenly asks for password again.
What did you expect to see?
To only need to enter password the first time https://127.0.0.1/kibana/ is entered.
Output of
traefik version
: (What version of Traefik are you using?)What is your environment & configuration (arguments, toml, provider, platform, ...)?
Launch with:
docker stack deploy -c docker-stack.yml
If applicable, please paste the log output in DEBUG level (
--logLevel=DEBUG
switch)The text was updated successfully, but these errors were encountered: