Authentication keeps asking for password at random intervals

[thernstig]

Do you want to request a feature or report a bug?

Bug

What did you do?

I am trying to access https://127.0.0.1/kibana/ with digest authentication and TLS enabled. Entering the user and password works. But sometimes when click around inside the webapp (kibana) it randomly/suddenly asks for password again.

What did you expect to see?

To only need to enter password the first time https://127.0.0.1/kibana/ is entered.

Output of traefik version: (What version of Traefik are you using?)

Version:      v1.7.5
Codename:     maroilles
Go version:   go1.11.2
Built:        2018-12-03_11:01:00AM
OS/Arch:      linux/amd64

What is your environment & configuration (arguments, toml, provider, platform, ...)?

version: "3.6"
services:
  traefik:
    image: traefik:1.7 # use traefik:alpine if you need sh to investigate faults
    deploy:
      placement:
        constraints:
          - node.role == manager
      labels:
        - traefik.port=8080
        - traefik.frontend.rule=PathPrefixStrip:/traefik
    command:
        - --docker
        - --docker.swarmMode
        - --docker.network=scrapy_traefiknet
        - --api
        - "--defaultentrypoints=http,https"
        - "--entryPoints=Name:http Address::80 Redirect.EntryPoint:https"
        - >-
          --entryPoints=Name:https Address::443 TLS Auth.Digest.Removeheader:true
          Auth.Digest.Users:test:traefik:a2688e031edb4be6a3797f3882655c05
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
    networks:
      - traefiknet
elasticsearch:
    image: docker.elastic.co/elasticsearch/elasticsearch:6.4.2
    deploy:
      update_config:
        order: start-first
    environment:
      - discovery.type=single-node
      # - bootstrap.memory_lock=true  # Not supported by docker swarm yet, see issue #81
      - "ES_JAVA_OPTS=-Xms2g -Xmx2g"
    ulimits: # Not supported by docker swarm yet, see issue #81
      memlock:
        soft: -1
        hard: -1
    volumes:
      - esdata1:/usr/share/elasticsearch/data
    networks:
      - esnet
    ports:
      - "9200:9200"
  kibana:
    image: docker.elastic.co/kibana/kibana:6.4.2
    deploy:
      labels:
        - traefik.port=5601
        - traefik.frontend.rule=PathPrefix:/kibana
    environment:
      - SERVER_BASEPATH=/kibana
      - SERVER_REWRITEBASEPATH=true # remove in kibana 7.x (as true will be default)
    networks:
      - esnet
      - traefiknet
volumes:
  esdata1:
networks:
  esnet:
  traefiknet:

Launch with: docker stack deploy -c docker-stack.yml

If applicable, please paste the log output in DEBUG level (--logLevel=DEBUG switch)

[er1z]

Confirm this. I've configured RabbitMQ under /tools/rabbitmq and it continuously ask me for HTTP Basic password.

What's going on?

[thernstig]

As @ldez marked this as a question I suspect it "can happen" for some valid reason, even though I do not understand how. So for me it sounds like a bug still.

[er1z]

I suspect that common thing is combining PathPrefix rule with authentication.

[thernstig]

@geraldcroes This is still a valid issue and it happens for other as well, so I am unsure this is actually a question and in actually a bug.

[thernstig]

@dduportal Nice that someone finally acknowledges this!

[dduportal]

Hi @thernstig, we re-opened this issue, as the bot mistakenly closed it. But as we cannot really reproduce it, the status is still bug/possible.

We would be interested to see if this issue still occurs for you:

• With latest 1.7.14 version (as the initial issue was with 1.7.5)
• Also with the new 2.0 version (v2.0.0-rc2 currently) , which requires configuration adaptation (see https://docs.traefik.io/v2.0/)

[hco]

I am currently playing around with traefik as an GKE ingress controller, and I do have the same issue.

I am using the helm chart and traefik 1.7.14.
This happens on multiple ingresses, but one of them is the traefik-dashboard, which was setup by the helm chart. This is an excerpt of my values.yaml:

dashboard:
  enabled: true
  domain: dashboard.foo.bar
  serviceType: NodePort
  ingress:
    annotations:
      kubernetes.io/ingress.class: traefik
      ingress.kubernetes.io/auth-type: digest
      ingress.kubernetes.io/auth-secret: foobar
      certmanager.k8s.io/cluster-issuer: letsencrypt-prod
    tls:
      - hosts:
        - dashboard.foo.bar
        secretName: traefik-dashboard-cert

Maybe this helps you understand/debug the issue.

[andrewsav-bt]

Maybe related: https://community.containo.us/t/http-digest-auth-continually-repeating-auth-prompts-on-chrome-ie-but-not-safari/2936/5?u=zespri

[bastian-f]

I can confirm this issue with traefik 1.7.2, traefik v2.0.0-rc3, traefik 2.1 and traefik:latest. I already put a question on stackoverflow because I could not find this issue before.

Edit: What is not really clear to me is if this issue is with using the digest authentication middleware of traefik or if the service already has digest authentication? In my case it already has, different from the related link posted by @AndrewSav where the traefik middleware is used. Should I post a new issue?

I tried to use the let's encrypt Docker image from linuxserver.io as a which uses nginx as reverse proxy and now it works. Another indicator that this probably is a bug.

[thernstig]

@geraldcroes Any input on this issue?

[hickst]

Any movement on this issue? It is blocking me from using Traefik at all. I am trying to use a Traefik container (v2.1.6) as a reverse proxy which routes HTTP to two other docker containers, on the same docker swarm network, using a PathPrefix rule (i.e. if '/dals' then the request goes to one container and if '/cuts' then it goes to the other container). Using the digest auth middleware, Traefik correctly prompts for the login on the first request but also on all subsequent requests from the web page to that same server (to fetch content images, Javascript, etc). Both backend services are using HTTP without authentication. One server is Tomcat the other is a Flask/Gunicorn app.

[thernstig]

@dduportal Anything you think you might have time trying to fix soon?

[dduportal]

Hi @thernstig , I am not working neither contributing on this project, so I won't be able to help.

However, if you can provide a reproduction case, this would help the maintainers.

[thernstig]

@dduportal thanks for the reply, I believe @hco added some code above that can reproduce it. I now also noticed that @mpl was assigned to this 👍

[hickst]

I'm not sure if this is random or not. I turned on DEBUG-level logging and increased swarm mode refresh to sixty seconds (default = 15 secs, according to the docs) providers.docker.swarmModeRefreshSeconds=60. It sure looks like every 60 seconds the middleware is recreated entirely! Here is a sample of the log entries which repeat every 60 seconds:

time="2020-03-11T19:11:33Z" level=debug msg="Creating middleware" middlewareName=pipelining middlewareType=Pipelining entryPointName=web routerName=cuts@docker serviceName=cuts
time="2020-03-11T19:11:33Z" level=debug msg="Creating load-balancer" entryPointName=web routerName=cuts@docker serviceName=cuts
time="2020-03-11T19:11:33Z" level=debug msg="Creating server 0 http://10.0.35.10:8000" entryPointName=web routerName=cuts@docker serviceName=cuts serverName=0
time="2020-03-11T19:11:33Z" level=debug msg="Added outgoing tracing middleware cuts" middlewareType=TracingForwarder entryPointName=web routerName=cuts@docker middlewareName=tracing
time="2020-03-11T19:11:33Z" level=debug msg="Creating middleware" middlewareName=cuts-auth@docker middlewareType=digestAuth routerName=cuts@docker entryPointName=web
time="2020-03-11T19:11:33Z" level=debug msg="Adding tracing to middleware" routerName=cuts@docker middlewareName=cuts-auth@docker entryPointName=web

time="2020-03-11T19:11:33Z" level=debug msg="Creating middleware" routerName=dals@docker serviceName=dals middlewareName=pipelining middlewareType=Pipelining entryPointName=web
time="2020-03-11T19:11:33Z" level=debug msg="Creating load-balancer" entryPointName=web routerName=dals@docker serviceName=dals
time="2020-03-11T19:11:33Z" level=debug msg="Creating server 0 http://10.0.35.8:8080" serverName=0 entryPointName=web routerName=dals@docker serviceName=dals
time="2020-03-11T19:11:33Z" level=debug msg="Added outgoing tracing middleware dals" entryPointName=web routerName=dals@docker middlewareName=tracing middlewareType=TracingForwarder
time="2020-03-11T19:11:33Z" level=debug msg="Creating middleware" entryPointName=web routerName=dals@docker middlewareName=dals-auth@docker middlewareType=digestAuth
time="2020-03-11T19:11:33Z" level=debug msg="Adding tracing to middleware" middlewareName=dals-auth@docker entryPointName=web routerName=dals@docker

So now I can "login" (answer the digest-auth prompt challenge) and I am admitted to the protected page. Then I wait 60 seconds (until the log shows the the middleware has been recreated) and then I refresh the protected page, whereupon the digest-auth prompt appears again and I have to "login" again!

Here's my entire docker-compose.yml file. The redis, pgdb, and celery containers are included for completeness but digest-auth on the cuts and dals containers is the issue:

version: "3.7"

services:
  traefik:
    image: traefik:v2.1.6
    command:
      - "--accesslog=true"
      - "--api.dashboard=true"
      - "--api.insecure=true"
      - "--entrypoints.web.address=:80"
      - "--log.level=DEBUG"
      - "--providers.docker=true"
      - "--providers.docker.exposedByDefault=false"
      - "--providers.docker.network=vos_net"
      - "--providers.docker.swarmMode=true"
      - "--providers.docker.swarmModeRefreshSeconds=60"
    ports:
      - 80:80
      - 7777:8080
    volumes:
      - /vos/config:/vos/config
      - /var/run/docker.sock:/var/run/docker.sock


  redis:
    image: redis:5.0-alpine
    command: redis-server --requirepass devpassword
    deploy:
      labels:
        - "traefik.enable=false"
      restart_policy:
        condition: none
    volumes:
      - redis:/data
    ports:
      - "6379:6379"


  pgdb:
    image: vosdb:devel
    deploy:
      labels:
        - "traefik.enable=false"
      restart_policy:
        condition: on-failure
    volumes:
      - pgdata:/var/lib/postgresql/data
    ports:
      - "5432:5432"


  celery:
    image: cuts:devel
    command: celery worker -l debug -A cuts.blueprints.img.tasks
    deploy:
      labels:
        - "traefik.enable=false"
      restart_policy:
        condition: none
    depends_on:
      - redis


  dals:
    image: dals:devel
    deploy:
      labels:
        - "traefik.enable=true"
        - "traefik.http.middlewares.dals-auth.digestauth.usersFile=/vos/config/users.dig"
        - "traefik.http.routers.dals.entryPoints=web"
        - "traefik.http.routers.dals.middlewares=dals-auth"
        - "traefik.http.routers.dals.rule=PathPrefix(`/dals`)"
        - "traefik.http.services.dals.loadbalancer.server.port=8080"
      restart_policy:
        condition: on-failure
    volumes:
      - /vos/config:/vos/config
      - ./images:/vos/images
    ports:
      - "8080:8080"
    depends_on:
      - pgdb


  cuts:
    image: cuts:devel
    deploy:
      labels:
        - "traefik.enable=true"
        - "traefik.http.middlewares.cuts-auth.digestauth.usersFile=/vos/config/users.dig"
        - "traefik.http.routers.cuts.entryPoints=web"
        - "traefik.http.routers.cuts.middlewares=cuts-auth"
        - "traefik.http.routers.cuts.rule=PathPrefix(`/cuts`)"
        - "traefik.http.services.cuts.loadbalancer.server.port=8000"
      restart_policy:
        condition: none
    environment:
      PYTHONUNBUFFERED: "true"
    volumes:
      - /vos/config:/vos/config
      - ./images:/vos/images:ro
    ports:
      - "8000:8000"
    depends_on:
      - celery


networks:
  default:
    name: vos_net
    attachable: true

volumes:
  pgdata:
  redis:

[traefiker]

Closed by #6569.