Traefik-auth filter requires username but should not #2693
Comments
Sure it does not, but this is the case where a server makes, so to say, a "handshake": it requires authentication, so it sends the user a 401 response with the auth methods, and authentication doesn't take place yet (normally it occurs with the next request). This is standard behavior of web servers (resp. of the HTTP protocol). Also see #2286 for implementation details and a discussion about it.
How so, if no authentication is possible without providing a user name? If you nevertheless want to ban such attempts, you can extend the filter to treat this as a failure:

```ini
[traefik-auth]
failregex = %(known/failregex)s
            ^<HOST> \- \S+ \[\] \"(?:GET|POST|HEAD) [^\"]+\" 401\b
enabled = true
```
According to the MDN doc, a 401 response is sent when invalid (or no) credentials are provided by the client (browser behavior).
Please notice 401 responses do not embed any username: it's only a response sent by the server to the client asking for credentials. (It's used as a handshake by browsers, but it's not a handshake.)
The username is provided by the client, but not logged by the server in the 401 response. Test case:
Log result:
In this example, the client sent wrong credentials and traefik did not log any username.
Log result:
In this example, traefik logged the username when the client was successfully authenticated. I did not dig into the traefik logging source code, but it seems traefik only logs the username when the client is fully authenticated. This behavior breaks the current filter and does not block bruteforce attacks.
We could adjust
Hmm... Is it a backend-related issue? Does traefik use some backend in your configuration for authentication?
@crazy-max, can you also confirm this behavior? And how does it work at all in your environment?
As for the backend: the Basic auth middleware provided by traefik (https://docs.traefik.io/middlewares/basicauth/). Click on "Show details" in my first post, there is a complete configuration for v1 and v2.
Same behavior on both versions.
Here is a complete example: docker-compose.yml, run it using
That's sad :( I think #2102 could help to solve this use case.
OK, let's wait for @crazy-max's answer
@sebres Looks like this is Traefik-related behavior indeed. @youtous Can you open an issue on Traefik repo about this?
OK, we'll consider this as a traefik issue now. Anyway, in between I extended the filter (6b90ca8) with parameter
…mal`, `ddos`, `aggressive`) to handle the match of username differently:
- `normal`: matches 401 with supplied username only
- `ddos`: matches 401 without supplied username only
- `aggressive`: matches 401 and any variant (with and without username)
closes gh-2693
Additionally it matches any request method now (e.g. TRACE, PUT, etc.).
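To make the two filter variants discussed in this thread concrete (sebres's suggestion above to match 401 lines with a `\S+` user field, and the later `normal`/`ddos`/`aggressive` mode split plus the switch from `GET|POST|HEAD` to any method), here is an added Python emulation. It is not fail2ban's or traefik's code and the regexes are this example's own approximation of the described modes, not the ones shipped in `traefik-auth.conf`. It assumes, as the filter's bare `\[\]` suggests, that fail2ban removes the matched timestamp before `failregex` runs; `<HOST>` is stood in by an IPv4 group. The first two 401 lines are the ones quoted in the issue, the other sample lines are constructed.

```python
"""Emulation of a fail2ban-style failregex for traefik 401 access-log lines.

Added example, not fail2ban's or traefik's own code.  The three modes and
the "any method" change mirror the behavior described in the thread; the
exact regexes are this example's own approximation.
"""
import re

# Sample access-log lines.  The first two 401 lines (user logged as "-")
# are quoted from the issue; the remaining lines are constructed here to
# exercise the other branches.
SAMPLE_LOG = [
    '172.18.0.1 - - [17/Apr/2020:12:49:13 +0000] "GET / HTTP/1.1" 401 17 "-" "curl/7.69.1" 5 "Auth for frontend-Host-traefik-localhost-dv-0" "/" 0ms',
    '172.18.0.1 - - [17/Apr/2020:13:15:41 +0000] "GET / HTTP/1.1" 401 17 "-" "-" 2 "whoami@docker" "-" 0ms',
    # constructed: a 401 where the server did log the attempted user, via TRACE
    '10.0.0.7 - alice [17/Apr/2020:13:16:02 +0000] "TRACE / HTTP/1.1" 401 17 "-" "curl/7.69.1" 3 "whoami@docker" "-" 0ms',
    # constructed: successful login; must never count as a failure
    '10.0.0.7 - alice [17/Apr/2020:13:16:10 +0000] "GET / HTTP/1.1" 200 512 "-" "curl/7.69.1" 4 "whoami@docker" "http://172.18.0.3:80" 2ms',
    # constructed: anonymous 404; not an authentication failure
    '10.0.0.9 - - [17/Apr/2020:13:17:00 +0000] "GET /missing HTTP/1.1" 404 19 "-" "curl/7.69.1" 5 "whoami@docker" "http://172.18.0.3:80" 1ms',
]

# Stand-in for fail2ban's <HOST> tag (IPv4 only, enough for this sample).
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# Assumption about fail2ban internals: the timestamp is matched by the
# filter's datepattern and removed before failregex runs, which is why the
# shipped regex contains a bare "[]".  _DATE mimics that step.
_DATE = re.compile(r"\[[^\]]*\]")

# How the user field is matched in each mode.  traefik writes "-" when no
# user is logged, so "normal" demands something other than "-".
USER_BY_MODE = {
    "normal": r"(?!- )\S+",  # 401 with a logged user name only
    "ddos": r"-",            # 401 with the "-" placeholder only
    "aggressive": r"\S+",    # either variant
}


def build_failregex(mode, any_method=True):
    """Return the compiled failregex for MODE.

    any_method=True accepts any request method (\\S+), the thread's later
    behavior; False keeps the older GET|POST|HEAD restriction.
    """
    method = r"\S+" if any_method else r"(?:GET|POST|HEAD)"
    user = USER_BY_MODE[mode]
    return re.compile(rf'^{HOST} - {user} \[\] "{method} [^"]+" 401\b')


def strip_date(line):
    """Remove the bracketed timestamp, leaving "[]", before matching."""
    return _DATE.sub("[]", line, count=1)


def find_failures(lines, mode, any_method=True):
    """Return the host of every line that counts as a failure in MODE."""
    rx = build_failregex(mode, any_method)
    hosts = []
    for line in lines:
        m = rx.match(strip_date(line))
        if m:
            hosts.append(m.group("host"))
    return hosts


if __name__ == "__main__":
    for mode in USER_BY_MODE:
        print(f"{mode:10s} {find_failures(SAMPLE_LOG, mode)}")
    print("normal, GET|POST|HEAD only:",
          find_failures(SAMPLE_LOG, "normal", any_method=False))
```

For traefik, which logs `-` on 401 regardless of the credentials sent, only `ddos` or `aggressive` catches the brute-force lines from the issue; `normal` misses both of them, and the old `GET|POST|HEAD` restriction additionally misses a 401 provoked with TRACE.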
@youtous Looks like it's fixed on Traefik side traefik/traefik#6827
Hi,
First of all, I would like to thank you for developing this software for many years 💯
Environment:
The issue:
Commit 7cdabdd introduced a new behavior in the fail detection of 401 Unauthorized HTTP responses: a username must be present in order to match failregex. Unfortunately, traefik does not always provide the tested username.
This could lead to brute force attacks not being detected.
Steps to reproduce
1. Start `docker-compose.yml` as provided below (see "Show details").
2. Use the `traefik-auth.conf` filter.
3. Open http://traefik.localhost.dv and enter wrong credentials.
4. `cat ./tmp/logs/access.log | grep 401`
5. Test the logged line against the filter:
```sh
fail2ban-regex '172.18.0.1 - - [17/Apr/2020:12:49:13 +0000] "GET / HTTP/1.1" 401 17 "-" "curl/7.69.1" 5 "Auth for frontend-Host-traefik-localhost-dv-0" "/" 0ms' /etc/fail2ban/filter.d/traefik-auth.conf
```
With `traefik-auth.conf` the filter failed: Lines: 1 lines, 0 ignored, 0 matched, 1 missed
Expected behavior
Matching.
Observed behavior
Not matching.
Any additional information
Tested on traefik 1.7 and 2.2, latest.
Can be solved by reverting commit 7cdabdd.
Configuration, dump and other helpful excerpts
Show details
docker-compose.traefik.v1.yml, start it with
```sh
docker-compose -f docker-compose.traefik.v1.yml up
```
docker-compose.traefik.v2.yml, start it with
```sh
docker-compose -f docker-compose.traefik.v2.yml up
```
```sh
fail2ban-regex '172.18.0.1 - - [17/Apr/2020:12:49:13 +0000] "GET / HTTP/1.1" 401 17 "-" "curl/7.69.1" 5 "Auth for frontend-Host-traefik-localhost-dv-0" "/" 0ms' /etc/fail2ban/filter.d/traefik-auth.conf
fail2ban-regex '172.18.0.1 - - [17/Apr/2020:13:15:41 +0000] "GET / HTTP/1.1" 401 17 "-" "-" 2 "whoami@docker" "-" 0ms' /etc/fail2ban/filter.d/traefik-alt.conf
```