Reverse Proxy Login broken in version 0.6.10 - 9418045 #1820
Comments
rg9400
changed the title
|
Could you please tell me, which version you think is working. As I'm not aware of any change regarding this. |
|
It is definitely working in So I guess it broke a while ago, but I only recently noticed |
|
I could tear it down to the merge of the development branch on October 10th 2020 (0.6.9 and lower should work) |
|
The commit to store UI settings in flask session for guest user seems to break it (September 27th 7pm on develop). Looks like it's only not working if there is a request with a invalid username in header before. |
|
I think I fixed it, but I need some time to do some more tests |
|
noticed the same today when I wanted to get the new docker container. 0.6.9 works well for me. thank you a lot @OzzieIsaacs ! |
Updated testresults Fix Filepicker (absolute instead of abs)
|
Mine doesn't seem to be fixed on 0.6.11 Beta - 0f83f99. The way I am testing is by logging out. If RP login was working, it wouldn't actually let me log out and go to the login page, it would keep logging me back in. Indeed, that's how 0.6.7 - 0735fb1 was working, as well as how RP login works in Grafana. So it still seems like something is messing with it. |
|
I tried it with Firefox and also automated with python-requests on the newest commit. It works as you described it (both versions). After clicking on logout get back logged in and you are on the main start page. I used Modify Header Value (HTTP Headers) addon to add up the needed header value |
|
I'm trying in Firefox and Microsoft Edge and unfortunately cannot get it to work after trying several hours. |
|
@kenjibailly which version you are using? 0.6.10 isn‘t working, 0.6.11 Beta should work |
|
Yeah I cannot get it to work, tried multiple different browsers (Firefox, Chrome, Edge) as well as hardcoding the header for my username into the reverse proxy. If I revert to 0735fb1, it works perfectly, and it breaks at 2ad329e. Looking through the commit history, there is a lot that happened between those two releases, including stuff related to hardening the security. I wonder if this is preventing the headers from being set properly in the first place? I am trying to add it via NGINX by adding something like this in my reverse proxy location block: location ^~ /calibre {
auth_request /auth-4;
include /config/nginx/proxy.conf;
set $theme_app calibreweb;
set $upstream_app calibre-web;
set $upstream_port 8083;
set $upstream_proto http;
proxy_pass $upstream_proto://$upstream_app:$upstream_port;
proxy_set_header X-Scheme $scheme;
proxy_set_header X-Script-Name /calibre;
auth_request_set $auth_user $upstream_http_x_organizr_user;
proxy_set_header X-CW-USER $auth_user;
# auth_request_set $auth_email $upstream_http_x_organizr_email;
# proxy_set_header X-CW-EMAIL $auth_email;
include /config/nginx/themes/themepark.conf;
}It fails even if I hardcode the header to my username vs trying to grab it via the variable from the upstream auth_request. Currently on 0.6.11 Beta - 88078d6 |
|
@OzzieIsaacs I had a problem when selecting nightly as update channel the container would go to a server internal error state. @rg9400 Are you perhaps using Cloudflare with a proxied CNAME? That's what didn't work for me at least, I had to set it to DNS Only. |
|
I am using Cloudflare and their CDN, but the issue remained after switching it to DNS only. It does seem like there is something with the way I have implemented it that is causing potential issues, but the fact that it works with an earlier version (and with other apps like Grafana), indicates that it is related to something that was added in between 0.6.7 and 0.6.8. Could you maybe share how you are doing it using NGINX proxy manager? |
|
@rg9400 Sure, what I did in nginx proxy manager is very simple actually. That's it, if you cannot get it to work I can help you over Discord. Xyroxis#6703 |
|
How are you actually forwarding the reverse proxy login details? I can get Calibre to work behind reverse proxy (using Swag), but cannot get it to auto login based on the headers. I tried subdomain as well (was using subfolder), but still no luck. Might ping you on discord |
|
After doing some further testing, this works on subdomain (calibre.domain.com), but fails on subdirectories (domain.com/calibre). Nothing else is changed between the two except for the below header which is required for subdir.
Both work fine on 0.6.7 |
|
I just tried it and it also fails for me on subdirectories. Subdomain is fine. |
|
@OzzieIsaacs any plan to fix this for subdirectory, or is the recommendation to just switch to subdomain? Subdomains work for me, just have some slight nuances, so just wanted to verify before switching over. |
|
This seems to be fixed on 0.6.12 Beta - bc876a1 - 2021-02-18T17:02:58+01:00. Appreciate the help! |
|
For what it's worth, I think there's actually a bug in the programme logic of Flask Login (which this fix works around) |
Describe the bug/problem
Previously, you could set a header for reverse proxy login, and if sent via a request, Calibre-Web would auto log you in based on that header. After updating to version 1/17/21, 9:28 AM, this no longer seems to work. I get the login screen no matter what despite not changing the headers at all.
To Reproduce
Steps to reproduce the behavior:
Logfile
Doesn't seem to log the failure to use the header
Expected behavior
Should log you in automatically based on the header. Even before, it would log in, but it usually required a refresh of the page vs logging in the user automatically on their first visit.
Screenshots
N/A
Environment (please complete the following information):
Additional context
Using SWAG for reverse proxy and reverse proxy headers. Location block below
The text was updated successfully, but these errors were encountered: