
traefik leaks HTTP authentication data to backends #2805

Closed
fxkr opened this issue Feb 4, 2018 · 9 comments
Closed


Comments

@fxkr

fxkr commented Feb 4, 2018

Do you want to request a feature or report a bug?

Could be both

What did you do?

Configure HTTP authentication at the entry point. Open it in browser. Enter valid user/password. Watch traefik->backend communication with wireshark.

What I actually wanted to do is get GoCD to work behind Traefik, but use Traefik's HTTP authentication feature to prevent access to GoCD to reduce the attack surface

What did you expect to see?

  • "Authorization" header not included in traefik->backend communication, since authentication was requested by Traefik, not the backend.

(This issue is not about making GoCD work. I know I can configure same user/password for Traefik as for GoCD, or remove HTTP auth from Traefik and just rely on GoCD's.)

What did you see?

  • tcpdump:

```
GET /go/home HTTP/1.1
Host: ...
User-Agent: ...
Accept: ...
Accept-Encoding: gzip, deflate
Accept-Language: de,en-US;q=0.9,en;q=0.8
Authorization: Basic (removed)    # <---------------- talking about this
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
X-Forwarded-For: ...
X-Forwarded-Host: ...
X-Forwarded-Port: 80
X-Forwarded-Proto: http
X-Forwarded-Server: 12a69b36f2a1
X-Real-Ip: ...
```
  • After entering the correct Traefik credentials, GoCD would give me an error page since it detects that the Authorization header is present, interprets them as GoCD credentials (which they are not), and shows a Forbidden page.

Why does this matter

  1. Obviously, it may interfere with backend apps as in this case
  2. Security problem; credentials should not be exposed to backend apps unnecessarily. Ideally it would be opt-in. At the very least I would expect it to be possible to disable this, and mentioned in the docs.

Output of traefik version: (What version of Traefik are you using?)

```
Version:      v1.5.1
Codename:     cancoillotte
Go version:   go1.9.3
Built:        2018-01-29_02:14:02PM
OS/Arch:      linux/amd64
```

What is your environment & configuration (arguments, toml, provider, platform, ...)?

```toml
...
[entryPoints]
  [entryPoints.http]
  address = ":80"
    [entryPoints.http.auth.basic]
    users = ["user:..."]
...
```
@ViViDboarder
Contributor

I haven't tested, but I wonder if fixing could be as simple as adding r.Header.Del("Authorization") above https://github.com/containous/traefik/blob/master/middlewares/auth/authenticator.go#L99

Probably same for Digest.
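The fix @ViViDboarder sketches, shown as an added Go example that is not Traefik's own code: a minimal net/http basic-auth middleware that validates the credentials at the "entrypoint" and then deletes the Authorization header before the request reaches the backend, so a backend like GoCD never sees the proxy's credentials. The in-memory credential store, the `probe` helper, the fake backend and the realm name are constructed for the illustration and do not come from Traefik.

```go
package main

import (
	"crypto/subtle"
	"encoding/base64"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// users is a constructed, in-memory credential store (username -> password).
// It stands in for Traefik's users/usersFile setting; a real store keeps hashes.
var users = map[string]string{"alice": "s3cret"}

// basicAuth authenticates the request and, on success, removes the
// Authorization header so the backend never receives the entrypoint
// credentials (the leak described in this issue).
func basicAuth(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		user, pass, ok := r.BasicAuth()
		if !ok || !validCredentials(user, pass) {
			w.Header().Set("WWW-Authenticate", `Basic realm="traefik"`)
			http.Error(w, "Unauthorized", http.StatusUnauthorized)
			return
		}
		// The credentials were meant for the proxy, not the backend: drop them
		// before handing the same *http.Request on.
		r.Header.Del("Authorization")
		next.ServeHTTP(w, r)
	})
}

// validCredentials compares passwords in constant time so a mismatch does not
// leak how many leading bytes matched through timing.
func validCredentials(user, pass string) bool {
	expected, found := users[user]
	if !found {
		return false
	}
	return subtle.ConstantTimeCompare([]byte(pass), []byte(expected)) == 1
}

// basicHeader builds the Authorization header value a browser would send.
func basicHeader(user, pass string) string {
	return "Basic " + base64.StdEncoding.EncodeToString([]byte(user+":"+pass))
}

// probeResult records the status the client received and whether the fake
// backend still observed an Authorization header.
type probeResult struct {
	Status         int
	BackendSawAuth bool
}

// probe sends one request with the given Authorization value through the
// middleware to a fake backend, using httptest so nothing listens on a port.
func probe(authorization string) probeResult {
	var saw bool
	backend := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		_, saw = r.Header["Authorization"]
		w.WriteHeader(http.StatusOK)
	})
	req := httptest.NewRequest(http.MethodGet, "/go/home", nil)
	if authorization != "" {
		req.Header.Set("Authorization", authorization)
	}
	rec := httptest.NewRecorder()
	basicAuth(backend).ServeHTTP(rec, req)
	return probeResult{Status: rec.Code, BackendSawAuth: saw}
}

func main() {
	for _, h := range []string{"", basicHeader("alice", "wrong"), basicHeader("alice", "s3cret")} {
		fmt.Printf("%-40q -> %+v\n", h, probe(h))
	}
}
```

With valid credentials the client gets 200 and the backend sees no Authorization header; a missing or wrong header is rejected with 401 before the backend runs at all. Deleting the header unconditionally is the behaviour this issue asks for; a deployment where the backend shares the same users would instead want this made configurable, which is the concern raised in the following comment.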

kautsig added a commit to kautsig/traefik that referenced this issue May 24, 2018
@kautsig

kautsig commented May 24, 2018

Just checked @ViViDboarder 's suggestion, works nicely for me so far. I'm neither a go programmer nor traefik expert, so the change might be too naive, e.g. you might want to make this configurable so it does not break existing installations.

@kachkaev
Contributor

kachkaev commented Aug 1, 2018

Is this something that has been closed by #3606? Similar issue: #3448.

@ldez
Member

ldez commented Aug 1, 2018

Closed by #3606

@ldez ldez closed this as completed Aug 1, 2018
@ldez ldez added this to the 1.7 milestone Aug 1, 2018
@riker09

riker09 commented Feb 15, 2019

@fxkr Did you ever manage to get GoCD behind Traefik working? I was hoping for some guides on the internet but my research has hit dead ends...

@fxkr
Author

fxkr commented Feb 15, 2019

@riker09 tbh, apart from this issue it was working fine I think, and a fix for this issue has been merged, but I have not tested it. But I can't tell for sure anymore, and I'm not running this combination at the moment. I doubt any guides for this specific deployment scenario exist. Unless there's further info (logs etc.) I'd start with tcpdump between GoCD and Traefik to figure out where it goes wrong.

@riker09

riker09 commented Feb 15, 2019

Thanks for your quick response. Yeah, I was looking for an easy way. Guess I have to do more debugging.

@riker09

riker09 commented Feb 15, 2019

By the way: the SSL certificate for https://fxkr.net/ has expired. :)

@riker09

riker09 commented Feb 15, 2019

Found my mistake: I had the HTTP basic auth defined in the entrypoint, but kept the removeHeader = true within the frontend definition. This effectively removed the userFile definition from the entrypoint and Traefik was unable to authenticate any users because it did not know any.

@traefik traefik locked and limited conversation to collaborators Sep 1, 2019

7 participants