[Middleware-chain] "basicAuth" behind "error-pages" does not work #7302

Closed
hexxone opened this issue Sep 17, 2020 · 1 comment

hexxone commented Sep 17, 2020

Do you want to request a feature or report a bug?

Bug

What did you do?

I tried using a middleware chain with "error-pages" before "basicauth".

Even though it's nothing critical, and can be worked around, this caused the "bug" I described below.

What did you expect to see?

I expected to see a Basic-Auth "browser prompt" as usual (when only using basic auth).

And a "custom" 401 error page, once a user clicks on "abort" / does not authenticate.

What did you see instead?

Only the custom 401 error page is displayed instantly, without asking for a password.

Note: when using "basic-auth" middleware before "error-pages", it will show the browser-prompt but only display the default 401 page (after clicking abort).

Output of traefik version: (What version of Traefik are you using?)

Version:      2.2.11
Codename:     chevrotin
Go version:   go1.14.8
Built:        2020-09-07T14:12:48Z
OS/Arch:      linux/amd64

via docker-compose

What is your environment & configuration (arguments, toml, provider, platform, ...)?

using docker-compose latest & traefik latest

            - --log.level=INFO
            - --log.filePath=etc/var/log/traefik.log
            - --accessLog.filePath=/var/log/access.log
            - --accessLog.filters.statusCodes=400-499

            - --providers.docker=true
            - --providers.docker.exposedbydefault=false
            - --providers.docker.network=reverseproxy

            - "--metrics.prometheus=true"
            - "--metrics.prometheus.buckets=0.1,0.3,1.2,5.0"

            - --api
            - --api.insecure=true
            - --entrypoints.traefik.address=:8888

            - --entrypoints.web.address=:80
            - --entrypoints.web.http.redirections.entrypoint.to=websecure
            - --entrypoints.web.http.redirections.entrypoint.scheme=https

            - --entrypoints.websecure.address=:443
            - --entrypoints.websecure.http.tls.certresolver=myresolver

            - --certificatesresolvers.myresolver.acme.dnschallenge=true
            - --certificatesresolvers.myresolver.acme.email=XXXXXXXXX@XXXX.com
            - --certificatesresolvers.myresolver.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory
            - --certificatesresolvers.myresolver.acme.storage=acme.json
            - --certificatesresolvers.myresolver.acme.dnschallenge.provider=cloudflare

my Labels on the traefik container:


            traefik.enable: "true"
            traefik.http.routers.traefik.rule: Host(`traefik.XXXXXXX`)
            traefik.http.routers.traefik.entrypoints: websecure
            traefik.http.routers.traefik.service: api@internal
            # chain global & local middleware
            traefik.http.routers.traefik.middlewares: traefik-chain
            traefik.http.middlewares.traefik-chain.chain.middlewares: main-chain@docker,traefik-auth     # <--- This order is causing the issue, reverse it for workaround
            # "local" auth settings
            traefik.http.middlewares.traefik-auth.basicauth.users: admin:$$XXXXXXXXXXXXXX
            # listen port
            traefik.http.services.traefik.loadbalancer.server.port: 8080

my Labels on the error-pages container:

            traefik.enable: "true"
            # use as "fallback" for any non-registered services (with priority below normal)
            traefik.http.routers.error-pages.rule: HostRegexp(`{host:.+}`)
            traefik.http.routers.error-pages.priority: 1
            traefik.http.routers.error-pages.entrypoints: websecure
            # define main chain globally
            traefik.http.routers.error-pages.middlewares: main-chain@docker
            # "global" chain settings
            traefik.http.middlewares.main-chain.chain.middlewares: error-pages@docker,main-ratelimit@docker
            # "global" rate limiting settings
            traefik.http.middlewares.main-ratelimit.ratelimit.average: 200
            traefik.http.middlewares.main-ratelimit.ratelimit.period: 1m
            traefik.http.middlewares.main-ratelimit.ratelimit.burst: 100
            # "global" error middleware settings
            traefik.http.middlewares.error-pages.errors.status: 400-599
            traefik.http.middlewares.error-pages.errors.service: error-pages@docker
            traefik.http.middlewares.error-pages.errors.query: /{status}.html
            # listen port
            traefik.http.services.error-pages.loadbalancer.server.port: 8080

jspdown commented Nov 20, 2020

@hexxone Thanks for your interest in Traefik.

Your browser decides to ask you for credentials only if it received a 401 with the response header WWW-Authenticate: Basic. The behavior you are seeing is perfectly fine.

In your error-pages middleware you are catching 401 errors. So on the first request sent by your browser, the error middleware will forward the request to the error page. Therefore, your browser never receives a 401 response code and will never ask for username/password.

You can fix this by moving the errors middleware behind the basicAuth in your chain.

I'm going to close the issue.

@ldez ldez closed this as completed Nov 20, 2020
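
The ordering effect described in the reply above, as an added example that is not part of the original thread and is not Traefik's code. `basicAuth`, `errorPages`, `probe` and the credentials are hypothetical stand-ins, and the model assumes the error middleware replaces the inner response's headers and body with the custom page.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// basicAuth is a stand-in for a basic-auth middleware; the credentials are constructed.
func basicAuth(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if u, p, ok := r.BasicAuth(); ok && u == "admin" && p == "example-pass" {
			next.ServeHTTP(w, r)
			return
		}
		w.Header().Set("WWW-Authenticate", `Basic realm="demo"`) // the browser prompts only on this
		http.Error(w, "401 Unauthorized", http.StatusUnauthorized)
	})
}

// errorPages is a stand-in for an errors middleware catching 400-599.
// Assumption: on a match it discards the inner response (headers included) and serves its own page.
func errorPages(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		rec := httptest.NewRecorder()
		next.ServeHTTP(rec, r)
		if rec.Code >= 400 && rec.Code <= 599 {
			http.Error(w, fmt.Sprintf("custom %d page", rec.Code), rec.Code)
			return
		}
		for k, v := range rec.Header() {
			w.Header()[k] = v
		}
		w.WriteHeader(rec.Code)
		w.Write(rec.Body.Bytes())
	})
}

// probe sends one unauthenticated request through outer(inner(backend)) and reports what the client sees.
func probe(outer, inner func(http.Handler) http.Handler) (challenge, body string) {
	backend := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { fmt.Fprint(w, "dashboard") })
	rec := httptest.NewRecorder()
	outer(inner(backend)).ServeHTTP(rec, httptest.NewRequest("GET", "/", nil))
	return rec.Header().Get("WWW-Authenticate"), rec.Body.String()
}

func main() {
	fmt.Println(probe(errorPages, basicAuth)) // order from the issue: no challenge, custom page
	fmt.Println(probe(basicAuth, errorPages)) // reversed: challenge present, default 401 body
}
```

In both orders the unauthenticated request never reaches the backend; the order only changes whether the client receives the `WWW-Authenticate` challenge and which 401 body it is shown.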