
HTTP basic auth & admin panel #240

Closed
nanom1t opened this issue Oct 26, 2018 · 12 comments

Comments

nanom1t commented Oct 26, 2018

Hi,

I'm using HTTPS basic auth for Nginx and it works well for other parts of my app, but not for centrifugo. So before going to centrifugo admin I need to enter login/password for my domain (nginx basic auth):
[screenshot omitted: nginx basic auth prompt]

Then I go to the centrifugo login page and see the login form. After logging into the admin panel, nginx creates a new window for basic auth (but I've already authorized). Also I see an error in the browser console:

/centrifugo/admin/auth:1 Failed to load resource: the server responded with a status of 400 (Bad Request)

[screenshot omitted: repeated basic auth prompt]
Nginx requires the password again and again. This happens only for centrifugo. Also I tried to enable insecure_admin in config.json, but it does not help.

$ centrifugo version
Centrifugo v2.0.1 (Go version: go1.11.1)

config.json:

{
    "name": "server1",
    "secret": "******",
    "address": "",
    "port": 8001,
    "engine": "memory",
    "history_size": "0",
    "history_lifetime": "0",
    "history_drop_inactive": true,
    "debug": false,
    "web": true,
    "admin": true,
    "admin_password": "admin",
    "admin_secret": "******",
    "insecure_admin": true
}

nginx config:

server {
    listen 80;
    listen [::]:80;

    server_name node1.site.com;

    return 301 https://$host$request_uri;
}

map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

server {
    listen 443 ssl;
    listen [::]:443 ssl;

    server_name node1.site.com;
    root /var/www/node1.site.com/www/;
    index index.html index.php;

    # SSL certificate
    ssl_certificate /etc/letsencrypt/live/node1.site.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/node1.site.com/privkey.pem;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers AES128-SHA:AES256-SHA:RC4-SHA:DES-CBC3-SHA:RC4-MD5;
    ssl_dhparam /var/www/ssl/ca/dhparam4096.pem;
    ssl_session_cache shared:SSL:20m;
    ssl_session_timeout 1d;
    ssl_session_tickets off;

    # SSL OCSP Stapling
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /var/www/ssl/ca/letsencrypt.pem;
    resolver 8.8.8.8 8.8.4.4 valid=300s;
    resolver_timeout 5s;

    # SSL Strict-Transport-Security
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;

    # Basic auth system
    auth_basic "Restricted";
    auth_basic_user_file /var/www/node1.site.com/www/.htpasswd;

    location / {
        try_files $uri $uri/ /index.html =404;
    }

    location /centrifugo/ {
        allow 127.0.0.1;

        rewrite ^/centrifugo/(.*) /$1 break;
        proxy_pass_header Server;
        proxy_set_header Host $http_host;
        proxy_redirect off;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Scheme $scheme;
        proxy_pass http://127.0.0.1:8001;
    }

    location /centrifugo/socket {
        allow 127.0.0.1;

        rewrite ^/centrifugo(.*) $1 break;
        proxy_next_upstream error;
        proxy_buffering off;
        keepalive_timeout 65;
        proxy_pass http://127.0.0.1:8001;
        proxy_read_timeout 60s;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Scheme $scheme;
        proxy_set_header Host $http_host;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
    }
    ...

Thanks

FZambia (Member) commented Oct 26, 2018

Hello @nanom1t !

The option is called admin_insecure in Centrifugo v2, not insecure_admin, see https://centrifugal.github.io/centrifugo/server/admin/

Please try it out.

nanom1t (Author) commented Oct 26, 2018

@FZambia Thank you for the response.

I've changed insecure_admin to 'admin_insecure' and now centrifugo does not require a password to log into the admin panel. But nginx still requires authorization again and again as shown on the screenshot:
[screenshot omitted: repeated basic auth prompt]

It looks like something is wrong with the nginx config and I'm not authorized to execute POST requests to https://node1.site.com/centrifugo/admin/api (401 Unauthorized).

nanom1t (Author) commented Oct 26, 2018

It looks like I've found the issue. Nginx sends an Authorization header with each request if basic auth is enabled:

Authorization: Basic bW9uaXRvcxNDMzMDdzJA==

Centrifugo overwrites this header and sends it with each API request to https://node1.site.com/centrifugo/admin/api:

Authorization: token insecure

Is this the reason why I get a 401 Unauthorized error from Nginx?

P.S.: This problem does not exist in version 1.8.0.

FZambia (Member) commented Oct 27, 2018

Yes, I suppose the reason is that the frontend app sets the Authorization header itself, thus not allowing the browser to set the basic auth header. I think we can simply not send any headers in admin insecure mode. Will you have a chance to test Centrifugo from the master branch (go run main.go) after I make changes, or do you need a release to try?

nanom1t (Author) commented Oct 28, 2018

I will try to test on VM.

FZambia (Member) commented Oct 28, 2018

Ok, thanks - I reproduced this locally, seems like the fix works but it will be really nice if you confirm for your case.

nanom1t (Author) commented Oct 28, 2018

@FZambia I've cloned the repo from the master branch and built it with go build. It works on my VM in insecure mode and does not send the Authorization header. In secure mode it still overwrites the Authorization header. Thanks

FZambia (Member) commented Oct 28, 2018

Does this solve a problem for you?

nanom1t (Author) commented Oct 29, 2018

Yes, thanks.

nanom1t (Author) commented Oct 29, 2018

When will the next release for Ubuntu be on packagecloud.io?

FZambia (Member) commented Oct 29, 2018

Will try to make it during this week, btw packagecloud.io requires an update of the GPG key for the Centrifugo repository - this means that users will need to re-run the repo installation script (https://packagecloud.io/FZambia/centrifugo/install) to update. This is a required step unfortunately - I will write about this in the release notes.

nanom1t (Author) commented Oct 29, 2018

Ok, thank you.

@nanom1t nanom1t closed this as completed Oct 29, 2018