
Loop when authorising user? #380

Closed
PixNyb opened this issue May 29, 2024 · 3 comments

Comments

@PixNyb

PixNyb commented May 29, 2024

I've tried to follow the setup and examples as closely as I can, and look through the issues as much as possible, but I can't seem to get the forward auth container to work properly. Everything works up until the redirect back to the auth service, which sends me back to the login page and eventually enters a loop until the provider has had enough and logs me back out. I'm probably missing something; anyone willing to help me out?

Docker compose:

```yaml
services:
  traefik:
    image: traefik:2.11
    command:
      - --providers.docker
      - --providers.docker.exposedbydefault=false
      - --providers.docker.swarmmode
      - --providers.file.filename=/config/dynamic.yml
      - --entrypoints.http.address=:80
      - --entrypoints.https.address=:443
      - --certificatesresolvers.le.acme.email=xxx@xxx.xxx
      - --certificatesresolvers.le.acme.storage=/config/acme.json
      - --certificatesresolvers.le.acme.tlschallenge=true
      - --certificatesresolvers.le.acme.dnschallenge=true
      - --certificatesresolvers.le.acme.dnschallenge.provider=cloudflare
      - --certificatesResolvers.le.acme.dnsChallenge.resolvers=1.1.1.1:53,1.0.0.1:53
      - --accesslog
      - --log
      - --api
    ports:
      - 80:80
      - 443:443
      - 2222:2222
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - traefik:/config
    networks:
      - traefik
    environment:
      - LEGO_DISABLE_CNAME_SUPPORT=true
      - CF_API_EMAIL=xxx@xxx.xxx
      - CF_API_KEY=xxx
      - CLOUDFLARE_PROPAGATION_TIMEOUT=3600
    deploy:
      placement:
        constraints:
          - node.role == manager
      labels:
        - traefik.enable=true
        - traefik.docker.network=traefik
        - traefik.http.middlewares.https-redirect.redirectscheme.scheme=https
        - traefik.http.middlewares.https-redirect.redirectscheme.permanent=true
        - traefik.http.middlewares.extended-headers.headers.accesscontrolallowheaders=*
        - traefik.http.middlewares.extended-headers.headers.contentSecurityPolicy=upgrade-insecure-requests
        - traefik.http.middlewares.extended-headers.headers.referrerPolicy=no-referrer-when-downgrade
        - traefik.http.routers.http-catchall.rule=HostRegexp(`{host:.+}`)
        - traefik.http.routers.http-catchall.entrypoints=http
        - traefik.http.routers.http-catchall.middlewares=https-redirect
        - traefik.http.routers.http-catchall.priority=1
        - traefik.http.routers.traefik-https.rule=Host(`traefik.xxx.xxx`)
        - traefik.http.routers.traefik-https.entrypoints=https
        - traefik.http.routers.traefik-https.tls=true
        - traefik.http.routers.traefik-https.tls.certresolver=le
        - traefik.http.routers.traefik-https.service=api@internal
        - traefik.http.routers.traefik-https.middlewares=auth
        - traefik.http.services.traefik.loadbalancer.server.port=8080

  auth:
    image: thomseddon/traefik-forward-auth:2
    command:
      - --cookie-domain=xxx.xxx
      - --cookie-domain=yyy.yyy
    environment:
      - SECRET=xxx
      - INSECURE_COOKIE=false
      - DOMAIN=xxx.xxx
      - DEFAULT_PROVIDER=generic-oauth
      - PROVIDERS_GENERIC_OAUTH_AUTH_URL=https://github.com/login/oauth/authorize
      - PROVIDERS_GENERIC_OAUTH_TOKEN_URL=https://github.com/login/oauth/access_token
      - PROVIDERS_GENERIC_OAUTH_USER_URL=https://api.github.com/user
      - PROVIDERS_GENERIC_OAUTH_CLIENT_ID=xxx
      - PROVIDERS_GENERIC_OAUTH_CLIENT_SECRET=xxx
      - AUTH_HOST=auth.xxx.xxx
    networks:
      - traefik
    deploy:
      mode: replicated
      replicas: 1
      labels:
        - traefik.enable=true
        - traefik.docker.network=traefik
        - traefik.http.routers.auth.rule=Host(`auth.xxx.xxx`)
        - traefik.http.routers.auth.entrypoints=https
        - traefik.http.routers.auth.tls=true
        - traefik.http.routers.auth.tls.certresolver=le
        - traefik.http.routers.auth.service=auth
        - traefik.http.middlewares.auth.forwardauth.address=http://auth:4181
        - traefik.http.middlewares.auth.forwardauth.authResponseHeaders=X-Forwarded-User
        - traefik.http.middlewares.auth.forwardauth.trustForwardHeader=true
        - traefik.http.services.auth.loadbalancer.server.port=4181

  whoami:
    image: containous/whoami
    networks:
      - traefik
    deploy:
      mode: replicated
      replicas: 1
      labels:
        - traefik.enable=true
        - traefik.docker.network=traefik
        - traefik.http.routers.whoami.rule=Host(`whoami.xxx.xxx`)
        - traefik.http.routers.whoami.entrypoints=https
        - traefik.http.routers.whoami.tls=true
        - traefik.http.routers.whoami.tls.certresolver=le
        - traefik.http.routers.whoami.middlewares=auth
        - traefik.http.services.whoami.loadbalancer.server.port=80
```

Please note xxx.xxx is the same domain, but I've decided to redact it. yyy.yyy is a similar domain which also routes to the same traefik instance.

@PixNyb

PixNyb commented May 29, 2024

The authorisation URL I've set up in my GitHub application is https://auth.xxx.xxx/_oauth

@PixNyb

PixNyb commented May 29, 2024

I've decided to try adding a different provider and the issue still remains. When I use Google it loops back to the Google login page.

@PixNyb

PixNyb commented May 29, 2024

I ended up being able to fix it by adding the auth middleware to the auth service as briefly mentioned in #362. I strongly recommend updating the examples in the example folder since the current stacks are incompatible with swarm.

My working docker stack looks like this:

```yaml
services:
  traefik:
    image: traefik:2.11
    command:
      - --providers.docker
      - --providers.docker.exposedbydefault=false
      - --providers.docker.swarmmode
      - --providers.file.filename=/config/dynamic.yml
      - --entrypoints.http.address=:80
      - --entrypoints.https.address=:443
      - --entrypoints.ssh.address=:2222
      - --certificatesresolvers.le.acme.email=xxx@xxx.xxx
      - --certificatesresolvers.le.acme.storage=/config/acme.json
      - --certificatesresolvers.le.acme.tlschallenge=true
      - --certificatesresolvers.le.acme.dnschallenge=true
      - --certificatesresolvers.le.acme.dnschallenge.provider=cloudflare
      - --certificatesResolvers.le.acme.dnsChallenge.resolvers=1.1.1.1:53,1.0.0.1:53
      - --accesslog
      - --log
      - --api
    ports:
      - 80:80
      - 443:443
      - 2222:2222
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - traefik:/config
    networks:
      - traefik
    environment:
      - LEGO_DISABLE_CNAME_SUPPORT=true
      - CF_API_EMAIL=xxx@xxx.xxx
      - CF_API_KEY=xxx
      - CLOUDFLARE_PROPAGATION_TIMEOUT=3600
    deploy:
      placement:
        constraints:
          - node.role == manager
      labels:
        - traefik.enable=true
        - traefik.docker.network=traefik
        # Middleware to add security headers
        - traefik.http.middlewares.extended-headers.headers.accesscontrolallowheaders=*
        - traefik.http.middlewares.extended-headers.headers.contentSecurityPolicy=upgrade-insecure-requests
        - traefik.http.middlewares.extended-headers.headers.referrerPolicy=no-referrer-when-downgrade
        # Catch all http requests and redirect to https
        - traefik.http.routers.http-catchall.rule=HostRegexp(`{host:.+}`)
        - traefik.http.routers.http-catchall.entrypoints=http
        - traefik.http.routers.http-catchall.middlewares=https-redirect
        - traefik.http.routers.http-catchall.priority=1
        - traefik.http.middlewares.https-redirect.redirectscheme.scheme=https
        - traefik.http.middlewares.https-redirect.redirectscheme.permanent=true
        # Traefik dashboard
        - traefik.http.routers.traefik-https.rule=Host(`traefik.xxx.xxx`)
        - traefik.http.routers.traefik-https.entrypoints=https
        - traefik.http.routers.traefik-https.tls=true
        - traefik.http.routers.traefik-https.tls.certresolver=le
        - traefik.http.routers.traefik-https.service=api@internal
        - traefik.http.routers.traefik-https.middlewares=traefik-auth
        - traefik.http.services.traefik.loadbalancer.server.port=8080
        - traefik.http.middlewares.traefik-auth.basicAuth.usersFile=/config/users
        # Redirect yyy.yyy to xxx.xxx
        - traefik.http.routers.redirect-https.rule=Host(`yyy.yyy`)
        - traefik.http.routers.redirect-https.entrypoints=https
        - traefik.http.routers.redirect-https.middlewares=redirect-dev
        - traefik.http.routers.redirect-https.tls=true
        - traefik.http.routers.redirect-https.tls.certresolver=le
        - traefik.http.middlewares.redirect-dev.redirectregex.regex=yyy.yyy
        - traefik.http.middlewares.redirect-dev.redirectregex.replacement=xxx.xxx
        - traefik.http.middlewares.redirect-dev.redirectregex.permanent=true

  auth:
    image: thomseddon/traefik-forward-auth:2
    command:
      - --match-whitelist-or-domain
    environment:
      - LOG_LEVEL=debug
      - LOG_FORMAT=pretty
      # - DOMAIN=xxx.xxx
      - COOKIE_DOMAIN=xxx.xxx,yyy.yyy
      - AUTH_HOST=auth.xxx.xxx
      - DEFAULT_PROVIDER=google
      - SECRET=xxx
      - PROVIDERS_GOOGLE_CLIENT_ID=xxx
      - PROVIDERS_GOOGLE_CLIENT_SECRET=xxx
      - PROVIDERS_GENERIC_OAUTH_AUTH_URL=https://github.com/login/oauth/authorize
      - PROVIDERS_GENERIC_OAUTH_TOKEN_URL=https://github.com/login/oauth/access_token
      - PROVIDERS_GENERIC_OAUTH_USER_URL=https://api.github.com/user
      - PROVIDERS_GENERIC_OAUTH_CLIENT_ID=xxx
      - PROVIDERS_GENERIC_OAUTH_CLIENT_SECRET=xxx
    networks:
      - traefik
    deploy:
      mode: replicated
      replicas: 1
      labels:
        - traefik.enable=true
        - traefik.docker.network=traefik
        - traefik.http.routers.auth.rule=Host(`auth.xxx.xxx`)
        - traefik.http.routers.auth.entrypoints=https
        - traefik.http.routers.auth.tls=true
        - traefik.http.routers.auth.tls.certresolver=le
        - traefik.http.routers.auth.service=auth
        - traefik.http.routers.auth.middlewares=auth
        - traefik.http.middlewares.auth.forwardauth.address=http://auth:4181
        - traefik.http.middlewares.auth.forwardauth.authResponseHeaders=X-Forwarded-User
        - traefik.http.middlewares.auth.forwardauth.trustForwardHeader=true
        - traefik.http.services.auth.loadbalancer.server.port=4181

  whoami:
    image: containous/whoami
    networks:
      - traefik
    deploy:
      mode: replicated
      replicas: 1
      labels:
        - traefik.enable=true
        - traefik.docker.network=traefik
        - traefik.http.routers.whoami.rule=Host(`whoami.xxx.xxx`)
        - traefik.http.routers.whoami.entrypoints=https
        - traefik.http.routers.whoami.tls=true
        - traefik.http.routers.whoami.tls.certresolver=le
        - traefik.http.routers.whoami.middlewares=auth
        - traefik.http.services.whoami.loadbalancer.server.port=80
```
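The fix the thread lands on is a single label: the router that serves `AUTH_HOST` must itself apply the forwardauth middleware, otherwise the `/_oauth` callback never completes and the browser is bounced back to the provider. As an added example (not part of the issue or of the traefik-forward-auth project), here is a small Python lint over Traefik v2 Docker labels that flags an `AUTH_HOST` router missing that middleware; the sample label lists are constructed from the configs above, and `auth.xxx.xxx` is the redacted host from the thread.

```python
import re
from typing import Dict, List

# Matches Traefik v2 router/middleware labels, e.g.
#   traefik.http.routers.auth.middlewares=auth
#   traefik.http.middlewares.auth.forwardauth.address=http://auth:4181
LABEL_RE = re.compile(r"^traefik\.http\.(routers|middlewares)\.([^.]+)\.([^=]+)=(.*)$")


def parse_labels(labels: List[str]) -> Dict[str, Dict[str, Dict[str, str]]]:
    """Group label values by kind ('routers' / 'middlewares') and object name."""
    cfg: Dict[str, Dict[str, Dict[str, str]]] = {"routers": {}, "middlewares": {}}
    for raw in labels:
        m = LABEL_RE.match(raw.strip())
        if not m:
            continue  # traefik.enable, services.*, non-traefik labels are irrelevant here
        kind, name, key, value = m.groups()
        cfg[kind].setdefault(name, {})[key.lower()] = value.strip()
    return cfg


def auth_host_loop_risks(labels: List[str], auth_host: str) -> List[str]:
    """Report routers that serve AUTH_HOST without applying a forwardauth middleware."""
    cfg = parse_labels(labels)
    forward_auth = [name for name, opts in cfg["middlewares"].items()
                    if any(k.startswith("forwardauth.") for k in opts)]
    findings = []
    for router, opts in cfg["routers"].items():
        if f"Host(`{auth_host}`)" not in opts.get("rule", ""):
            continue
        # Middleware references may carry a provider suffix, e.g. auth@docker
        applied = {ref.strip().split("@")[0]
                   for ref in opts.get("middlewares", "").split(",") if ref.strip()}
        for mw in forward_auth:
            if mw not in applied:
                findings.append(f"router '{router}' serves {auth_host} "
                                f"but does not apply forwardauth middleware '{mw}'")
    return findings


# Constructed sample mirroring the thread: the auth service's labels before and after the fix.
BROKEN_AUTH_LABELS = [
    "traefik.enable=true",
    "traefik.http.routers.auth.rule=Host(`auth.xxx.xxx`)",
    "traefik.http.routers.auth.entrypoints=https",
    "traefik.http.routers.auth.service=auth",
    "traefik.http.middlewares.auth.forwardauth.address=http://auth:4181",
    "traefik.http.middlewares.auth.forwardauth.authResponseHeaders=X-Forwarded-User",
    "traefik.http.services.auth.loadbalancer.server.port=4181",
]
FIXED_AUTH_LABELS = BROKEN_AUTH_LABELS + ["traefik.http.routers.auth.middlewares=auth"]

if __name__ == "__main__":
    for finding in auth_host_loop_risks(BROKEN_AUTH_LABELS, "auth.xxx.xxx"):
        print("WARN:", finding)
```

Feed it the `labels:` list of each service (after `docker service inspect` or straight from the compose file) and an empty result for the `AUTH_HOST` router means the callback route is covered.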

@PixNyb PixNyb closed this as completed May 29, 2024