-
-
Notifications
You must be signed in to change notification settings - Fork 417
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Loop when authorising user? #380
Comments
The authorisation url i've set up in my github application is |
I've decided to try adding a different provider and the issue still remains. When i use Google it loops back to the google login page |
I ended up being able to fix it by adding the auth middleware to the auth service as briefly mentioned in #362. I strongly recommend updating the examples in the example folder since the current stacks are incompatible with swarm. My working docker stack looks like this: services:
traefik:
image: traefik:2.11
command:
- --providers.docker
- --providers.docker.exposedbydefault=false
- --providers.docker.swarmmode
- --providers.file.filename=/config/dynamic.yml
- --entrypoints.http.address=:80
- --entrypoints.https.address=:443
- --entrypoints.ssh.address=:2222
- [email protected]
- --certificatesresolvers.le.acme.storage=/config/acme.json
- --certificatesresolvers.le.acme.tlschallenge=true
- --certificatesresolvers.le.acme.dnschallenge=true
- --certificatesresolvers.le.acme.dnschallenge.provider=cloudflare
- --certificatesResolvers.le.acme.dnsChallenge.resolvers=1.1.1.1:53,1.0.0.1:53
- --accesslog
- --log
- --api
ports:
- 80:80
- 443:443
- 2222:2222
volumes:
- /var/run/docker.sock:/var/run/docker.sock
- traefik:/config
networks:
- traefik
environment:
- LEGO_DISABLE_CNAME_SUPPORT=true
- [email protected]
- CF_API_KEY=xxx
- CLOUDFLARE_PROPAGATION_TIMEOUT=3600
deploy:
placement:
constraints:
- node.role == manager
labels:
- traefik.enable=true
- traefik.docker.network=traefik
# Middleware to add security headers
- traefik.http.middlewares.extended-headers.headers.accesscontrolallowheaders=*
- traefik.http.middlewares.extended-headers.headers.contentSecurityPolicy=upgrade-insecure-requests
- traefik.http.middlewares.extended-headers.headers.referrerPolicy=no-referrer-when-downgrade
# Catch all http requests and redirect to https
- traefik.http.routers.http-catchall.rule=HostRegexp(`{host:.+}`)
- traefik.http.routers.http-catchall.entrypoints=http
- traefik.http.routers.http-catchall.middlewares=https-redirect
- traefik.http.routers.http-catchall.priority=1
- traefik.http.middlewares.https-redirect.redirectscheme.scheme=https
- traefik.http.middlewares.https-redirect.redirectscheme.permanent=true
# Traefik dashboard
- traefik.http.routers.traefik-https.rule=Host(`traefik.xxx.xxx`)
- traefik.http.routers.traefik-https.entrypoints=https
- traefik.http.routers.traefik-https.tls=true
- traefik.http.routers.traefik-https.tls.certresolver=le
- traefik.http.routers.traefik-https.service=api@internal
- traefik.http.routers.traefik-https.middlewares=traefik-auth
- traefik.http.services.traefik.loadbalancer.server.port=8080
- traefik.http.middlewares.traefik-auth.basicAuth.usersFile=/config/users
# Redirect yyy.yyy to xxx.xxx
- traefik.http.routers.redirect-https.rule=Host(`yyy.yyy`)
- traefik.http.routers.redirect-https.entrypoints=https
- traefik.http.routers.redirect-https.middlewares=redirect-dev
- traefik.http.routers.redirect-https.tls=true
- traefik.http.routers.redirect-https.tls.certresolver=le
- traefik.http.middlewares.redirect-dev.redirectregex.regex=yyy.yyy
- traefik.http.middlewares.redirect-dev.redirectregex.replacement=xxx.xxx
- traefik.http.middlewares.redirect-dev.redirectregex.permanent=true
auth:
image: thomseddon/traefik-forward-auth:2
command:
- --match-whitelist-or-domain
environment:
- LOG_LEVEL=debug
- LOG_FORMAT=pretty
# - DOMAIN=xxx.xxx
- COOKIE_DOMAIN=xxx.xxx,yyy.yyy
- AUTH_HOST=auth.xxx.xxx
- DEFAULT_PROVIDER=google
- SECRET=xxx
- PROVIDERS_GOOGLE_CLIENT_ID=xxx
- PROVIDERS_GOOGLE_CLIENT_SECRET=xxx
- PROVIDERS_GENERIC_OAUTH_AUTH_URL=https://github.com/login/oauth/authorize
- PROVIDERS_GENERIC_OAUTH_TOKEN_URL=https://github.com/login/oauth/access_token
- PROVIDERS_GENERIC_OAUTH_USER_URL=https://api.github.com/user
- PROVIDERS_GENERIC_OAUTH_CLIENT_ID=xxx
- PROVIDERS_GENERIC_OAUTH_CLIENT_SECRET=xxx
networks:
- traefik
deploy:
mode: replicated
replicas: 1
labels:
- traefik.enable=true
- traefik.docker.network=traefik
- traefik.http.routers.auth.rule=Host(`auth.xxx.xxx`)
- traefik.http.routers.auth.entrypoints=https
- traefik.http.routers.auth.tls=true
- traefik.http.routers.auth.tls.certresolver=le
- traefik.http.routers.auth.service=auth
- traefik.http.routers.auth.middlewares=auth
- traefik.http.middlewares.auth.forwardauth.address=http://auth:4181
- traefik.http.middlewares.auth.forwardauth.authResponseHeaders=X-Forwarded-User
- traefik.http.middlewares.auth.forwardauth.trustForwardHeader=true
- traefik.http.services.auth.loadbalancer.server.port=4181
whoami:
image: containous/whoami
networks:
- traefik
deploy:
mode: replicated
replicas: 1
labels:
- traefik.enable=true
- traefik.docker.network=traefik
- traefik.http.routers.whoami.rule=Host(`whoami.xxx.xxx`)
- traefik.http.routers.whoami.entrypoints=https
- traefik.http.routers.whoami.tls=true
- traefik.http.routers.whoami.tls.certresolver=le
- traefik.http.routers.whoami.middlewares=auth
- traefik.http.services.whoami.loadbalancer.server.port=80 |
I've tried to follow the setup and examples as closely as i can, and look through the issues as much as possible but i can't seem to get the forward auth container to work properly. Everything works up until the redirect back to the auth service, which sends me back to the login page and eventually enters a loop until the provider has had enough and logs me back out. I'm probably missing something, anyone willing to help me out?
Docker compose:
Please note xxx.xxx is the same domain, but i've decided to redact it. yyy.yyy is a similar domain which also routes to the same traefik instance
The text was updated successfully, but these errors were encountered: