docker-firefox
[Bug] Usage of SECURE_CONNECTION with a reverse proxy leads to 307 infinite redirect
Current Behavior
I am trying to use the WEB_AUTHENTICATION functionality. To do that I have to enable SECURE_CONNECTION.
As I'm using traefik as my reverse proxy which automatically provides a valid certificate, doing this doesn't make sense for me as this forces the use of self-signed certificates.
When now trying to access the application via the proxy, I'm getting infinite HTTP 307 redirects to the same page.
This is not the case when setting the SECURE_CONNECTION=0 variable.
Expected Behavior
Be able to use the web authentication functionality by providing certificates through a reverse proxy.
Steps To Reproduce
- Set up the container with the following env variables:
  - SECURE_CONNECTION=1
  - WEB_AUTHENTICATION=1
  - WEB_AUTHENTICATION_USERNAME=user
  - WEB_AUTHENTICATION_PASSWORD=password
  - CONTAINER_DEBUG=1
- Set up a reverse proxy for the container:
  - "traefik.http.routers.firefox.rule=Host(`firefox.example.com`)"
  - "traefik.http.services.firefox.loadbalancer.server.port=5800"
  - "traefik.http.routers.firefox.service=firefox"
  - "traefik.http.routers.firefox.entrypoints=websecure"
  - "traefik.http.routers.firefox.tls.certresolver=myresolver"
Environment
No response
Container creation
firefox:
  image: jlesage/firefox:latest
  container_name: firefox
  environment:
    - SECURE_CONNECTION=0
    - WEB_AUTHENTICATION=1
    - WEB_AUTHENTICATION_USERNAME=user
    - WEB_AUTHENTICATION_PASSWORD=password
    - CONTAINER_DEBUG=1
  volumes:
    - /mnt/storage/containers/firefox/config:/config
  # ports:
  #   - 5800:5800
  restart: unless-stopped
Container log
No specific output in the container log.
This is the nginx access log instead:
...
172.18.96.3 - - [16/Nov/2024:21:58:42 +0000] "GET / HTTP/1.1" 307 164 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:132.0) Gecko/20100101 Firefox/132.0" "192.168.5.81"
172.18.96.3 - - [16/Nov/2024:21:58:42 +0000] "GET / HTTP/1.1" 307 164 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:132.0) Gecko/20100101 Firefox/132.0" "192.168.5.81"
172.18.96.3 - - [16/Nov/2024:21:58:42 +0000] "GET / HTTP/1.1" 307 164 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:132.0) Gecko/20100101 Firefox/132.0" "192.168.5.81"
172.18.96.3 - - [16/Nov/2024:21:58:42 +0000] "GET / HTTP/1.1" 307 164 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:132.0) Gecko/20100101 Firefox/132.0" "192.168.5.81"
172.18.96.3 - - [16/Nov/2024:21:58:42 +0000] "GET / HTTP/1.1" 307 164 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:132.0) Gecko/20100101 Firefox/132.0" "192.168.5.81"
172.18.96.3 - - [16/Nov/2024:21:58:42 +0000] "GET / HTTP/1.1" 307 164 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:132.0) Gecko/20100101 Firefox/132.0" "192.168.5.81"
172.18.96.3 - - [16/Nov/2024:21:58:42 +0000] "GET / HTTP/1.1" 307 164 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:132.0) Gecko/20100101 Firefox/132.0" "192.168.5.81"
172.18.96.3 - - [16/Nov/2024:21:58:42 +0000] "GET / HTTP/1.1" 307 164 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:132.0) Gecko/20100101 Firefox/132.0" "192.168.5.81"
172.18.96.3 - - [16/Nov/2024:21:58:42 +0000] "GET / HTTP/1.1" 307 164 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:132.0) Gecko/20100101 Firefox/132.0" "192.168.5.81"
172.18.96.3 - - [16/Nov/2024:21:58:42 +0000] "GET / HTTP/1.1" 307 164 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:132.0) Gecko/20100101 Firefox/132.0" "192.168.5.81"
172.18.96.3 - - [16/Nov/2024:21:58:42 +0000] "GET / HTTP/1.1" 307 164 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:132.0) Gecko/20100101 Firefox/132.0" "192.168.5.81"
...
Container inspect
No response
Anything else?
No response
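The redirect loop in the access log above can be detected mechanically. The following is an added example, not code from the issue or from the docker-firefox project: it assumes the log layout shown in the report (nginx combined format plus a trailing quoted X-Forwarded-For field), and the function name, threshold and sample lines are hypothetical.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# nginx access-log layout from the report above: combined format plus a
# trailing quoted X-Forwarded-For field.
LINE = re.compile(
    r'(?P<peer>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \d+ '
    r'"[^"]*" "[^"]*" "(?P<xff>[^"]*)"')
REDIRECTS = {301, 302, 303, 307, 308}

def find_redirect_loops(lines, threshold=5, window=timedelta(seconds=10)):
    """Return (client, method, path, status, count) for each run of at least
    `threshold` identical redirects sent to one client within `window`."""
    runs, findings = defaultdict(list), []

    def flush(key):
        times = runs.pop(key, [])
        if len(times) >= threshold:
            findings.append((*key, len(times)))

    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # "..." markers and other non-log lines
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        client = m["xff"] if m["xff"] not in ("", "-") else m["peer"]
        request, status = (client, m["method"], m["path"]), int(m["status"])
        # A different answer to the same request ends the run in progress.
        for key in [k for k in runs if k[:3] == request and k[3] != status]:
            flush(key)
        if status not in REDIRECTS:
            continue
        key = (*request, status)
        if runs[key] and ts - runs[key][0] > window:
            flush(key)
        runs[key].append(ts)
    for key in list(runs):
        flush(key)
    return findings

# Constructed sample (documentation addresses, not real traffic).
TAIL = '"-" "Mozilla/5.0" '
SAMPLE = [f'172.18.0.3 - - [16/Nov/2024:21:58:42 +0000] "GET / HTTP/1.1" 307 164 {TAIL}"192.0.2.10"'] * 6 + [
    f'172.18.0.3 - - [16/Nov/2024:21:58:50 +0000] "GET /login HTTP/1.1" 302 0 {TAIL}"192.0.2.20"',
    f'172.18.0.3 - - [16/Nov/2024:21:58:51 +0000] "GET / HTTP/1.1" 200 512 {TAIL}"192.0.2.20"']

if __name__ == "__main__":
    print(find_redirect_loops(SAMPLE))
```

A hit on the container's nginx log while the proxy forwards plain HTTP to a backend with SECURE_CONNECTION=1 points at a scheme mismatch between proxy and backend rather than at an authentication failure.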
This problem does indeed exist.
> As I'm using traefik as my reverse proxy which automatically provides a valid certificate, doing this doesn't make sense for me as this forces the use of self-signed certificates.

The reverse proxy exposes a valid certificate to the user. This is not related to the connection used between the reverse proxy and the container, where a self-signed certificate can be used without problem.

> When now trying to access the application via the proxy, I'm getting infinite HTTP 307 redirects to the same page.

Reverse proxy with nginx works without issue, so I guess there is a configuration issue with Traefik. I'm not an expert with this reverse proxy, but can you try to add the following label:
traefik.http.services.firefox.loadbalancer.server.scheme=https
Using
traefik.http.services.firefox.loadbalancer.server.scheme=https
made the server reachable again but I still get an Internal server error as your certificate is not valid.
Can you please provide a way to enable the WEB_AUTHENTICATION option without needing to enable SECURE_CONNECTION.
Just ignoring the certificate validity is not really an option for me.
> Just ignoring the certificate validity is not really an option for me.

Why?
Web authentication without a secure connection is not a good idea, because we don't want to pass credentials in clear over the network.
I still think in a scenario I am in it is fine and you should provide a way, for example a variable to allow it.
- The port of the container is not exposed.
- The service communicates through http only with the reverse proxy and the connection between the browser and the reverse proxy is encrypted.
- The communication between the reverse proxy and the container is http but is only running through an internal docker network.
Ignoring the certificate validity is not an option as traefik does not provide an easy way to do it, there only seems to be a global setting that I don't want to activate for obvious reasons.
> Ignoring the certificate validity is not an option as traefik does not provide an easy way to do it, there only seems to be a global setting that I don't want to activate for obvious reasons.

According to the following link, you can create a serversTransport and assign it to your service.
https://community.traefik.io/t/https-reverse-proxy-to-https-service-do-i-need-new-certs/21142/4
This has the issue of not being supported through the cli configuration so you can't use it with a single compose file without additional files. This could be a problem for users of hosting services where only a single compose file is allowed.
I have implemented it like this now and it's working so ty :) You can close this issue if you want to as it is solved for me.
Instructions on how to solve:
- Add a new volume to your docker compose file for traefik.
  volumes:
    - "/path/to/config:/config"
- Add a config file with the following content to /path/to/config/config.yml
  http:
    serversTransports:
      firefox:
        insecureSkipVerify: true
- Add the following configuration to your firefox container
  labels:
    - "traefik.http.services.firefox.loadbalancer.serverstransport=firefox@file"
I'm having the same issues with caddy instead of traefik. Any way to make the web authentication work with caddy?
I use traefik and adding traefik.http.services.firefox.loadbalancer.server.scheme=https made it work for me both via IP and through my domain name.
I ran into this problem when trying to use the free HTTPS certificate provided by my VPS. The VPS expects the docker app to use http; they seem to handle SSL termination themselves. Unfortunately their management page does not provide any options I can set to ignore the self-signed certificate checks, just a subdomain and app port number. It would be nice to have another environment variable that disables the SECURE_CONNECTION enforcement for this edge case.