hass-auth-header

Help with Traefik and Authelia
Hello,
I'll be grateful for assistance please.
I have Traefik and Authelia up and running. Using a basic WhoAmI service, the user name is provided in the header as "Remote-User: paul" as below (URLs and IP redacted).
IP: 127.0.0.1
IP: 172.18.0.3
RemoteAddr: 172.18.0.4:36928
GET / HTTP/1.1
Host: whoami.redacted.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
Cache-Control: max-age=0
Cdn-Loop: cloudflare
Cf-Connecting-Ip: redacted
Cf-Ipcountry: GB
Cf-Ray: 808913071a7071fe-LHR
Cf-Visitor: {"scheme":"https"}
Cookie: cf_clearance=gxwM7vXDTNfce1t..lFe7T1JWZCsob_dUBhGtdY6mny-1695033460-0-1-621f681.ea0a671b.5120a961-0.2.1695033460; authelia_session=tC4Cbv!Oxt%an7BTiZf$ggHp1YipNsY^
Dnt: 1
Referer: https://login.redacted.com/
Remote-Name: paul
Remote-User: paul
Sec-Ch-Ua: "Chromium";v="116", "Not)A;Brand";v="24", "Google Chrome";v="116"
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: "Windows"
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-site
Sec-Fetch-User: ?1
Upgrade-Insecure-Requests: 1
X-Forwarded-For: 172.70.91.58
X-Forwarded-Host: whoami.redacted.com
X-Forwarded-Port: 443
X-Forwarded-Proto: https
X-Forwarded-Server: a4229f013d36
X-Real-Ip: 172.70.91.58
This is the section from my Home Assistant configuration.yaml:
http:
 use_x_forwarded_for: true
 trusted_proxies:
    - 172.0.0.0/8
    - 192.168.1.11/32 # This needs to be set to the IP of your reverse proxy
 auth_header:
    username_header: Remote-User
However, in the debug log below (URLs and IP redacted), Remote-User doesn't appear in the header and, unsurprisingly, "No header set" and "no matching user found" errors then occur:
2023-09-18 11:57:54.386 DEBUG (MainThread) [custom_components.auth_header] Removed original login_flow route (UrlDispatcher) <PlainResource /auth/login_flow>
2023-09-18 11:57:54.386 DEBUG (MainThread) [custom_components.auth_header] Removed original login_flow route (FastUrlDispatcher) <PlainResource /auth/login_flow>
2023-09-18 11:57:54.386 DEBUG (MainThread) [custom_components.auth_header] Add new login_flow route
2023-09-18 11:57:54.387 DEBUG (MainThread) [custom_components.auth_header] Injected auth_header provider
2023-09-18 11:57:54.650 DEBUG (MainThread) [custom_components.auth_header] <CIMultiDictProxy('Host': 'ha.redacted.com', 'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36', 'Content-Length': '135', 'Accept': '*/*', 'Accept-Encoding': 'gzip', 'Accept-Language': 'en-GB,en-US;q=0.9,en;q=0.8', 'Cdn-Loop': 'cloudflare', 'Cf-Connecting-Ip': 'redacted', 'Cf-Ipcountry': 'GB', 'Cf-Ray': '8089121bcd4771fe-LHR', 'Cf-Visitor': '{"scheme":"https"}', 'Content-Type': 'text/plain;charset=UTF-8', 'Cookie': 'cf_clearance=gxwM7vXDTNfce1t..lFe7T1JWZCsob_dUBhGtdY6mny-1695033460-0-1-621f681.ea0a671b.5120a961-0.2.1695033460; authelia_session=tC4Cbv!Oxt%an7BTiZf$ggHp1YipNsY^', 'Dnt': '1', 'Origin': 'https://ha.redacted.com', 'Sec-Ch-Ua': '"Chromium";v="116", "Not)A;Brand";v="24", "Google Chrome";v="116"', 'Sec-Ch-Ua-Mobile': '?0', 'Sec-Ch-Ua-Platform': '"Windows"', 'Sec-Fetch-Dest': 'empty', 'Sec-Fetch-Mode': 'cors', 'Sec-Fetch-Site': 'same-origin', 'X-Forwarded-For': '172.70.91.58', 'X-Forwarded-Host': 'ha.redacted.com', 'X-Forwarded-Port': '443', 'X-Forwarded-Proto': 'https', 'X-Forwarded-Server': 'a4229f013d36', 'X-Real-Ip': '172.70.91.58')>
2023-09-18 11:57:54.650 DEBUG (MainThread) [custom_components.auth_header] Got actual IP 192.168.1.11
2023-09-18 11:57:54.650 INFO (MainThread) [custom_components.auth_header.headers] No header set, returning empty flow
2023-09-18 11:57:54.650 DEBUG (MainThread) [custom_components.auth_header.headers] no matching user found
Thanks in advance.
Add this to your settings:
logger:
    default: info
    logs:
        custom_components.auth_header: debug
With that you'll see a log of all headers.
Thanks, I have done that, and the debug log from Home Assistant is at the end of my first post. Here's the formatted Home Assistant debug header, which may be easier to read:
2023-09-18 11:57:54.650 DEBUG (MainThread) [custom_components.auth_header] <CIMultiDictProxy(
'Host': 'ha.redacted.com', 
'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36', 
'Content-Length': '135', 
'Accept': '*/*', 
'Accept-Encoding': 'gzip', 
'Accept-Language': 'en-GB,en-US;q=0.9,en;q=0.8', 
'Cdn-Loop': 'cloudflare', 
'Cf-Connecting-Ip': 'redacted', 
'Cf-Ipcountry': 'GB', 
'Cf-Ray': '8089121bcd4771fe-LHR', 
'Cf-Visitor': '{"scheme":"https"}', 
'Content-Type': 'text/plain;charset=UTF-8', 
'Cookie': 'cf_clearance=gxwM7vXDTNfce1t..lFe7T1JWZCsob_dUBhGtdY6mny-1695033460-0-1-621f681.ea0a671b.5120a961-0.2.1695033460; authelia_session=tC4Cbv!Oxt%an7BTiZf$ggHp1YipNsY^', 
'Dnt': '1', 
'Origin': 'https://ha.redacted.com', 
'Sec-Ch-Ua': '"Chromium";v="116", "Not)A;Brand";v="24", "Google Chrome";v="116"', 
'Sec-Ch-Ua-Mobile': '?0', 
'Sec-Ch-Ua-Platform': '"Windows"', 
'Sec-Fetch-Dest': 'empty', 
'Sec-Fetch-Mode': 'cors', 
'Sec-Fetch-Site': 'same-origin', 
'X-Forwarded-For': '172.70.91.58', 
'X-Forwarded-Host': 'ha.redacted.com', 
'X-Forwarded-Port': '443', 
'X-Forwarded-Proto': 'https', 
'X-Forwarded-Server': 'a4229f013d36', 
'X-Real-Ip': '172.70.91.58'
)>
"Remote-User: paul" doesn't appear.
It looks like Home Assistant is not behind Authelia: the remote-user headers are not being added. Did you perhaps forget to add your Authelia middleware to your Home Assistant configuration in Traefik?
Same problem, but I figured it out @Pauld-1.
When you are not logged into Authelia, the headers are not forwarded (kind of obvious). Unfortunately hass-auth-header doesn't forward (or is this Traefik?) to the authentication backend (i.e. Authelia) to log in and just responds with an error.
After manually logging in to Authelia, I get the Remote-User header in hass-auth-header and I am logged in to HA. I'm not sure why you get different results for the WhoAmI image and HA - I can repro the same behavior with WhoAmI: no Remote-User header when not logged in (and no forward to the authentication backend) - after logging in to Authelia in the same browser session I get the authentication headers.
Note: I tried both the one_factor policy and the two_factor policy in Authelia for the authentication headers to work. Both work, but the process is always to first manually log in.
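
The check the thread performs by eye, as an added example that is not part of the original posts or of hass-auth-header's own code: it parses the component's debug lines, reports whether the configured username header reached Home Assistant, and lists `trusted_proxies` entries that reach beyond RFC 1918 private space. The function name, result keys and sample log lines are constructed for illustration; it assumes the header is honoured for any peer inside `trusted_proxies`.

```python
import ipaddress
import re

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
TAG = "[custom_components.auth_header]"
DUMP_RE = re.compile(r"<CIMultiDictProxy\((.*)\)>")      # header dump line
PAIR_RE = re.compile(r"'([^']+)': '((?:[^'\\]|\\.)*)'")  # 'Name': 'value'
PEER_RE = re.compile(r"Got actual IP (\S+)")             # connecting peer

def diagnose(log_lines, username_header, trusted_proxies):
    """Summarise what the debug log says about header-based login."""
    nets = [ipaddress.ip_network(n) for n in trusted_proxies]
    headers, peer = {}, None
    for line in log_lines:
        if TAG not in line:
            continue
        dump = DUMP_RE.search(line)
        if dump:  # header names are case-insensitive, so compare lowercased
            headers = {k.lower(): v for k, v in PAIR_RE.findall(dump.group(1))}
        seen = PEER_RE.search(line)
        if seen:
            peer = ipaddress.ip_address(seen.group(1))
    # Any address in a trusted network can assert the username header, so
    # networks that extend past private address space deserve a second look.
    wide = [str(n) for n in nets
            if not any(n.version == p.version and n.subnet_of(p) for p in RFC1918)]
    return {
        "header_present": username_header.lower() in headers,
        "username": headers.get(username_header.lower()),
        "peer_trusted": peer is not None and any(peer in n for n in nets),
        "wide_trusted_networks": wide,
    }

# Constructed sample lines in the format shown in the thread (not real logs).
PREFIX = "2024-01-01 00:00:00.000 DEBUG (MainThread) " + TAG + " "
NO_SESSION = [
    PREFIX + "<CIMultiDictProxy('Host': 'ha.example.test', 'Accept': '*/*', "
             "'X-Forwarded-For': '203.0.113.7')>",
    PREFIX + "Got actual IP 192.168.1.11",
]
WITH_SESSION = [
    PREFIX + "<CIMultiDictProxy('Host': 'ha.example.test', "
             "'Remote-User': 'paul', 'X-Forwarded-For': '203.0.113.7')>",
    PREFIX + "Got actual IP 192.168.1.11",
]

if __name__ == "__main__":
    proxies = ["172.0.0.0/8", "192.168.1.11/32"]  # values from the posted config
    for name, lines in (("no session", NO_SESSION), ("session", WITH_SESSION)):
        print(name, diagnose(lines, "Remote-User", proxies))
```

With the `trusted_proxies` values from the first post, `172.0.0.0/8` is reported as wider than private space, because Docker bridge addresses such as 172.18.0.3 fall inside the narrower `172.16.0.0/12`.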