dokku-http-auth
Permission errors when activating HTTP auth on app
Steps to Reproduce
$ dokku http-auth:enable APP_NAME user password
Actual Results
Error 500 when trying to access the app. Inspecting the nginx error logs, I get the following message:
... *15 open() "/home/dokku/APP_NAME/htpasswd" failed (13: Permission denied)
Expected Results
HTTP Auth enabled on site.
How to resolve
After investigating the issue, I found that the folder /home/dokku has rwxr-x--- permissions instead of rwxr-x--x. If I change the permissions and then enable or create the http auth, it works as expected.
Environment Information
dokku report APP_NAME output
-----> uname: Linux XXXXX 5.15.0-40-generic #43-Ubuntu SMP Wed Jun 15 12:54:21 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux
-----> memory:
total used free shared buff/cache available
Mem: 7761 2888 1519 4 3353 4567
Swap: 0 0 0
-----> docker version:
Client: Docker Engine - Community
Version: 20.10.17
API version: 1.41
Go version: go1.17.11
Git commit: 100c701
Built: Mon Jun 6 23:02:46 2022
OS/Arch: linux/amd64
Context: default
Experimental: true
Server: Docker Engine - Community
Engine:
Version: 20.10.17
API version: 1.41 (minimum version 1.12)
Go version: go1.17.11
Git commit: a89b842
Built: Mon Jun 6 23:00:51 2022
OS/Arch: linux/amd64
Experimental: false
containerd:
Version: 1.6.6
GitCommit: 10c12954828e7c7c9b6e0ea9b0c02b01407d3ae1
runc:
Version: 1.1.2
GitCommit: v1.1.2-0-ga916309
docker-init:
Version: 0.19.0
GitCommit: de40ad0
-----> docker daemon info:
Client:
Context: default
Debug Mode: true
Plugins:
app: Docker App (Docker Inc., v0.9.1-beta3)
buildx: Docker Buildx (Docker Inc., v0.8.2-docker)
compose: Docker Compose (Docker Inc., v2.6.0)
scan: Docker Scan (Docker Inc., v0.17.0)
Server:
Containers: 8
Running: 8
Paused: 0
Stopped: 0
Images: 68
Server Version: 20.10.17
Storage Driver: overlay2
Backing Filesystem: extfs
Supports d_type: true
Native Overlay Diff: true
userxattr: false
Logging Driver: json-file
Cgroup Driver: systemd
Cgroup Version: 2
Plugins:
Volume: local
Network: bridge host ipvlan macvlan null overlay
Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
Swarm: inactive
Runtimes: io.containerd.runc.v2 io.containerd.runtime.v1.linux runc
Default Runtime: runc
Init Binary: docker-init
containerd version: 10c12954828e7c7c9b6e0ea9b0c02b01407d3ae1
runc version: v1.1.2-0-ga916309
init version: de40ad0
Security Options:
apparmor
seccomp
Profile: default
cgroupns
Kernel Version: 5.15.0-40-generic
Operating System: Ubuntu 22.04 LTS
OSType: linux
Architecture: x86_64
CPUs: 4
Total Memory: 7.579GiB
Name: XXXX
ID: P6NH:MIYE:3JV6:YTYK:MLVG:UCP2:ID6B:6PW2:IMUK:EBPX:7URP:BAIC
Docker Root Dir: /var/lib/docker
Debug Mode: false
Registry: https://index.docker.io/v1/
Labels:
Experimental: false
Insecure Registries:
127.0.0.0/8
Live Restore Enabled: false
-----> git version: git version 2.34.1
-----> sigil version: 0.9.0build+bc921b7
-----> herokuish version:
herokuish: 0.5.36
buildpacks:
heroku-buildpack-multi v1.2.0
heroku-buildpack-ruby v240
heroku-buildpack-nodejs v196
heroku-buildpack-clojure v87
heroku-buildpack-python v211
heroku-buildpack-java v70
heroku-buildpack-gradle v36
heroku-buildpack-scala v92
heroku-buildpack-play v26
heroku-buildpack-php v218
heroku-buildpack-go v162
heroku-buildpack-nginx v16
buildpack-null v3
-----> dokku version: dokku version 0.27.6
-----> plugn version: plugn: 0.12.0build+3a27594
-----> dokku plugins:
00_dokku-standard 0.27.6 enabled dokku core standard plugin
20_events 0.27.6 enabled dokku core events logging plugin
app-json 0.27.6 enabled dokku core app-json plugin
apps 0.27.6 enabled dokku core apps plugin
builder 0.27.6 enabled dokku core builder plugin
builder-dockerfile 0.27.6 enabled dokku core builder-dockerfile plugin
builder-herokuish 0.27.6 enabled dokku core builder-herokuish plugin
builder-null 0.27.6 enabled dokku core builder-null plugin
builder-pack 0.27.6 enabled dokku core builder-pack plugin
buildpacks 0.27.6 enabled dokku core buildpacks plugin
certs 0.27.6 enabled dokku core certificate management plugin
checks 0.27.6 enabled dokku core checks plugin
common 0.27.6 enabled dokku core common plugin
config 0.27.6 enabled dokku core config plugin
cron 0.27.6 enabled dokku core cron plugin
docker-options 0.27.6 enabled dokku core docker-options plugin
domains 0.27.6 enabled dokku core domains plugin
elasticsearch 1.20.3 enabled dokku elasticsearch service plugin
enter 0.27.6 enabled dokku core enter plugin
git 0.27.6 enabled dokku core git plugin
http-auth 0.10.0 enabled HTTP authentication for apps
letsencrypt 0.16.3 enabled Automated installation of let's encrypt TLS certificates
logs 0.27.6 enabled dokku core logs plugin
mysql 1.19.5 enabled dokku mysql service plugin
network 0.27.6 enabled dokku core network plugin
nginx-vhosts 0.27.6 enabled dokku core nginx-vhosts plugin
plugin 0.27.6 enabled dokku core plugin plugin
proxy 0.27.6 enabled dokku core proxy plugin
ps 0.27.6 enabled dokku core ps plugin
redis 1.20.0 enabled dokku redis service plugin
registry 0.27.6 enabled dokku core registry plugin
repo 0.27.6 enabled dokku core repo plugin
resource 0.27.6 enabled dokku core resource plugin
run 0.27.6 enabled dokku core run plugin
scheduler 0.27.6 enabled dokku core scheduler plugin
scheduler-docker-local 0.27.6 enabled dokku core scheduler-docker-local plugin
scheduler-null 0.27.6 enabled dokku core scheduler-null plugin
shell 0.27.6 enabled dokku core shell plugin
ssh-keys 0.27.6 enabled dokku core ssh-keys plugin
storage 0.27.6 enabled dokku core storage plugin
trace 0.27.6 enabled dokku core trace plugin
=====> sidekiq app-json information
App json computed selected: app.json
App json global selected: app.json
App json selected:
=====> sidekiq app information
App created at: 1656499876
App deploy source: sidekiq
App deploy source metadata: sidekiq
App dir: /home/dokku/sidekiq
App locked: false
=====> sidekiq builder information
Builder build dir:
Builder computed build dir:
Builder computed selected:
Builder global build dir:
Builder global selected:
Builder selected:
=====> sidekiq builder-dockerfile information
Builder dockerfile computed dockerfile path: Dockerfile
Builder dockerfile global dockerfile path: Dockerfile
Builder dockerfile dockerfile path:
=====> sidekiq builder-pack information
Builder pack computed projecttoml path: project.toml
Builder pack global projecttoml path: project.toml
Builder pack projecttoml path:
=====> sidekiq buildpacks information
Buildpacks computed stack: gliderlabs/herokuish:latest-20
Buildpacks global stack:
Buildpacks list:
Buildpacks stack:
=====> sidekiq ssl information
Ssl dir: /home/dokku/sidekiq/tls
Ssl enabled: true
Ssl hostnames: XXXXXX
Ssl expires at: Sep 27 07:46:45 2022 GMT
Ssl issuer: C = US, O = Let's Encrypt, CN = R3
Ssl starts at: Jun 29 07:46:46 2022 GMT
Ssl subject: subject=CN = XXXXXX
Ssl verified: self signed
=====> sidekiq checks information
Checks disabled list: none
Checks skipped list: none
=====> sidekiq cron information
Cron task count: 0
=====> sidekiq docker options information
Docker options build: --link dokku.redis.redis:dokku-redis-redis
Docker options deploy: --link dokku.redis.redis:dokku-redis-redis --restart=on-failure:10
Docker options run: --link dokku.redis.redis:dokku-redis-redis
=====> sidekiq domains information
Domains app enabled: true
Domains app vhosts: XXXXXXX
Domains global enabled: true
Domains global vhosts: XXXXXX
=====> sidekiq git information
Git deploy branch: master
Git global deploy branch: master
Git keep git dir: false
Git rev env var: GIT_REV
Git sha: 6cc14d9
Git last updated at: 1656492376
=====> sidekiq http-auth information
Http auth enabled: true
Http auth allowed ips:
Http auth users: sidekiq
=====> sidekiq letsencrypt information
Letsencrypt active: true
Letsencrypt autorenew: false
Letsencrypt email: XXXXXXXX
Letsencrypt expiration: 1664264805
=====> sidekiq logs information
Logs computed max size: 10m
Logs global max size: 10m
Logs global vector sink:
Logs max size:
Logs vector sink:
=====> sidekiq network information
Network attach post create:
Network attach post deploy:
Network bind all interfaces: false
Network computed attach post create:
Network computed attach post deploy:
Network computed bind all interfaces: false
Network computed initial network:
Network computed tld:
Network global attach post create:
Network global attach post deploy:
Network global bind all interfaces: false
Network global initial network:
Network global tld:
Network initial network:
Network static web listener:
Network tld:
Network web listeners: 172.17.0.5:5000
=====> sidekiq nginx information
Nginx access log format:
Nginx access log path: /var/log/nginx/sidekiq-access.log
Nginx bind address ipv4:
Nginx bind address ipv6: ::
Nginx client max body size:
Nginx disable custom config: false
Nginx error log path: /var/log/nginx/sidekiq-error.log
Nginx global hsts: true
Nginx computed hsts: true
Nginx hsts:
Nginx hsts include subdomains: true
Nginx hsts max age: 15724800
Nginx hsts preload: false
Nginx proxy buffer size: 4096
Nginx proxy buffering: on
Nginx proxy buffers: 8 4096
Nginx proxy busy buffers size: 8192
Nginx proxy read timeout: 60s
Nginx last visited at: 1656624315
Nginx x forwarded for value: $remote_addr
Nginx x forwarded port value: $server_port
Nginx x forwarded proto value: $scheme
Nginx x forwarded ssl:
=====> sidekiq proxy information
Proxy enabled: true
Proxy port map: http:80:5000 https:443:5000
Proxy type: nginx
=====> sidekiq ps information
Deployed: true
Processes: 1
Ps can scale: true
Ps computed procfile path: Procfile
Ps global procfile path: Procfile
Ps procfile path:
Ps restart policy: on-failure:10
Restore: true
Running: true
Status web 1: running (CID: c9bf6b0d84f)
=====> sidekiq registry information
Registry computed image repo: dokku/sidekiq
Registry computed push on release: false
Registry computed server:
Registry global push on release:
Registry global server:
Registry image repo:
Registry push on release:
Registry server:
Registry tag version:
=====> sidekiq resource information
=====> sidekiq scheduler information
Scheduler computed selected: docker-local
Scheduler global selected: docker-local
Scheduler selected:
=====> sidekiq scheduler-docker-local information
Scheduler docker local disable chown:
Scheduler docker local parallel schedule count:
=====> sidekiq storage information
Storage build mounts:
Storage deploy mounts:
Storage run mounts:
How (deb/make/rpm) and where (AWS, VirtualBox, physical, etc.) was Dokku installed?:
Dokku version 0.27.6 installed using bootstrap.sh on a fresh installation of Ubuntu 22.04 LTS on a physical server.
Additional information
The nginx configuration (if applicable) via dokku nginx:show-config APP_NAME
server {
    listen [::]:80;
    listen 80;
    server_name XXXXX;
    access_log /var/log/nginx/sidekiq-access.log;
    error_log /var/log/nginx/sidekiq-error.log;
    include /home/dokku/sidekiq/nginx.conf.d/*.conf;
    location / {
        return 301 https://$host:443$request_uri;
    }
}
server {
    listen [::]:443 ssl http2;
    listen 443 ssl http2;
    server_name XXXXX;
    access_log /var/log/nginx/sidekiq-access.log;
    error_log /var/log/nginx/sidekiq-error.log;
    ssl_certificate /home/dokku/sidekiq/tls/server.crt;
    ssl_certificate_key /home/dokku/sidekiq/tls/server.key;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers off;
    keepalive_timeout 70;
    location / {
        gzip on;
        gzip_min_length 1100;
        gzip_buffers 4 32k;
        gzip_types text/css text/javascript text/xml text/plain text/x-component application/javascript application/x-javascript application/json application/xml application/rss+xml font/truetype application/x-font-ttf font/opentype application/vnd.ms-fontobject image/svg+xml;
        gzip_vary on;
        gzip_comp_level 6;
        proxy_pass http://sidekiq-5000;
        http2_push_preload on;
        proxy_http_version 1.1;
        proxy_read_timeout 60s;
        proxy_buffer_size 4096;
        proxy_buffering on;
        proxy_buffers 8 4096;
        proxy_busy_buffers_size 8192;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $http_connection;
        proxy_set_header Host $http_host;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header X-Forwarded-Port $server_port;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Request-Start $msec;
    }
    include /home/dokku/sidekiq/nginx.conf.d/*.conf;
    error_page 400 401 402 403 405 406 407 408 409 410 411 412 413 414 415 416 417 418 420 422 423 424 426 428 429 431 444 449 450 451 /400-error.html;
    location /400-error.html {
        root /var/lib/dokku/data/nginx-vhosts/dokku-errors;
        internal;
    }
    error_page 404 /404-error.html;
    location /404-error.html {
        root /var/lib/dokku/data/nginx-vhosts/dokku-errors;
        internal;
    }
    error_page 500 501 503 504 505 506 507 508 509 510 511 /500-error.html;
    location /500-error.html {
        root /var/lib/dokku/data/nginx-vhosts/dokku-errors;
        internal;
    }
    error_page 502 /502-error.html;
    location /502-error.html {
        root /var/lib/dokku/data/nginx-vhosts/dokku-errors;
        internal;
    }
}
upstream sidekiq-5000 {
    server 172.17.0.5:5000;
}
Content of /home/dokku/sidekiq/nginx.conf.d/http-auth.conf
auth_basic "Restricted";
auth_basic_user_file /home/dokku/sidekiq/htpasswd;
Do you have SELinux or similar enabled?
Not that I know!
For example, in a DigitalOcean droplet with Ubuntu 22.04 LTS:
$ apt update
$ apt upgrade
$ wget https://raw.githubusercontent.com/dokku/dokku/v0.27.6/bootstrap.sh
$ DOKKU_TAG=v0.27.6 bash bootstrap.sh
$ ls -la /home/
total 12
drwxr-xr-x 3 root root 4096 Jul 1 13:54 .
drwxr-xr-x 19 root root 4096 Jul 1 13:46 ..
drwxr-x--- 5 dokku dokku 4096 Jul 1 13:55 dokku
As you can see, the dokku directory has rwxr-x--- permissions instead of rwxr-x--x.
For debugging, some output printed during the dokku install process:
Setting up dokku user
Adding user `dokku' ...
Adding new group `dokku' (1000) ...
Adding new user `dokku' (1000) with group `dokku' ...
Creating home directory `/home/dokku' ...
Copying files from `/etc/skel' ...
docker:x:999:
However, the same procedure in Ubuntu 20.04.4 LTS:
ls -la /home/
total 12
drwxr-xr-x 3 root root 4096 Jul 1 14:13 .
drwxr-xr-x 19 root root 4096 Jul 1 14:06 ..
drwxr-xr-x 4 dokku dokku 4096 Jul 1 14:13 dokku
Had the same issue on Ubuntu 22.04 LTS. Some chmod +x dokku in the home directory made this plugin work again.
Thanks @javierav for investigating and pointing in the right direction.
Since Ubuntu 21.04 the home folder for newly created users has 750 as default permissions: https://ubuntu.com/blog/private-home-directories-for-ubuntu-21-04
I think this is something that should be checked by dokku during installation and user creation @josegonzalez
Ugh this makes me think we need to actively migrate all the nginx config over to /etc/nginx somewhere instead of keeping it in the app repo. I'll start working on that, but it's definitely a BC break and a large one for Dokku. Blah.
I ran into the same issue on Ubuntu 22.04.1 LTS. chmod +x dokku worked for me as well.
Thanks!
I ran into the same problem, and chmod +x dokku on the home folder does the trick.
Same issue, and solved doing cd /home/; chmod +x dokku as you mentioned above.
Thanks for sharing, and hopefully it will be solved soon :)
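Added example (not part of the original thread or of the plugin's code): a shell check that walks the parent directories of the htpasswd file and reports the one missing the other-execute bit, which is the condition behind nginx's "(13: Permission denied)" in the report above. It assumes the nginx worker is neither owner nor group member of those directories; `first_blocking_dir`, `demo_tree` and the temporary layout are constructed for illustration.

```shell
#!/bin/sh
# Added example. Assumption: the nginx worker is neither owner nor group
# member of the directories, so only the "other" permission bits apply.

# first_blocking_dir FILE [BASE]
# Print the outermost directory between BASE (default /) and FILE that lacks
# the other-execute (traverse) bit; print an empty line if none does.
first_blocking_dir() {
    dir=$(dirname "$1")
    base=${2:-/}
    blocking=""
    while [ "$dir" != "$base" ] && [ "$dir" != "/" ] && [ "$dir" != "." ]; do
        # Character 10 of the ls -ld mode string is the other-execute bit.
        case $(ls -ld "$dir" | cut -c10) in
            x|t) ;;                 # traversable by "other"
            *) blocking=$dir ;;     # keep overwriting: outermost blocker wins
        esac
        dir=$(dirname "$dir")
    done
    printf '%s\n' "$blocking"
}

# Constructed layout mirroring the report: home/dokku is 750, as created by
# default on Ubuntu 22.04, with the htpasswd file inside the app directory.
demo_tree() {
    root=$1
    mkdir -p "$root/home/dokku/APP_NAME"
    : > "$root/home/dokku/APP_NAME/htpasswd"
    chmod 755 "$root/home" "$root/home/dokku/APP_NAME"
    chmod 750 "$root/home/dokku"
    chmod 644 "$root/home/dokku/APP_NAME/htpasswd"
}

# Run as: sh check.sh demo
if [ "${1:-}" = "demo" ]; then
    tmp=$(mktemp -d)
    demo_tree "$tmp"
    f=$tmp/home/dokku/APP_NAME/htpasswd
    echo "before: blocked at '$(first_blocking_dir "$f" "$tmp")'"
    # rwxr-x--x: "other" may traverse the directory but still cannot list it.
    chmod o+x "$tmp/home/dokku"
    echo "after:  blocked at '$(first_blocking_dir "$f" "$tmp")'"
    rm -rf "$tmp"
fi
```

On a real host, call `first_blocking_dir /home/dokku/APP_NAME/htpasswd` with no second argument to check every ancestor below `/`.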