
[BUG] Traefik authentication bug

Open modem7 opened this issue 3 years ago • 4 comments

Deployment details:

  • App version [e.g. v1.7.4]: 2.0.1
  • Platform [e.g. amd64, arm64, arm/v7]: Docker
  • Docker image tag [e.g. latest, multiarch]: latest

Bug description:

When setting up forward auth within Traefik for the /settings or /settings/app page, this doesn't come into effect. But if you visit the page directly, it works.


Steps to reproduce:

    labels:
      - "traefik.enable=true"
      ## HTTP Routers
      - "traefik.http.routers.flame-rtr.entrypoints=https"
      - "traefik.http.routers.flame-admin.entrypoints=https"
      - "traefik.http.routers.flame-rtr.rule=Host(`flame.$DOMAINNAME`)"
      - "traefik.http.routers.flame-admin.rule=Host(`flame.$DOMAINNAME`) && Path(`/settings`)"
      ## Middlewares
      - "traefik.http.routers.flame-rtr.middlewares=chain-no-auth@file, traefik-error-pages" # No Authentication
      - "traefik.http.routers.flame-admin.middlewares=chain-oauth@file, traefik-error-pages" # Authelia for Admin
      ## HTTP Services
      - "traefik.http.routers.flame-rtr.service=flame-svc"
      - "traefik.http.routers.flame-admin.service=flame-admin-svc"
      - "traefik.http.services.flame-svc.loadbalancer.server.port=5005"
      - "traefik.http.services.flame-admin-svc.loadbalancer.server.port=5005"

As you can see, there is authentication placed upon the /settings path, but if you click on the cog, you're able to access the pages without issues (same for /settings/app).

I suspect it may be caused by how the app switches from one page to another? Total guess, however.

URL to test: https://hastebin.modem7.com/emike (putting it on hastebin to reduce bot scraping chances)

modem7, Nov 22 '21 20:11

Looks like a problem with Traefik or Authelia. Traefik should forward to Authelia before sending the request to flame. When you open /settings, is there anything sent to Authelia from Traefik?

ekremparlak, Nov 23 '21 22:11

So, in this case, I'm only securing the subpath.

If I secure the entire subdomain, it works fine. If I go to flame.mydomain.com/settings (or settings/app, whichever I choose) manually, it works.

However, if I go to settings or settings/app via the cog, it does not trigger a new page load which is what I suspect is occurring.

modem7, Nov 23 '21 22:11

When you open settings/app from the settings page, it doesn't actually open settings/app. You can see it from the developer tools. When I enter the password, my browser sends /api/auth a POST request. If you could secure that path it may work.

ekremparlak, Nov 23 '21 22:11

Unfortunately no go (good shout though! Didn't think of checking that for some dumb reason).

Trying /api/auth triggers nothing useful, and also tried /api/config but still no go.

modem7, Nov 23 '21 23:11
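
Added illustration (not part of the thread, and not Traefik or Flame code): a small Python model of the two routers from the labels above, showing which router handles each request path under Traefik v2's exact-match `Path()` and its default priority (longest rule first). The host name and the cog-click request trace are assumptions; the trace is built from the thread's description that no new page load happens and only `/api/...` calls are sent.

```python
# Models only Host/Path matching and default router priority; nothing else.
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Router:
    name: str
    rule: str                # rule string as written in the labels
    host: str
    path: Optional[str]      # exact-match Path(), or None for a host-only rule
    middlewares: tuple

    def matches(self, host: str, path: str) -> bool:
        # Path() is an exact match: /settings/app does not match Path(`/settings`)
        return host == self.host and (self.path is None or path == self.path)

HOST = "flame.example.test"  # constructed stand-in for flame.$DOMAINNAME

ROUTERS = [
    Router("flame-rtr", "Host(`flame.$DOMAINNAME`)", HOST, None,
           ("chain-no-auth@file", "traefik-error-pages")),
    Router("flame-admin", "Host(`flame.$DOMAINNAME`) && Path(`/settings`)",
           HOST, "/settings", ("chain-oauth@file", "traefik-error-pages")),
]

def route(host: str, path: str) -> Optional[Router]:
    """Return the router that handles the request (longest rule wins)."""
    for r in sorted(ROUTERS, key=lambda r: len(r.rule), reverse=True):
        if r.matches(host, path):
            return r
    return None

def auth_enforced(path: str) -> bool:
    r = route(HOST, path)
    return r is not None and "chain-oauth@file" in r.middlewares

# Constructed traces. COG_CLICK is an assumption taken from the thread:
# in-app navigation requests no /settings document, only API endpoints.
DIRECT_LOAD = ["/settings"]
COG_CLICK = ["/api/config", "/api/auth"]

def trace_report(paths):
    return {p: (route(HOST, p).name, auth_enforced(p)) for p in paths}

if __name__ == "__main__":
    for label, trace in (("direct load", DIRECT_LOAD), ("cog click", COG_CLICK),
                         ("direct sub-page", ["/settings/app"])):
        print(label, trace_report(trace))
```

With these labels, the only request that reaches the `chain-oauth@file` middleware is a document request for exactly `/settings`; everything the in-app navigation sends is handled by `flame-rtr`.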