Login page bugs
Version: 2.8.0 (v2.8.0-0-g19167e4)
- I set the Read Access to "Register," but when someone accesses the website without being logged in, it shows "Access Denied" and doesn't automatically redirect to the login page.
Hey @towerstreet, thanks for reporting this. I can not reproduce this, my log shows
127.0.0.1 - - [19/Jan/2025 19:31:02] "GET /Home HTTP/1.1" 302 -
127.0.0.1 - - [19/Jan/2025 19:31:02] "GET /-/login HTTP/1.1" 200 -
In the code there is a forward in case a user has no read permissions:
https://github.com/redimp/otterwiki/blob/85b69eabb0dfe51d0d077f0c46343ebc46f9cb92/otterwiki/wiki.py#L522-L535
and a test that covers this:
https://github.com/redimp/otterwiki/blob/85b69eabb0dfe51d0d077f0c46343ebc46f9cb92/tests/test_auth.py#L211-L224
Can you double check with e.g. an incognito window and navigating to your site?
I add -/login to http://mydomain/, then I can get to it and login. Without it, the Forbidden page is always shown.
Hmm, I need more insight. Can you please run a
curl -s -v https://mydomain.com -o /dev/null 2>&1 | grep -e "^[<>]"
and post the output? e.g. curl -s -v https://dev.otterwiki.com -o /dev/null 2>&1 | grep -e "^[<>]"
> GET / HTTP/2
> Host: dev.otterwiki.com
> User-Agent: curl/8.7.1
> Accept: */*
>
< HTTP/2 302
< date: Sun, 19 Jan 2025 22:44:31 GMT
< content-type: text/html; charset=utf-8
< content-length: 203
< location: /-/login
< vary: Cookie
< set-cookie: session=.eJwNxlEKQEAQBuCr_M0zDuAUXiVp2oadDKudlSR35-n7HppmY4_i1A4PofwQm-RSH1k3zjdV1KcTxmFFiYJD8qbumnZHSeAQxP9FdVy6aoPOhF1gadG9ofEd3w8DoCO4.Z42ATw.wQRqvcQnJa7fKOhbTJgymQdOSC4; HttpOnly; Path=/
< strict-transport-security: max-age=15724800; includeSubDomains
> GET / HTTP/1.1
> Host: 192.168.31.150:8888
> User-Agent: curl/8.5.0
> Accept: */*
>
< HTTP/1.1 403 FORBIDDEN
< Server: nginx/1.22.1
< Date: Mon, 20 Jan 2025 02:40:49 GMT
< Content-Type: text/html; charset=utf-8
< Content-Length: 213
< Connection: keep-alive
< Vary: Cookie
<
Yes, this confirms what you observe: The nginx throws the 403 directly.
- ~~Which version of An Otter Wiki are you running? (on the last line of https://mydomain.com/-/about) the replying nginx is 1.22.1... and the latest otterwiki nginx is 1.25.3.. is this the reverse proxy sending the 403?~~ Sorry, my mistake. My local build is running nginx 1.25.3.
- Can you check the logs of the pod when you run into the 403? e.g. via
curl -s -L -v https://hostname/ -o /dev/null 2>&1 | grep -e "^[<>]"
Looks like this to me:
172.17.0.1 - - [20/Jan/2025:16:28:39 +0000] "GET / HTTP/1.1" 302 204 "-" "curl/8.7.1" "-"
172.17.0.1 - - [20/Jan/2025:16:28:45 +0000] "GET / HTTP/1.1" 302 204 "-" "curl/8.7.1" "-"
172.17.0.1 - - [20/Jan/2025:16:28:45 +0000] "GET /-/login HTTP/1.1" 200 5369 "-" "curl/8.7.1" "-"
curl -s -L -v https://192.168.31.150:8843 -o /dev/null 2>&1 | grep -e "^[<>]"
Nothing to show.
Hmm, if nothing shows up .. hard to say if the request reaches the actual nginx/uwsgi and who throws the 403 🤔
192.168.31.150:8843 is the otterwiki pod or the reverse proxy?
When you run just a one shot instance via docker run --rm -p 8082:80 redimp/otterwiki:2 on 192.168.31.150, can you reach http://192.168.31.150:8082 ?
curl -s -L -v https://192.168.31.150:8843 -o /dev/null 2>&1 | grep -e "^[<>]"
Shows nothing.
curl -s -L -v http://192.168.31.150:8888 -o /dev/null 2>&1 | grep -e "^[<>]"
Shows:
> GET / HTTP/1.1
> Host: 192.168.31.150:8888
> User-Agent: curl/8.5.0
> Accept: */*
>
< HTTP/1.1 403 FORBIDDEN
< Server: nginx/1.22.1
< Date: Tue, 21 Jan 2025 08:42:23 GMT
< Content-Type: text/html; charset=utf-8
< Content-Length: 213
< Connection: keep-alive
< Vary: Cookie
<
Nginx access.log:
192.168.31.15 - - [21/Jan/2025:16:59:53 +0800] "GET / HTTP/1.1" 403 185 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0"
192.168.31.15 - - [21/Jan/2025:16:59:53 +0800] "GET /favicon.ico HTTP/1.1" 499 0 "https://192.168.31.150:8843/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0"
- My docker-compose.yml
services:
  otterwiki:
    image: redimp/otterwiki:latest
    container_name: wiki
    restart: unless-stopped
    ports:
      - 8888:80
    volumes:
      - /home/towerstreet/Storage/Docker/Otterwiki/Data:/app-data
    environment:
      SITE_NAME: Wiki
- My nginx reverse proxy conf
server {
    listen 8843 ssl;
    server_name Otterwiki;
    ssl_certificate /home/towerstreet/Storage/Cert/cert.pem;
    ssl_certificate_key /home/towerstreet/Storage/Cert/key.pem;
    location / {
        proxy_pass http://localhost:8888;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
Hmm, if nothing shows up .. hard to say if the request reaches the actual nginx/uwsgi and who throws the 403 🤔
192.168.31.150:8843 is the otterwiki pod or the reverse proxy?
- reverse proxy
When you run just a one shot instance via docker run --rm -p 8082:80 redimp/otterwiki:2 on 192.168.31.150, can you reach http://192.168.31.150:8082 ?
- Can reach.
Can you check if you can reach the non one shot otterwiki directly? The question is: Does it work if you bypass the reverse proxy?
Can you check if you can reach the non one shot otterwiki directly? The question is: Does it work if you bypass the reverse proxy?
- docker run --rm -p 8082:80 redimp/otterwiki:2, everything's OK.
- http://192.168.31.150:8888 and https://192.168.31.150:8843 both show the Forbidden when I set the "register" Read Access and logout.
- If set the "anonymous" Read Access and logout, everything's OK like the non one shot otterwiki.
Thanks for the effort .. I'm currently out of ideas what is going wrong.
I configured https://dev.otterwiki.com/ to require registered access and it forwards me as it should to /-/login.
I have to set up a test environment where I replicate the set-up with your nginx config as reverse proxy.
Thanks for all your efforts.👍🏻