traefik-forward-auth

400 Bad Request || too many forward_auth cookies in request

[Open] dalanmiller opened this issue 4 years ago • 8 comments

400 Bad Request

Request Header Or Cookie Too Large

A few of my containers get sad when the _forward_auth_csrf_* cookies reach a certain number and fail to respond until I clear the cookies for that domain.

I can't recall the issue with this I ran into before but wouldn't it make more sense to upsert the cookie in such a way that it updates if existing and creates if it doesn't exist?

[Screenshot: Screen Shot 2021-02-16 at 09 28 09]

dalanmiller, Feb 15 '21 22:02

Ran into this a while ago, too.

SuperSandro2000, Feb 17 '21 13:02

Frequently running into this now after updating from v2 to v2.2, if anyone has pointers for fixing it I'd be hugely appreciative.

SalmonSays, Mar 11 '21 19:03

Hmm, the CSRF cookies should be cleared during the login or within an hour - can you post your full config?

thomseddon, Apr 19 '21 20:04

Is there any movement on this? I'm also having the error.

stevietv, Dec 05 '21 19:12

Hit this as well. A new CSRF token is generated on every request that passes through the forward auth middleware, which per the author isn't of much concern; I'm guessing they're not being cleared though.

kvncrw, Jan 03 '22 14:01

I am running into this issue as well.

hagak, May 15 '22 14:05

I'm hitting this issue as well. It's only affecting my nextcloud instance due to nginx having a smaller header/cookie limit than other services I have. Clearing cookies resolves it.

I know you asked for a config a while ago @thomseddon so here's mine. Domains, emails, client IDs, and secrets replaced with capital-lettered placeholders. This is just the oauth config stanza from a docker compose I use for traefik. I can provide more if you need it. This auth flow is used for about 27 different services (all in sub-domains). Not sure if that's what's leading to it (does each need its own CSRF cookie or is it shared in the top-level domain?).

```yaml
  oauth:
    image: thomseddon/traefik-forward-auth:latest
    restart: unless-stopped
    networks:
      - default
    hostname: oauth
    command:
      - --cookie-domain=MYDOMAIN
      - --auth-host=oauth.MYDOMAIN
      - --url-path=/_oauth
      - --secret=SECRET
#      - --log-level=debug
      - --log-level=info
      - --log-format=text
      - --lifetime=86400 # 1 day
      - --default-action=auth
      - --default-provider=google
      # Restrict to google workspace accounts
      - --domain=MYDOMAIN
      # Whitelist my personal email though...
      - --whitelist=MYEMAIL
      - --match-whitelist-or-domain
      # Google auth config
      - --providers.google.client-id=MYCLIENTID
      - --providers.google.client-secret=MYSECRET
    environment:
      - TZ=US/Eastern
    expose:
      - 4181/tcp
    labels:
      # provide google oauth middleware redirect for services (use this: 'oauth' to enable on services)
      - "traefik.http.middlewares.oauth.forwardAuth.address=http://oauth:4181"
      - "traefik.http.middlewares.oauth.forwardAuth.authResponseHeaders=X-Forward-User"

      # oauth website itself
      - "traefik.enable=true"
      - "traefik.http.routers.oauth.rule=Host(`oauth.MYDOMAIN`)"
      - "traefik.http.routers.oauth.tls=true"
      - "traefik.http.routers.oauth.tls.certresolver=leprod"
      - "traefik.http.routers.oauth.entrypoints=websecure"
      # WTF do we need this? See here: https://github.com/thomseddon/traefik-forward-auth/issues/11#issuecomment-885445763
      - "traefik.http.routers.oauth.middlewares=oauth"

      # Watchtower auto-update
      - "com.centurylinklabs.watchtower.scope=auto-update"
```

stuckj, Feb 27 '24 15:02
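The two mechanisms the thread circles around (kvncrw's point that a nonce-named CSRF cookie is issued per request, and stuckj's question whether 27 sub-domains share one cookie or each gets its own) can be reproduced with a plain Go cookie jar. The following is an added example written for this page, not code from traefik-forward-auth: it assumes a `_forward_auth_csrf_` name prefix (matching the names quoted above), a constructed stand-in domain `example.test` for the MYDOMAIN placeholder, and an illustrative "expire the stale ones before issuing a new one" cleanup step as the upsert-style behaviour dalanmiller asks for. Because every cookie is set on the shared parent domain, the browser sends all of them to every sub-domain, so the Cookie header grows with the number of services visited until a reverse proxy with a small header limit (nginx in front of Nextcloud, in hagak's case) answers 400.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"fmt"
	"net/http"
	"net/http/cookiejar"
	"net/url"
	"strings"
)

// csrfPrefix is the cookie-name prefix assumed for the per-request CSRF
// cookies discussed in the thread (one cookie per nonce, set on the
// shared cookie domain). Assumption for this example, not project code.
const csrfPrefix = "_forward_auth_csrf_"

// cookieDomain is a constructed stand-in for the MYDOMAIN placeholder.
const cookieDomain = "example.test"

// nonce returns 32 hex characters of randomness (16 random bytes).
func nonce() string {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return hex.EncodeToString(b)
}

// newCSRFCookie mimics issuing a fresh nonce-named CSRF cookie on the
// parent domain, which is what makes it visible to every sub-domain.
func newCSRFCookie() *http.Cookie {
	return &http.Cookie{
		Name:   csrfPrefix + nonce(),
		Value:  nonce(),
		Domain: cookieDomain,
		Path:   "/",
		MaxAge: 3600,
	}
}

// csrfCookies filters the CSRF cookies out of what a browser would send.
func csrfCookies(cookies []*http.Cookie) []*http.Cookie {
	var out []*http.Cookie
	for _, c := range cookies {
		if strings.HasPrefix(c.Name, csrfPrefix) {
			out = append(out, c)
		}
	}
	return out
}

// cookieHeaderSize is the byte length of the Cookie request header a
// browser builds from these cookies: "name=value; name=value; ...".
func cookieHeaderSize(cookies []*http.Cookie) int {
	parts := make([]string, 0, len(cookies))
	for _, c := range cookies {
		parts = append(parts, c.Name+"="+c.Value)
	}
	return len(strings.Join(parts, "; "))
}

// expireStale builds the Set-Cookie values that clear every CSRF cookie
// already present on the request (Max-Age=-1 deletes it) and then adds the
// fresh one. This is an illustrative cleanup approach for the "update if
// existing, create if not" behaviour requested in the thread.
func expireStale(present []*http.Cookie, fresh *http.Cookie) []*http.Cookie {
	var out []*http.Cookie
	for _, c := range csrfCookies(present) {
		out = append(out, &http.Cookie{
			Name: c.Name, Value: "", Domain: cookieDomain, Path: "/", MaxAge: -1,
		})
	}
	return append(out, fresh)
}

// visitAll simulates one browser (a cookie jar) hitting n protected
// sub-domains in turn. With cleanup=false the auth middleware only ever adds
// cookies, as reported above; with cleanup=true it expires stale ones first.
// It returns the CSRF cookie count and Cookie header size seen by the last service.
func visitAll(n int, cleanup bool) (csrfCount, headerBytes int) {
	jar, _ := cookiejar.New(nil)
	for i := 0; i < n; i++ {
		svc, _ := url.Parse(fmt.Sprintf("http://svc%d.%s/", i, cookieDomain))
		fresh := newCSRFCookie()
		if cleanup {
			jar.SetCookies(svc, expireStale(jar.Cookies(svc), fresh))
		} else {
			jar.SetCookies(svc, []*http.Cookie{fresh})
		}
	}
	last, _ := url.Parse(fmt.Sprintf("http://svc%d.%s/", n-1, cookieDomain))
	sent := jar.Cookies(last)
	return len(csrfCookies(sent)), cookieHeaderSize(sent)
}

func main() {
	c, b := visitAll(27, false)
	fmt.Printf("no cleanup: %d CSRF cookies, %d-byte Cookie header\n", c, b)
	c, b = visitAll(27, true)
	fmt.Printf("cleanup:    %d CSRF cookies, %d-byte Cookie header\n", c, b)
}
```

Without cleanup the 27 visits leave 27 parent-domain cookies that every sub-domain receives (about 2.3 KB of Cookie header with 32-character nonces and values); with the cleanup step the jar holds one. Real tokens and session cookies are larger, so the header budget of whichever proxy sits behind the middleware is reached sooner than this toy count suggests; the useful check on a live setup is to compare the Cookie header length the backend receives against that proxy's header-buffer setting.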