Comments (5)

james-d-elliott commented on May 24, 2024

Can you show some detail about how you've configured traefik? This issue doesn't occur with our examples but I wonder if maybe it's communicating over IPv6 and we've not accounted for this somehow.

Also, can you show the output of the traefik/whoami container when running it behind your traefik install with the same middlewares? Specifically, we're looking for the X-Forwarded-For header.


gemorgan commented on May 24, 2024

I don't have the traefik/whoami container spun up on this unraid system. I'll see if I can figure out how to get it running in unraid. Or maybe the traefik conf files will tell you what you need to know. FYI, this was all working until a system rebuild with a move from the 192.168.0.0/24 subnet to 192.168.1.0/24.

traefik.yml

global:
  checkNewVersion: true
  sendAnonymousUsage: false
serversTransport:
  insecureSkipVerify: true

entryPoints:
  # Not used in apps, but redirect everything from HTTP to HTTPS
  http:
    address: :80
    # forwardedHeaders:
    #   trustedIPs: &trustedIps
    #     # Start of Cloudflare public IP list for HTTP requests, remove this if you don't use it
    #     - 173.245.48.0/20

    http:
      redirections:
        entryPoint:
          to: https
          scheme: https

  # HTTPS endpoint, with domain wildcard
  https:
    address: :443
    # forwardedHeaders:
    #   # Reuse list of Cloudflare Trusted IP's above for HTTPS requests
    #   trustedIPs: *trustedIps
    http:
      tls:
        # Generate a wildcard domain certificate
        certResolver: letsencrypt
        domains:
          - main: somedomain.com
            sans:
              - '*.somedomain.com'
      middlewares:
        - securityHeaders@file

providers:
  providersThrottleDuration: 2s

  # File provider for connecting things that are outside of docker / defining middleware
  file:
    filename: /etc/traefik/fileConfig.yml
    watch: true

  # Docker provider for connecting all apps that are inside of the docker network
  docker:
    watch: true
    network: custom    # Add Your Docker Network Name Here
    # Default host rule to containername.domain.example
    defaultRule: "Host(`{{ lower (trimPrefix `/` .Name )}}.somedomain.com`)"    # Replace with your domain
    swarmModeRefreshSeconds: 15s
    exposedByDefault: false
    endpoint: "tcp://dockersocket:2375"

# Enable traefik ui
api:
  dashboard: true
  insecure: true

# Log level INFO|DEBUG|ERROR
log:
  level: INFO

# Use letsencrypt to generate ssl certificates
certificatesResolvers:
  letsencrypt:
    acme:
      email: [email protected]
      storage: /etc/traefik/acme.json
      dnsChallenge:
        provider: cloudflare
        # Used to make sure the DNS challenge is propagated to the right DNS servers
        resolvers:
          - "1.1.1.1:53"
          - "1.0.0.1:53"

fileConfig.yml

http:
    ## EXTERNAL ROUTING ##
  routers:
  ## SERVICES ##
  services:

  ## MIDDLEWARES ##
  middlewares:
    # Only Allow Local networks
    local-ipwhitelist:
      ipWhiteList:
        sourceRange: 
          - 127.0.0.1/32 # localhost
          - 192.168.1.1/24 # LAN Subnet
    auth:
      forwardauth:
        address: http://authelia:9091/api/verify?rd=https://authelia.somedomain.com/
        trustForwardHeader: true
        authResponseHeaders:
          - Remote-User
          - Remote-Groups
          - Remote-Name
          - Remote-Email
    # Authelia basic auth guard
    auth-basic:
      forwardauth:
        address: http://authelia:9091/api/verify?auth=basic
        trustForwardHeader: true
        authResponseHeaders:
          - Remote-User
          - Remote-Groups
          - Remote-Name
          - Remote-EmailHeaders
    # Security headers
    securityHeaders:
      headers:
        customResponseHeaders:
          X-Robots-Tag: "noindex,nofollow,none,noarchive,nosnippet,notranslate,noimageindex"
          X-Forwarded-Proto: "https"
          server: ""
        customRequestHeaders:
          X-Forwarded-Proto: "https"
          X-Forwarded-For: "${clientip}"
        sslProxyHeaders:
          X-Forwarded-Proto: "https"
        referrerPolicy: "same-origin"
        hostsProxyHeaders:
          - "X-Forwarded-Host"
        contentTypeNosniff: true
        browserXssFilter: true
        forceSTSHeader: true
        stsIncludeSubdomains: true
        stsSeconds: 63072000
        stsPreload: true


james-d-elliott commented on May 24, 2024

Try commenting X-Forwarded-For: "${clientip}". I suspect this is sending an empty header which is likely the cause. The whoami container is super easy to set up btw.

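The suggestion above comes down to what a forward-auth backend can do with the X-Forwarded-For value it receives. As an added example (not code from this thread, Authelia or Traefik), the Go program below parses the header strictly, so both an empty value and the literal text `${clientip}` are rejected, and picks the right-most entry that is not a trusted proxy. The names `clientIP`, `isTrusted` and `trustedProxies`, the 172.18.0.0/16 range and all sample addresses are constructed for illustration, and the direct peer is assumed to be a trusted proxy already.

```go
package main

import (
	"fmt"
	"net/netip"
	"strings"
)

// Constructed sample: stands in for the Docker network the proxy lives on.
var trustedProxies = []netip.Prefix{netip.MustParsePrefix("172.18.0.0/16")}

// clientIP returns the right-most X-Forwarded-For entry that is not a trusted
// proxy. Every entry must parse as an IP, so "" and "${clientip}" both fail.
func clientIP(xff string, trusted []netip.Prefix) (netip.Addr, error) {
	parts := strings.Split(xff, ",")
	addrs := make([]netip.Addr, len(parts))
	for i, p := range parts {
		a, err := netip.ParseAddr(strings.TrimSpace(p))
		if err != nil {
			return netip.Addr{}, fmt.Errorf("entry %d (%q) is not an IP: %w", i, p, err)
		}
		addrs[i] = a.Unmap() // treat ::ffff:a.b.c.d as plain IPv4 for prefix matching
	}
	// Entries to the left of the first untrusted hop are client-supplied claims.
	for i := len(addrs) - 1; i >= 0; i-- {
		if !isTrusted(addrs[i], trusted) {
			return addrs[i], nil
		}
	}
	return addrs[0], nil // whole chain is trusted proxies; left-most is the origin
}

func isTrusted(a netip.Addr, trusted []netip.Prefix) bool {
	for _, p := range trusted {
		if p.Contains(a) {
			return true
		}
	}
	return false
}

func main() {
	// Constructed header values: one good, two broken, one multi-hop chain.
	samples := []string{"192.168.1.50", "", "${clientip}", "203.0.113.9, 192.168.1.50, 172.18.0.2"}
	for _, h := range samples {
		ip, err := clientIP(h, trustedProxies)
		fmt.Printf("%-42q -> %v (err: %v)\n", h, ip, err)
	}
}
```
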

gemorgan commented on May 24, 2024

Thanks James. That allowed the registration to continue and I feel bad now. For the life of me I couldn't track down any reason for it failing with the relatively light configs I have. Sorry to "bug" you with this non-bug.
Now I need to re-test my other proxied apps. I put that line there for something and naturally didn't think to document it so I have no idea why now.


james-d-elliott commented on May 24, 2024

No drama! Glad we figured it out.
