Comments (10)
@mogggggg Tell me if you need something ;). I can answer you but cannot fix the code now :)
I will patch the Forwarded thing in 1 week.
from s3-proxy.
Hello,
Thanks for your issue and comment. I'm happy to see that this app is useful for other people :) .
I'm sorry, I cannot see where the problem is. Your configuration looks good to me.
Can you paste me a full log from app start to the problem you encountered? You can redact it if you want.
I will try to reproduce the Google authentication setup to check by myself, but I won't have the time to do it before the end of next week.
Note: You can omit the redirect URL configuration if you want. It will be calculated by s3-proxy automatically if you don't set it.
Regards,
Oxyno-zeta
EDIT: If you are in https, maybe you should enable the cookie secure option in the provider options. See here. I cannot ensure that will work, it's just an idea. I will still need the log if this isn't solving your issue.
from s3-proxy.
Thanks for the super quick reply!
I just tried with cookieSecure: true and unfortunately I still have the same problem.
Here are the logs from an auth attempt (I've removed the entries for the healthchecks being hit):
time="2021-09-28T07:23:59Z" level=debug msg="Configuration successfully loaded and logger configured"
time="2021-09-28T07:23:59Z" level=info msg="Starting s3-proxy version: v4.1.0 (git commit: f2d7f61) built on 2021-07-18T21:34:47Z"
time="2021-09-28T07:23:59Z" level=info msg="Load S3 clients for all targets"
time="2021-09-28T07:23:59Z" level=info msg="Server listening on :8080"
time="2021-09-28T07:23:59Z" level=info msg="Internal server listening on :9090"
time="2021-09-28T07:24:43Z" level=debug msg="request started" client_ip=10.0.21.149 http_method=GET http_proto=HTTP/1.1 http_scheme=http remote_addr=10.0.21.149 req_id=s3-proxy-6bdb5545fb-b9ndk/0oOSB5cHN0-000012 uri="http://<my_domain>/0b7d2cc1-434c-492a-96fd-17ab0772afb1/test.tar" user_agent="Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36"
time="2021-09-28T07:24:43Z" level=debug msg="authentication with oidc detected" client_ip=10.0.21.149 http_method=GET http_proto=HTTP/1.1 http_scheme=http remote_addr=10.0.21.149 req_id=s3-proxy-6bdb5545fb-b9ndk/0oOSB5cHN0-000012 uri="http://<my_domain>/0b7d2cc1-434c-492a-96fd-17ab0772afb1/test.tar" user_agent="Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36"
time="2021-09-28T07:24:43Z" level=debug msg="Try to get Authorization header from request" client_ip=10.0.21.149 http_method=GET http_proto=HTTP/1.1 http_scheme=http remote_addr=10.0.21.149 req_id=s3-proxy-6bdb5545fb-b9ndk/0oOSB5cHN0-000012 uri="http://<my_domain>/0b7d2cc1-434c-492a-96fd-17ab0772afb1/test.tar" user_agent="Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36"
time="2021-09-28T07:24:43Z" level=debug msg="Try get auth cookie from request" client_ip=10.0.21.149 http_method=GET http_proto=HTTP/1.1 http_scheme=http remote_addr=10.0.21.149 req_id=s3-proxy-6bdb5545fb-b9ndk/0oOSB5cHN0-000012 uri="http://<my_domain>/0b7d2cc1-434c-492a-96fd-17ab0772afb1/test.tar" user_agent="Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36"
time="2021-09-28T07:24:43Z" level=debug msg="Can't load auth cookie" client_ip=10.0.21.149 http_method=GET http_proto=HTTP/1.1 http_scheme=http remote_addr=10.0.21.149 req_id=s3-proxy-6bdb5545fb-b9ndk/0oOSB5cHN0-000012 uri="http://<my_domain>/0b7d2cc1-434c-492a-96fd-17ab0772afb1/test.tar" user_agent="Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36"
time="2021-09-28T07:24:43Z" level=error msg="No auth header or cookie detected, redirect to oidc login" client_ip=10.0.21.149 http_method=GET http_proto=HTTP/1.1 http_scheme=http remote_addr=10.0.21.149 req_id=s3-proxy-6bdb5545fb-b9ndk/0oOSB5cHN0-000012 uri="http://<my_domain>/0b7d2cc1-434c-492a-96fd-17ab0772afb1/test.tar" user_agent="Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36"
time="2021-09-28T07:24:43Z" level=warning msg="request complete" client_ip=10.0.21.149 http_method=GET http_proto=HTTP/1.1 http_scheme=http remote_addr=10.0.21.149 req_id=s3-proxy-6bdb5545fb-b9ndk/0oOSB5cHN0-000012 resp_bytes_length=151 resp_elapsed_ms=1.657353 resp_status=307 uri="http://<my_domain>/0b7d2cc1-434c-492a-96fd-17ab0772afb1/test.tar" user_agent="Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36"
time="2021-09-28T07:24:43Z" level=debug msg="request started" client_ip=10.0.21.149 http_method=GET http_proto=HTTP/1.1 http_scheme=http remote_addr=10.0.21.149 req_id=s3-proxy-6bdb5545fb-b9ndk/0oOSB5cHN0-000013 uri="http://<my_domain>/auth/google?rd=http%3A%2F%2F<my_domain>%2F0b7d2cc1-434c-492a-96fd-17ab0772afb1%2Ftest.tar" user_agent="Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36"
time="2021-09-28T07:24:43Z" level=warning msg="request complete" client_ip=10.0.21.149 http_method=GET http_proto=HTTP/1.1 http_scheme=http remote_addr=10.0.21.149 req_id=s3-proxy-6bdb5545fb-b9ndk/0oOSB5cHN0-000013 resp_bytes_length=429 resp_elapsed_ms=0.183384 resp_status=302 uri="http://<my_domain>/auth/google?rd=http%3A%2F%2F<my_domain>%2F0b7d2cc1-434c-492a-96fd-17ab0772afb1%2Ftest.tar" user_agent="Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36"
time="2021-09-28T07:24:47Z" level=debug msg="request started" client_ip=10.0.21.149 http_method=GET http_proto=HTTP/1.1 http_scheme=http remote_addr=10.0.21.149 req_id=s3-proxy-6bdb5545fb-b9ndk/0oOSB5cHN0-000014 uri="http://<my_domain>/auth/google/callback?state=<state>:http://<my_domain>/0b7d2cc1-434c-492a-96fd-17ab0772afb1/test.tar&code=<code>&scope=email%20profile%20https://www.googleapis.com/auth/userinfo.email%20https://www.googleapis.com/auth/userinfo.profile%20openid&authuser=0&hd=<domain>&prompt=none" user_agent="Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36"
time="2021-09-28T07:24:48Z" level=info msg="Successful authentication detected" client_ip=10.0.21.149 http_method=GET http_proto=HTTP/1.1 http_scheme=http remote_addr=10.0.21.149 req_id=s3-proxy-6bdb5545fb-b9ndk/0oOSB5cHN0-000014 uri="http://<my_domain>/auth/google/callback?state=<state>:http://<my_domain>/0b7d2cc1-434c-492a-96fd-17ab0772afb1/test.tar&code=<code>&scope=email%20profile%20https://www.googleapis.com/auth/userinfo.email%20https://www.googleapis.com/auth/userinfo.profile%20openid&authuser=0&hd=<domain>&prompt=none" user_agent="Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36"
time="2021-09-28T07:24:48Z" level=warning msg="request complete" client_ip=10.0.21.149 http_method=GET http_proto=HTTP/1.1 http_scheme=http remote_addr=10.0.21.149 req_id=s3-proxy-6bdb5545fb-b9ndk/0oOSB5cHN0-000014 resp_bytes_length=125 resp_elapsed_ms=391.710717 resp_status=307 uri="http://<my_domain>/auth/google/callback?state=<state>:http://<my_domain>/0b7d2cc1-434c-492a-96fd-17ab0772afb1/test.tar&code=<code>&scope=email%20profile%20https://www.googleapis.com/auth/userinfo.email%20https://www.googleapis.com/auth/userinfo.profile%20openid&authuser=0&hd=<domain>&prompt=none" user_agent="Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36"
time="2021-09-28T07:24:48Z" level=debug msg="request started" client_ip=10.0.21.149 http_method=GET http_proto=HTTP/1.1 http_scheme=http remote_addr=10.0.21.149 req_id=s3-proxy-6bdb5545fb-b9ndk/0oOSB5cHN0-000017 uri="http://<my_domain>/0b7d2cc1-434c-492a-96fd-17ab0772afb1/test.tar" user_agent="Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36"
time="2021-09-28T07:24:48Z" level=debug msg="authentication with oidc detected" client_ip=10.0.21.149 http_method=GET http_proto=HTTP/1.1 http_scheme=http remote_addr=10.0.21.149 req_id=s3-proxy-6bdb5545fb-b9ndk/0oOSB5cHN0-000017 uri="http://<my_domain>/0b7d2cc1-434c-492a-96fd-17ab0772afb1/test.tar" user_agent="Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36"
time="2021-09-28T07:24:48Z" level=debug msg="Try to get Authorization header from request" client_ip=10.0.21.149 http_method=GET http_proto=HTTP/1.1 http_scheme=http remote_addr=10.0.21.149 req_id=s3-proxy-6bdb5545fb-b9ndk/0oOSB5cHN0-000017 uri="http://<my_domain>/0b7d2cc1-434c-492a-96fd-17ab0772afb1/test.tar" user_agent="Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36"
time="2021-09-28T07:24:48Z" level=debug msg="Try get auth cookie from request" client_ip=10.0.21.149 http_method=GET http_proto=HTTP/1.1 http_scheme=http remote_addr=10.0.21.149 req_id=s3-proxy-6bdb5545fb-b9ndk/0oOSB5cHN0-000017 uri="http://<my_domain>/0b7d2cc1-434c-492a-96fd-17ab0772afb1/test.tar" user_agent="Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36"
time="2021-09-28T07:24:48Z" level=info msg="OIDC User authenticated: <email>@<domain>" client_ip=10.0.21.149 http_method=GET http_proto=HTTP/1.1 http_scheme=http remote_addr=10.0.21.149 req_id=s3-proxy-6bdb5545fb-b9ndk/0oOSB5cHN0-000017 uri="http://<my_domain>/0b7d2cc1-434c-492a-96fd-17ab0772afb1/test.tar" user_agent="Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36"
time="2021-09-28T07:24:48Z" level=info msg="OIDC user <email>@<domain> authorized" client_ip=10.0.21.149 http_method=GET http_proto=HTTP/1.1 http_scheme=http remote_addr=10.0.21.149 req_id=s3-proxy-6bdb5545fb-b9ndk/0oOSB5cHN0-000017 uri="http://<my_domain>/0b7d2cc1-434c-492a-96fd-17ab0772afb1/test.tar" user_agent="Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36"
time="2021-09-28T07:24:51Z" level=info msg="request complete" client_ip=10.0.21.149 http_method=GET http_proto=HTTP/1.1 http_scheme=http remote_addr=10.0.21.149 req_id=s3-proxy-6bdb5545fb-b9ndk/0oOSB5cHN0-000017 resp_bytes_length=5 resp_elapsed_ms=2285.091239 resp_status=200 uri="http://<my_domain>/0b7d2cc1-434c-492a-96fd-17ab0772afb1/test.tar" user_agent="Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36"
time="2021-09-28T07:24:51Z" level=debug msg="No GET hook declared for target buildkite-artifacts" client_ip=10.0.21.149 http_method=GET http_proto=HTTP/1.1 http_scheme=http remote_addr=10.0.21.149 req_id=s3-proxy-6bdb5545fb-b9ndk/0oOSB5cHN0-000017 uri="http://<my_domain>/0b7d2cc1-434c-492a-96fd-17ab0772afb1/test.tar" user_agent="Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36"
from s3-proxy.
Hello,
You are welcome. I always try to answer quickly. Bugs in prod aren't awesome :)
Sorry to see that cookie secure isn't solving your problem :( .
Thanks for the log. What I can see here is that you aren't connected, you are redirected to Google, come back and then access the resource. From this log, everything seems to be ok.
Do you have a log with the error you described before? A log with a success and just after an error would be great.
Another idea: Have you tried to run the app on your computer and to create an entry in /etc/hosts to add your "domain" in it to simulate the workflow? Maybe there is something wrong with the LoadBalancer and/or Ingress Controller.
Thanks in advance,
Oxyno-zeta
from s3-proxy.
A quick update: looking at the logs in Chrome dev tools, it seems to be blocked because it's attempting to serve something over HTTP before being redirected:
Mixed Content: The site at 'https://accounts.google.com/' was loaded over a secure connection, but the file at 'https://<my_domain>/0b7d2cc1-434c-492a-96fd-17ab0772afb1/<artifact_name>' was redirected through an insecure connection. This file should be served over HTTPS. This download has been blocked. See https://blog.chromium.org/2020/02/protecting-users-from-insecure.html for more details.
from s3-proxy.
@mogggggg Oh I see...
The workflow is the following:
- You go to the application without any authentication cookie
- You are redirected to the login URL, keeping the source URL you wanted to go to
- Going to Google
- Coming back from Google
- Going to your source URL with a redirect
The source URL kept at step 2 is in http://. I don't know why, but it seems that your setup with LoadBalancers etc. doesn't put the needed headers to understand that there is an https:// connection before it... (See code here). It sounds very similar to the issue you linked before.
I think you should look into your setup and check if the header is propagated.
If I've forgotten another header that is commonly used, I will patch the code for sure.
from s3-proxy.
Arf... I just saw in the code that the application doesn't use the Forwarded header to get the protocol. I will patch this when I have time available. I hope your setup doesn't use only this header...
from s3-proxy.
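The two comments above describe the mechanism behind the bug: the proxy stores the original request URL at step 2 using the scheme it detects, and detection depends on forwarded headers from the load balancer. The following is an added example written for this thread, not s3-proxy's own code: it detects the scheme from X-Forwarded-Proto and also from the RFC 7239 Forwarded header the app reportedly doesn't read, honours them only when a trusted proxy sits in front, and builds the login redirect. Function names, the trustProxy flag and the sample hosts are my assumptions.

```go
package main

import (
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// requestScheme returns "https" or "http" for a request that may have come
// through a reverse proxy. Order: direct TLS, then X-Forwarded-Proto, then
// the RFC 7239 Forwarded header (proto= parameter). trustProxy must only be
// true when the proxy in front strips or overwrites these headers; otherwise
// any client could claim an arbitrary scheme and steer the redirect.
func requestScheme(r *http.Request, trustProxy bool) string {
	if r.TLS != nil {
		return "https"
	}
	if !trustProxy {
		return "http"
	}
	if v := r.Header.Get("X-Forwarded-Proto"); v != "" {
		// With chained proxies the value may be a list; the first entry
		// is the scheme the original client used.
		first := strings.TrimSpace(strings.Split(v, ",")[0])
		if strings.EqualFold(first, "https") {
			return "https"
		}
		return "http"
	}
	if fwd := r.Header.Get("Forwarded"); fwd != "" {
		// Forwarded: for=203.0.113.1;proto=https;host=example.test
		for _, kv := range strings.Split(strings.Split(fwd, ",")[0], ";") {
			k, val, ok := strings.Cut(strings.TrimSpace(kv), "=")
			if ok && strings.EqualFold(k, "proto") &&
				strings.EqualFold(strings.Trim(val, `"`), "https") {
				return "https"
			}
		}
	}
	return "http"
}

// loginRedirectURL builds the login URL carrying the original request URL
// in the rd parameter, as step 2 of the workflow describes.
func loginRedirectURL(r *http.Request, trustProxy bool) string {
	source := requestScheme(r, trustProxy) + "://" + r.Host + r.URL.RequestURI()
	return "/auth/google?rd=" + url.QueryEscape(source)
}

// newRequest builds a constructed plain-HTTP request with the given headers.
func newRequest(target string, hdr map[string]string) *http.Request {
	r := httptest.NewRequest(http.MethodGet, target, nil)
	for k, v := range hdr {
		r.Header.Set(k, v)
	}
	return r
}
```

If the load balancer sends neither header (or the app ignores the one it does send), the rd value is built with http:// and the browser ends up with exactly the mixed-content redirect reported in the thread.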
@oxyno-zeta Yup, you're spot on with the workflow!
Okay, I'll do some digging on my end then. We're using standard AWS ALBs, so X-Forwarded-For and X-Forwarded-Proto should definitely be there, but I'll double-check to confirm.
from s3-proxy.
@mogggggg Did you solve your problem or find the bug?
from s3-proxy.
This issue is stale because it has been open 30 days with no activity. Remove the stale label or comment, or this will be closed in 10 days.
from s3-proxy.