
Comments (10)

oxyno-zeta avatar oxyno-zeta commented on May 28, 2024 1

@mogggggg Tell me if you need something ;) . I can answer you but cannot fix the code now :)

I will patch the Forwarded thing in 1 week.


oxyno-zeta avatar oxyno-zeta commented on May 28, 2024

Hello,

Thanks for your issue and comment. I'm happy to see that this app is useful for other people :) .

I'm sorry, I cannot see where the problem is. Your configuration looks good to me.

Can you paste me a full log from app start to the problem you encountered? You can redact it if you want.
I will try to reproduce the Google authentication setup to check by myself but I won't have the time to do it before the end of next week.

Note: You can omit the redirect url configuration if you want. This will be calculated by s3-proxy automatically if you don't set it.

Regards,

Oxyno-zeta

EDIT: If you are in https, maybe you should enable the cookie secure option in the provider options. See here. I cannot ensure that will work, just an idea. I will still need the log if this isn't solving your issue.


mogopz avatar mogopz commented on May 28, 2024

Thanks for the super quick reply!
I just tried with cookieSecure: true and unfortunately I still have the same problem.

Here's the logs from an auth attempt (I've removed the entries for the healthchecks being hit):

time="2021-09-28T07:23:59Z" level=debug msg="Configuration successfully loaded and logger configured"
time="2021-09-28T07:23:59Z" level=info msg="Starting s3-proxy version: v4.1.0 (git commit: f2d7f61) built on 2021-07-18T21:34:47Z"
time="2021-09-28T07:23:59Z" level=info msg="Load S3 clients for all targets"
time="2021-09-28T07:23:59Z" level=info msg="Server listening on :8080"
time="2021-09-28T07:23:59Z" level=info msg="Internal server listening on :9090"
time="2021-09-28T07:24:43Z" level=debug msg="request started" client_ip=10.0.21.149 http_method=GET http_proto=HTTP/1.1 http_scheme=http remote_addr=10.0.21.149 req_id=s3-proxy-6bdb5545fb-b9ndk/0oOSB5cHN0-000012 uri="http://<my_domain>/0b7d2cc1-434c-492a-96fd-17ab0772afb1/test.tar" user_agent="Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36"
time="2021-09-28T07:24:43Z" level=debug msg="authentication with oidc detected" client_ip=10.0.21.149 http_method=GET http_proto=HTTP/1.1 http_scheme=http remote_addr=10.0.21.149 req_id=s3-proxy-6bdb5545fb-b9ndk/0oOSB5cHN0-000012 uri="http://<my_domain>/0b7d2cc1-434c-492a-96fd-17ab0772afb1/test.tar" user_agent="Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36"
time="2021-09-28T07:24:43Z" level=debug msg="Try to get Authorization header from request" client_ip=10.0.21.149 http_method=GET http_proto=HTTP/1.1 http_scheme=http remote_addr=10.0.21.149 req_id=s3-proxy-6bdb5545fb-b9ndk/0oOSB5cHN0-000012 uri="http://<my_domain>/0b7d2cc1-434c-492a-96fd-17ab0772afb1/test.tar" user_agent="Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36"
time="2021-09-28T07:24:43Z" level=debug msg="Try get auth cookie from request" client_ip=10.0.21.149 http_method=GET http_proto=HTTP/1.1 http_scheme=http remote_addr=10.0.21.149 req_id=s3-proxy-6bdb5545fb-b9ndk/0oOSB5cHN0-000012 uri="http://<my_domain>/0b7d2cc1-434c-492a-96fd-17ab0772afb1/test.tar" user_agent="Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36"
time="2021-09-28T07:24:43Z" level=debug msg="Can't load auth cookie" client_ip=10.0.21.149 http_method=GET http_proto=HTTP/1.1 http_scheme=http remote_addr=10.0.21.149 req_id=s3-proxy-6bdb5545fb-b9ndk/0oOSB5cHN0-000012 uri="http://<my_domain>/0b7d2cc1-434c-492a-96fd-17ab0772afb1/test.tar" user_agent="Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36"
time="2021-09-28T07:24:43Z" level=error msg="No auth header or cookie detected, redirect to oidc login" client_ip=10.0.21.149 http_method=GET http_proto=HTTP/1.1 http_scheme=http remote_addr=10.0.21.149 req_id=s3-proxy-6bdb5545fb-b9ndk/0oOSB5cHN0-000012 uri="http://<my_domain>/0b7d2cc1-434c-492a-96fd-17ab0772afb1/test.tar" user_agent="Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36"
time="2021-09-28T07:24:43Z" level=warning msg="request complete" client_ip=10.0.21.149 http_method=GET http_proto=HTTP/1.1 http_scheme=http remote_addr=10.0.21.149 req_id=s3-proxy-6bdb5545fb-b9ndk/0oOSB5cHN0-000012 resp_bytes_length=151 resp_elapsed_ms=1.657353 resp_status=307 uri="http://<my_domain>/0b7d2cc1-434c-492a-96fd-17ab0772afb1/test.tar" user_agent="Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36"
time="2021-09-28T07:24:43Z" level=debug msg="request started" client_ip=10.0.21.149 http_method=GET http_proto=HTTP/1.1 http_scheme=http remote_addr=10.0.21.149 req_id=s3-proxy-6bdb5545fb-b9ndk/0oOSB5cHN0-000013 uri="http://<my_domain>/auth/google?rd=http%3A%2F%2F<my_domain>%2F0b7d2cc1-434c-492a-96fd-17ab0772afb1%2Ftest.tar" user_agent="Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36"
time="2021-09-28T07:24:43Z" level=warning msg="request complete" client_ip=10.0.21.149 http_method=GET http_proto=HTTP/1.1 http_scheme=http remote_addr=10.0.21.149 req_id=s3-proxy-6bdb5545fb-b9ndk/0oOSB5cHN0-000013 resp_bytes_length=429 resp_elapsed_ms=0.183384 resp_status=302 uri="http://<my_domain>/auth/google?rd=http%3A%2F%2F<my_domain>%2F0b7d2cc1-434c-492a-96fd-17ab0772afb1%2Ftest.tar" user_agent="Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36"
time="2021-09-28T07:24:47Z" level=debug msg="request started" client_ip=10.0.21.149 http_method=GET http_proto=HTTP/1.1 http_scheme=http remote_addr=10.0.21.149 req_id=s3-proxy-6bdb5545fb-b9ndk/0oOSB5cHN0-000014 uri="http://<my_domain>/auth/google/callback?state=<state>:http://<my_domain>/0b7d2cc1-434c-492a-96fd-17ab0772afb1/test.tar&code=<code>&scope=email%20profile%20https://www.googleapis.com/auth/userinfo.email%20https://www.googleapis.com/auth/userinfo.profile%20openid&authuser=0&hd=<domain>&prompt=none" user_agent="Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36"
time="2021-09-28T07:24:48Z" level=info msg="Successful authentication detected" client_ip=10.0.21.149 http_method=GET http_proto=HTTP/1.1 http_scheme=http remote_addr=10.0.21.149 req_id=s3-proxy-6bdb5545fb-b9ndk/0oOSB5cHN0-000014 uri="http://<my_domain>/auth/google/callback?state=<state>:http://<my_domain>/0b7d2cc1-434c-492a-96fd-17ab0772afb1/test.tar&code=<code>&scope=email%20profile%20https://www.googleapis.com/auth/userinfo.email%20https://www.googleapis.com/auth/userinfo.profile%20openid&authuser=0&hd=<domain>&prompt=none" user_agent="Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36"
time="2021-09-28T07:24:48Z" level=warning msg="request complete" client_ip=10.0.21.149 http_method=GET http_proto=HTTP/1.1 http_scheme=http remote_addr=10.0.21.149 req_id=s3-proxy-6bdb5545fb-b9ndk/0oOSB5cHN0-000014 resp_bytes_length=125 resp_elapsed_ms=391.710717 resp_status=307 uri="http://<my_domain>/auth/google/callback?state=<state>:http://<my_domain>/0b7d2cc1-434c-492a-96fd-17ab0772afb1/test.tar&code=<code>&scope=email%20profile%20https://www.googleapis.com/auth/userinfo.email%20https://www.googleapis.com/auth/userinfo.profile%20openid&authuser=0&hd=<domain>&prompt=none" user_agent="Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36"
time="2021-09-28T07:24:48Z" level=debug msg="request started" client_ip=10.0.21.149 http_method=GET http_proto=HTTP/1.1 http_scheme=http remote_addr=10.0.21.149 req_id=s3-proxy-6bdb5545fb-b9ndk/0oOSB5cHN0-000017 uri="http://<my_domain>/0b7d2cc1-434c-492a-96fd-17ab0772afb1/test.tar" user_agent="Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36"
time="2021-09-28T07:24:48Z" level=debug msg="authentication with oidc detected" client_ip=10.0.21.149 http_method=GET http_proto=HTTP/1.1 http_scheme=http remote_addr=10.0.21.149 req_id=s3-proxy-6bdb5545fb-b9ndk/0oOSB5cHN0-000017 uri="http://<my_domain>/0b7d2cc1-434c-492a-96fd-17ab0772afb1/test.tar" user_agent="Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36"
time="2021-09-28T07:24:48Z" level=debug msg="Try to get Authorization header from request" client_ip=10.0.21.149 http_method=GET http_proto=HTTP/1.1 http_scheme=http remote_addr=10.0.21.149 req_id=s3-proxy-6bdb5545fb-b9ndk/0oOSB5cHN0-000017 uri="http://<my_domain>/0b7d2cc1-434c-492a-96fd-17ab0772afb1/test.tar" user_agent="Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36"
time="2021-09-28T07:24:48Z" level=debug msg="Try get auth cookie from request" client_ip=10.0.21.149 http_method=GET http_proto=HTTP/1.1 http_scheme=http remote_addr=10.0.21.149 req_id=s3-proxy-6bdb5545fb-b9ndk/0oOSB5cHN0-000017 uri="http://<my_domain>/0b7d2cc1-434c-492a-96fd-17ab0772afb1/test.tar" user_agent="Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36"
time="2021-09-28T07:24:48Z" level=info msg="OIDC User authenticated: <email>@<domain>" client_ip=10.0.21.149 http_method=GET http_proto=HTTP/1.1 http_scheme=http remote_addr=10.0.21.149 req_id=s3-proxy-6bdb5545fb-b9ndk/0oOSB5cHN0-000017 uri="http://<my_domain>/0b7d2cc1-434c-492a-96fd-17ab0772afb1/test.tar" user_agent="Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36"
time="2021-09-28T07:24:48Z" level=info msg="OIDC user <email>@<domain> authorized" client_ip=10.0.21.149 http_method=GET http_proto=HTTP/1.1 http_scheme=http remote_addr=10.0.21.149 req_id=s3-proxy-6bdb5545fb-b9ndk/0oOSB5cHN0-000017 uri="http://<my_domain>/0b7d2cc1-434c-492a-96fd-17ab0772afb1/test.tar" user_agent="Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36"
time="2021-09-28T07:24:51Z" level=info msg="request complete" client_ip=10.0.21.149 http_method=GET http_proto=HTTP/1.1 http_scheme=http remote_addr=10.0.21.149 req_id=s3-proxy-6bdb5545fb-b9ndk/0oOSB5cHN0-000017 resp_bytes_length=5 resp_elapsed_ms=2285.091239 resp_status=200 uri="http://<my_domain>/0b7d2cc1-434c-492a-96fd-17ab0772afb1/test.tar" user_agent="Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36"
time="2021-09-28T07:24:51Z" level=debug msg="No GET hook declared for target buildkite-artifacts" client_ip=10.0.21.149 http_method=GET http_proto=HTTP/1.1 http_scheme=http remote_addr=10.0.21.149 req_id=s3-proxy-6bdb5545fb-b9ndk/0oOSB5cHN0-000017 uri="http://<my_domain>/0b7d2cc1-434c-492a-96fd-17ab0772afb1/test.tar" user_agent="Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36"


oxyno-zeta avatar oxyno-zeta commented on May 28, 2024

Hello,

You are welcome. I always try to answer quickly. Bugs in prod aren't awesome :)

Sorry to see that cookie secure isn't solving your problem :( .

Thanks for the log. What I can see here is that you aren't connected, you are redirected to Google, come back, and then access the resource. From this log, everything seems to be ok.

Do you have a log with the error you described before? A log with a success and just after an error will be great.

Another idea: Have you tried to run the app on your computer and to create an entry in /etc/hosts to add your "domain" in it to simulate the workflow? Maybe there is something wrong with the LoadBalancer and/or Ingress Controller.

Thanks in advance,

Oxyno-zeta


mogopz avatar mogopz commented on May 28, 2024

A quick update - looking at the logs in Chrome dev tools it seems to be blocked because it's attempting to serve something over HTTP before being redirected:
Mixed Content: The site at 'https://accounts.google.com/' was loaded over a secure connection, but the file at 'https://<my_domain>/0b7d2cc1-434c-492a-96fd-17ab0772afb1/<artifact_name>' was redirected through an insecure connection. This file should be served over HTTPS. This download has been blocked. See https://blog.chromium.org/2020/02/protecting-users-from-insecure.html for more details.


oxyno-zeta avatar oxyno-zeta commented on May 28, 2024

@mogggggg Oh I see...

The workflow is the following:

  1. You go to the application without any authentication cookie
  2. You are redirected to the login URL, keeping the source URL you wanted to go to
  3. Going to Google
  4. Coming back from Google
  5. Going to your source URL with a redirect

The source URL kept at step 2 is in http://. I don't know why, but it seems that your setup with LoadBalancers etc. doesn't set the headers needed to understand that there is an https:// connection in front of it... (See code here). It sounds very similar to the issue you have linked before.

I think you should look into your setup and check if the header is propagated.

If I've forgotten another header that is commonly used, I will patch the code for sure.


oxyno-zeta avatar oxyno-zeta commented on May 28, 2024

Arf... I just saw in the code that the application doesn't use the Forwarded header to get the protocol. I will patch this when I have time available. I hope your setup doesn't use only this header...
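The scheme detection discussed in the two comments above, as an added example that is not part of the thread and not s3-proxy's own code: it rebuilds the source URL kept at step 2 from `X-Forwarded-Proto` or, failing that, the RFC 7239 `Forwarded` header, and only honours either header when the direct peer is a known proxy. The names `externalScheme`, `sourceURL` and `trustedProxies`, the `10.0.0.0/8` range and the host `files.example.test` are assumptions made for the illustration.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"strings"
)

// Assumed allow-list: only peers in this range (the load balancer subnet) may assert the scheme.
var _, trustedProxies, _ = net.ParseCIDR("10.0.0.0/8")

// externalScheme returns the scheme the client used towards the outermost proxy.
func externalScheme(r *http.Request) string {
	scheme := "http"
	if r.TLS != nil {
		scheme = "https"
	}
	host, _, _ := net.SplitHostPort(r.RemoteAddr)
	if ip := net.ParseIP(host); ip == nil || !trustedProxies.Contains(ip) {
		return scheme // forwarding headers from unknown peers are client-controlled
	}
	// De-facto header the thread expects from the ALB; take the first list element.
	cand := strings.TrimSpace(strings.Split(r.Header.Get("X-Forwarded-Proto"), ",")[0])
	// RFC 7239 fallback, e.g. Forwarded: for=203.0.113.7;proto=https;host=files.example.test
	for _, pair := range strings.Split(strings.Split(r.Header.Get("Forwarded"), ",")[0], ";") {
		kv := strings.SplitN(strings.TrimSpace(pair), "=", 2)
		if cand == "" && len(kv) == 2 && strings.EqualFold(kv[0], "proto") {
			cand = strings.Trim(kv[1], `"`)
		}
	}
	// Accept only the two known schemes; anything else keeps the transport-level value.
	if cand = strings.ToLower(cand); cand == "http" || cand == "https" {
		return cand
	}
	return scheme
}

// sourceURL rebuilds the URL that is kept across the login redirect (step 2 of the workflow).
func sourceURL(r *http.Request) string {
	return externalScheme(r) + "://" + r.Host + r.URL.RequestURI()
}

func main() {
	r, _ := http.NewRequest("GET", "http://files.example.test/a/test.tar", nil) // constructed request
	r.RemoteAddr = "10.0.21.149:41234"                                          // peer is the load balancer
	r.Header.Set("Forwarded", "for=203.0.113.7;proto=https")
	fmt.Println(sourceURL(r))
}
```

With neither header present the function falls back to the transport-level scheme, which is the `http_scheme=http` case visible in the log earlier in the thread.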


mogopz avatar mogopz commented on May 28, 2024

@oxyno-zeta Yup, you're spot on with the workflow!

Okay, I'll do some digging on my end then. We're using standard AWS ALBs so X-Forwarded-For and X-Forwarded-Proto should definitely be there but I'll double-check to confirm.


oxyno-zeta avatar oxyno-zeta commented on May 28, 2024

@mogggggg Did you solve your problem or find the bug?


github-actions avatar github-actions commented on May 28, 2024

This issue is stale because it has been open 30 days with no activity. Remove stale label or comment or this will be closed in 10 days
