Running behind reverse proxy gives wrong redirect URL

Question

Running behind reverse proxy gives wrong redirect URL

maaroen opened this issue 10 months ago · comments

I'm trying to run Fenrus on my kubernetes cluster, with using OIDC authentication from Keycloak. But the redirect url that is being configured is http, instead of https which gives me certificate issues.

I'm running it behind a reverse proxy which does SSL termination for me.

Could you tell me if there is a way to configure this setup, or what I'm doing wrong?

With kind regards,

Maaroen

Jeroen Nederlof · Answer 1 · Fri Oct 20 2023 18:51:19 GMT+0800 (China Standard Time)

The above image illustrates the issue, the Base URL I was able to manually edit from http to https, but the Redirect URL cannot be manually changed.

I think both Base URL and Redirect URL should have been using https, since I'm accessing Fenrus over a HTTPS url.

John Andrews · Answer 2 · Sat Oct 21 2023 04:12:13 GMT+0800 (China Standard Time)

that redirect URL is computed from the request the server is getting. its just a hint really.
You dont have to use this, it just helps you set what the auth service requries. Just change it to https when configuring your auth server.

pathwayx99 · Answer 3 · Thu Nov 02 2023 00:24:48 GMT+0800 (China Standard Time)

Mmm. Not quite. Something weird is going on. I have the same issue, same setup as OP.

If I change the redirect URI to https://fenrus.domain.com/signin-oidc, I get:

While if I keep the http://fenrus.domain.com/signin-oidc the authentication works, but authentik warns me the credentials are going over cleartext:

Any ideas?

Jeroen Nederlof · Answer 4 · Thu Nov 02 2023 01:34:42 GMT+0800 (China Standard Time)

Yes this is exactly what I'm running into aswell.

rswafford1980 · Answer 5 · Fri Nov 10 2023 22:45:07 GMT+0800 (China Standard Time)

agree. I tried to point this out several months ago and my issue was closed.

John Andrews · Answer 6 · Sat Nov 11 2023 04:55:08 GMT+0800 (China Standard Time)

like I said its computed. Its what the request comes through as, so if you setup your reverse proxy to go to the HTTP protocol, then it will see the request coming from HTTP and give that.

Theres 2 ports you can configure

3000 == http
4000 == https

my portainer for fenrus

my nginx proxy manager to fenrus

rswafford1980 · Answer 7 · Sat Nov 11 2023 10:49:22 GMT+0800 (China Standard Time)

that does not work either. I mapped port 3001 to 4000, went to https://docker-ip:3001, and the page cannot be loaded. if I go to http://docker-ip:3000 it loads up with the initial config.

Jeroen Nederlof · Answer 8 · Sun Nov 12 2023 03:58:16 GMT+0800 (China Standard Time)

I just created a PR for @revenz to review in which I have solved this issue:
#211

For those who would like to test it already before revenz checks the PR, feel free to pull this image:
git.nederlof.dev/maaroen/fenrus:latest

Please let me know if someone tests if if they run into any issues, I'm personally able to use Fenrus now with Keycloak as oauth authentication, behind a HAproxy doing SSL offloading, and a nginx reverse proxy, being my kubernetes ingress controller.

John Andrews · Answer 9 · Sun Nov 12 2023 06:49:19 GMT+0800 (China Standard Time)

Another optoin is to set the enviromental variables

Name	Value
PORT	4000
PROTOCOL	https

I'm using it behind a reverse proxy, going through cloudflare, to nginx proxy manager, to fenrus, using googles oauth. without any additional changes. so there must be a simplier way, something that im just missing in the docs.

Jeroen Nederlof · Answer 10 · Sun Nov 12 2023 19:21:12 GMT+0800 (China Standard Time)

Hello @revenz,

But aren't you hosting your app in https mode then? because I see you also install the dotnet dev cert in the final container.

I would like to run the app in http mode, since complete Ssl termination is done in my loadbalancer, all traffic afterwards, continues on port 80, so the app doesn't have to run in https mode, it just needs to use the correct X-Forward-X headers to correctly generate urls like for Auth.