Authelia - Public Room Timeline

	Authelia	102 Members
	The Official Authelia HQ - please come chat here, feel free to ask for support! \| https://github.com/authelia/authelia \| https://buildkite.com/authelia/authelia \| https://www.authelia.com \| https://opencollective.com/authelia-sponsors	24 Servers

Load older messages

Sender	Message	Time
13 Jul 2020
tapnl	* Hi Amir, I tried to follow the reference setup as good as possible, tailored to my needs. Most likely it is a config error - but very hard to find. See the requested files below, I also added my middlewares.yml because I define the middleware in a file not per container. docker-compose.yml -> traefik version: "3.7" ########################### NETWORKS networks: t2_proxy: external: name: t2_proxy default: driver: bridge services: traefik2: container_name: traefik2 image: traefik:chevrotin restart: always ports: 80:80 443:443 8181:8181 networks: t2_proxy env_file: .env environment: - TZ=$TZ volumes: - ${USERDIR}/docker/traefik2/traefik2.yml:/etc/traefik/traefik.yml:ro - ${USERDIR}/docker/traefik2/acme/acme.json:/acme.json - ${USERDIR}/docker/traefik2/rules:/rules:ro - ${USERDIR}/docker/shared/transip.key:/transip.key:ro - ${USERDIR}/docker/shared:/shared - /var/run/docker.sock:/var/run/docker.sock labels: - traefik.enable=true - traefik.http.routers.api.rule=Host("traefik.example.com") - traefik.http.routers.api.entrypoints=https - traefik.http.routers.api.tls=true` docker-compose.yml -> authelia `version: "3.7" ########################### NETWORKS networks: t2_proxy: external: name: t2_proxy default: driver: bridge ########################### SERVICES services: authelia: image: authelia/authelia container_name: authelia hostname: authelia restart: unless-stopped networks: t2_proxy env_file: .env environment: TZ:$TZ volumes: ./configuration.yml:/config/configuration.yml:ro ./users_database.yml:/config/users_database.yml:ro ./data:/etc/authelia/data:rw labels: traefik.enable=true traefik.http.routers.authelia.rule=Host("login.example.com") traefik.http.routers.authelia.entrypoints=https traefik.http.routers.authelia.tls=true` docker-compose.yml -> whoami - the subdomain to be protected `version: "3.7" ########################### NETWORKS networks: t2_proxy: external: name: t2_proxy default: driver: bridge ########################### SERVICES services: whoami: image: containous/whoami container_name: whoami hostname: whoami restart: always env_file: .env networks: t2_proxy ports: "81:80" environment: TZ=$TZ labels: traefik.enable=true traefik.http.routers.whoami.rule=Host(`whoami.example.com`) traefik.http.routers.whoami.entrypoints=https traefik.http.routers.whoami.tls=true traefik.http.routers.whoami.middlewares=authelia@file` middleware.yml `http: middlewares: redirect: redirectScheme: scheme: https basic_auth: basicAuth: realm: "Traefik2 Basic Auth" usersFile: "/shared/.htpasswd" authelia: forwardAuth: address: "http://authelia:9091/api/verify?rd=https://login.example.com/" trustForwardHeader: true authResponseHeaders: "Remote-User" "Remote-Groups" hsts: headers: sslRedirect: true stsPreload: true stsSeconds: 315360000 stsIncludeSubdomains: true accessControlMaxAge: 100 sslRedirect: true accessControlAllowMethods: GET OPTIONS PUT forceSTSHeader: true customFrameOptionsValue: "allow-from https:*.example.com" `contentTypeNosniff: true browserXssFilter: true` sslHost: "example.com" referrerPolicy: "same-origin`	11:01:15
tapnl	* Hi Amir, I tried to follow the reference setup as good as possible, tailored to my needs. Most likely it is a config error - but very hard to find. See the requested files below, I also added my middlewares.yml because I define the middleware in a file not per container. docker-compose.yml -> traefik `version: "3.7" ########################### NETWORKS networks: t2_proxy: external: name: t2_proxy default: driver: bridge services: traefik2: container_name: traefik2 image: traefik:chevrotin restart: always ports: - 80:80 - 443:443 - 8181:8181 networks: - t2_proxy env_file: - .env` environment: TZ=$TZ volumes: ${USERDIR}/docker/traefik2/traefik2.yml:/etc/traefik/traefik.yml:ro ${USERDIR}/docker/traefik2/acme/acme.json:/acme.json ${USERDIR}/docker/traefik2/rules:/rules:ro ${USERDIR}/docker/shared/transip.key:/transip.key:ro ${USERDIR}/docker/shared:/shared /var/run/docker.sock:/var/run/docker.sock labels: traefik.enable=true traefik.http.routers.api.rule=Host("traefik.example.com") traefik.http.routers.api.entrypoints=https traefik.http.routers.api.tls=true` docker-compose.yml -> authelia `version: "3.7" ########################### NETWORKS networks: t2_proxy: external: name: t2_proxy default: driver: bridge ########################### SERVICES services: authelia: image: authelia/authelia container_name: authelia hostname: authelia restart: unless-stopped networks: t2_proxy env_file: .env environment: TZ:$TZ volumes: ./configuration.yml:/config/configuration.yml:ro ./users_database.yml:/config/users_database.yml:ro ./data:/etc/authelia/data:rw labels: traefik.enable=true traefik.http.routers.authelia.rule=Host("login.example.com") traefik.http.routers.authelia.entrypoints=https traefik.http.routers.authelia.tls=true` docker-compose.yml -> whoami - the subdomain to be protected `version: "3.7" ########################### NETWORKS networks: t2_proxy: external: name: t2_proxy default: driver: bridge ########################### SERVICES services: whoami: image: containous/whoami container_name: whoami hostname: whoami restart: always env_file: .env networks: t2_proxy ports: "81:80" environment: TZ=$TZ labels: traefik.enable=true traefik.http.routers.whoami.rule=Host(`whoami.example.com`) traefik.http.routers.whoami.entrypoints=https traefik.http.routers.whoami.tls=true traefik.http.routers.whoami.middlewares=authelia@file` middleware.yml `http: middlewares: redirect: redirectScheme: scheme: https basic_auth: basicAuth: realm: "Traefik2 Basic Auth" usersFile: "/shared/.htpasswd" authelia: forwardAuth: address: "http://authelia:9091/api/verify?rd=https://login.example.com/" trustForwardHeader: true authResponseHeaders: "Remote-User" "Remote-Groups" hsts: headers: sslRedirect: true stsPreload: true stsSeconds: 315360000 stsIncludeSubdomains: true accessControlMaxAge: 100 sslRedirect: true accessControlAllowMethods: GET OPTIONS PUT forceSTSHeader: true customFrameOptionsValue: "allow-from https:*.example.com" `contentTypeNosniff: true browserXssFilter: true` sslHost: "example.com" referrerPolicy: "same-origin`	11:01:44
tapnl	* Hi Amir, I tried to follow the reference setup as good as possible, tailored to my needs. Most likely it is a config error - but very hard to find. See the requested files below, I also added my middlewares.yml because I define the middleware in a file not per container. docker-compose.yml -> traefik version: "3.7" ########################### NETWORKS networks: t2_proxy: external: name: t2_proxy default: driver: bridge services: traefik2: container_name: traefik2 image: traefik:chevrotin restart: always ports: 80:80 443:443 8181:8181 networks: t2_proxy env_file: .env environment: TZ=$TZ volumes: ${USERDIR}/docker/traefik2/traefik2.yml:/etc/traefik/traefik.yml:ro ${USERDIR}/docker/traefik2/acme/acme.json:/acme.json ${USERDIR}/docker/traefik2/rules:/rules:ro ${USERDIR}/docker/shared/transip.key:/transip.key:ro ${USERDIR}/docker/shared:/shared /var/run/docker.sock:/var/run/docker.sock labels: traefik.enable=true traefik.http.routers.api.rule=Host("traefik.example.com") traefik.http.routers.api.entrypoints=https traefik.http.routers.api.tls=true` docker-compose.yml -> authelia `version: "3.7" ########################### NETWORKS networks: t2_proxy: external: name: t2_proxy default: driver: bridge ########################### SERVICES services: authelia: image: authelia/authelia container_name: authelia hostname: authelia restart: unless-stopped networks: t2_proxy env_file: .env environment: TZ:$TZ volumes: ./configuration.yml:/config/configuration.yml:ro ./users_database.yml:/config/users_database.yml:ro ./data:/etc/authelia/data:rw labels: traefik.enable=true traefik.http.routers.authelia.rule=Host("login.example.com") traefik.http.routers.authelia.entrypoints=https traefik.http.routers.authelia.tls=true` docker-compose.yml -> whoami - the subdomain to be protected `version: "3.7" ########################### NETWORKS networks: t2_proxy: external: name: t2_proxy default: driver: bridge ########################### SERVICES services: whoami: image: containous/whoami container_name: whoami hostname: whoami restart: always env_file: .env networks: t2_proxy ports: "81:80" environment: TZ=$TZ labels: traefik.enable=true traefik.http.routers.whoami.rule=Host(`whoami.example.com`) traefik.http.routers.whoami.entrypoints=https traefik.http.routers.whoami.tls=true traefik.http.routers.whoami.middlewares=authelia@file` middleware.yml `http: middlewares: redirect: redirectScheme: scheme: https basic_auth: basicAuth: realm: "Traefik2 Basic Auth" usersFile: "/shared/.htpasswd" authelia: forwardAuth: address: "http://authelia:9091/api/verify?rd=https://login.example.com/" trustForwardHeader: true authResponseHeaders: "Remote-User" "Remote-Groups" hsts: headers: sslRedirect: true stsPreload: true stsSeconds: 315360000 stsIncludeSubdomains: true accessControlMaxAge: 100 sslRedirect: true accessControlAllowMethods: GET OPTIONS PUT forceSTSHeader: true customFrameOptionsValue: "allow-from https:*.example.com" `contentTypeNosniff: true browserXssFilter: true` sslHost: "example.com" referrerPolicy: "same-origin`	11:02:16
tapnl	* Hi Amir, I tried to follow the reference setup as good as possible, tailored to my needs. Most likely it is a config error - but very hard to find. See the requested files below, I also added my middlewares.yml because I define the middleware in a file not per container. docker-compose.yml -> traefik version: "3.7" ########################### NETWORKS networks: t2_proxy: external: name: t2_proxy default: driver: bridge services: traefik2: container_name: traefik2 image: traefik:chevrotin restart: always ports: - 80:80 - 443:443 - 8181:8181 networks: - t2_proxy env_file: - .env environment: - TZ=$TZ volumes: - ${USERDIR}/docker/traefik2/traefik2.yml:/etc/traefik/traefik.yml:ro - ${USERDIR}/docker/traefik2/acme/acme.json:/acme.json - ${USERDIR}/docker/traefik2/rules:/rules:ro - ${USERDIR}/docker/shared/transip.key:/transip.key:ro - ${USERDIR}/docker/shared:/shared - /var/run/docker.sock:/var/run/docker.sock labels: - traefik.enable=true - traefik.http.routers.api.rule=Host("traefik.example.com") - traefik.http.routers.api.entrypoints=https - traefik.http.routers.api.tls=true docker-compose.yml -> authelia `version: "3.7" ########################### NETWORKS networks: t2_proxy: external: name: t2_proxy default: driver: bridge ########################### SERVICES services: authelia: image: authelia/authelia container_name: authelia hostname: authelia restart: unless-stopped networks: t2_proxy env_file: .env environment: TZ:$TZ volumes: ./configuration.yml:/config/configuration.yml:ro ./users_database.yml:/config/users_database.yml:ro ./data:/etc/authelia/data:rw labels: traefik.enable=true traefik.http.routers.authelia.rule=Host("login.example.com") traefik.http.routers.authelia.entrypoints=https traefik.http.routers.authelia.tls=true` docker-compose.yml -> whoami - the subdomain to be protected `version: "3.7" ########################### NETWORKS networks: t2_proxy: external: name: t2_proxy default: driver: bridge ########################### SERVICES services: whoami: image: containous/whoami container_name: whoami hostname: whoami restart: always env_file: .env networks: t2_proxy ports: "81:80" environment: TZ=$TZ labels: traefik.enable=true traefik.http.routers.whoami.rule=Host(`whoami.example.com`) traefik.http.routers.whoami.entrypoints=https traefik.http.routers.whoami.tls=true traefik.http.routers.whoami.middlewares=authelia@file` middleware.yml `http: middlewares: redirect: redirectScheme: scheme: https basic_auth: basicAuth: realm: "Traefik2 Basic Auth" usersFile: "/shared/.htpasswd" authelia: forwardAuth: address: "http://authelia:9091/api/verify?rd=https://login.example.com/" trustForwardHeader: true authResponseHeaders: "Remote-User" "Remote-Groups" hsts: headers: sslRedirect: true stsPreload: true stsSeconds: 315360000 stsIncludeSubdomains: true accessControlMaxAge: 100 sslRedirect: true accessControlAllowMethods: GET OPTIONS PUT forceSTSHeader: true customFrameOptionsValue: "allow-from https:*.example.com" `contentTypeNosniff: true browserXssFilter: true` sslHost: "example.com" referrerPolicy: "same-origin`	11:02:43
tapnl	* Hi Amir, I tried to follow the reference setup as good as possible, tailored to my needs. Most likely it is a config error - but very hard to find. See the requested files below, I also added my middlewares.yml because I define the middleware in a file not per container. docker-compose.yml -> traefik version: "3.7" ########################### NETWORKS networks: t2_proxy: external: name: t2_proxy default: driver: bridge services: traefik2: container_name: traefik2 image: traefik:chevrotin restart: always ports: - 80:80 - 443:443 - 8181:8181 networks: - t2_proxy env_file: - .env environment: - TZ=$TZ volumes: - ${USERDIR}/docker/traefik2/traefik2.yml:/etc/traefik/traefik.yml:ro - ${USERDIR}/docker/traefik2/acme/acme.json:/acme.json - ${USERDIR}/docker/traefik2/rules:/rules:ro - ${USERDIR}/docker/shared/transip.key:/transip.key:ro - ${USERDIR}/docker/shared:/shared - /var/run/docker.sock:/var/run/docker.sock labels: - traefik.enable=true - traefik.http.routers.api.rule=Host("traefik.example.com") - traefik.http.routers.api.entrypoints=https - traefik.http.routers.api.tls=true docker-compose.yml -> authelia`version: "3.7" ########################### NETWORKS networks: t2_proxy: external: name: t2_proxy default: driver: bridge ########################### SERVICES services: authelia: image: authelia/authelia container_name: authelia hostname: authelia restart: unless-stopped networks: t2_proxy env_file: .env environment: TZ:$TZ volumes: ./configuration.yml:/config/configuration.yml:ro ./users_database.yml:/config/users_database.yml:ro ./data:/etc/authelia/data:rw labels: traefik.enable=true traefik.http.routers.authelia.rule=Host("login.example.com") traefik.http.routers.authelia.entrypoints=https traefik.http.routers.authelia.tls=true` docker-compose.yml -> whoami - the subdomain to be protected `version: "3.7" ########################### NETWORKS networks: t2_proxy: external: name: t2_proxy default: driver: bridge ########################### SERVICES services: whoami: image: containous/whoami container_name: whoami hostname: whoami restart: always env_file: .env networks: t2_proxy ports: "81:80" environment: TZ=$TZ labels: traefik.enable=true traefik.http.routers.whoami.rule=Host(`whoami.example.com`) traefik.http.routers.whoami.entrypoints=https traefik.http.routers.whoami.tls=true traefik.http.routers.whoami.middlewares=authelia@file` middleware.yml `http: middlewares: redirect: redirectScheme: scheme: https basic_auth: basicAuth: realm: "Traefik2 Basic Auth" usersFile: "/shared/.htpasswd" authelia: forwardAuth: address: "http://authelia:9091/api/verify?rd=https://login.example.com/" trustForwardHeader: true authResponseHeaders: "Remote-User" "Remote-Groups" hsts: headers: sslRedirect: true stsPreload: true stsSeconds: 315360000 stsIncludeSubdomains: true accessControlMaxAge: 100 sslRedirect: true accessControlAllowMethods: GET OPTIONS PUT forceSTSHeader: true customFrameOptionsValue: "allow-from https:*.example.com" `contentTypeNosniff: true browserXssFilter: true` sslHost: "example.com" referrerPolicy: "same-origin`	11:03:09
tapnl	Hi Amir, I tried to follow the reference setup as good as possible, tailored to my needs. Most likely it is a config error - but very hard to find. See the requested files below, I also added my middlewares.yml because I define the middleware in a file not per container. docker-compose.yml -> traefik version: "3.7" ########################### NETWORKS networks: t2_proxy: external: name: t2_proxy default: driver: bridge services: traefik2: container_name: traefik2 image: traefik:chevrotin restart: always ports: - 80:80 - 443:443 - 8181:8181 networks: - t2_proxy env_file: - .env environment: - TZ=$TZ volumes: - ${USERDIR}/docker/traefik2/traefik2.yml:/etc/traefik/traefik.yml:ro - ${USERDIR}/docker/traefik2/acme/acme.json:/acme.json - ${USERDIR}/docker/traefik2/rules:/rules:ro - ${USERDIR}/docker/shared/transip.key:/transip.key:ro - ${USERDIR}/docker/shared:/shared - /var/run/docker.sock:/var/run/docker.sock labels: - traefik.enable=true - traefik.http.routers.api.rule=Host("traefik.example.com") - traefik.http.routers.api.entrypoints=https - traefik.http.routers.api.tls=true docker-compose.yml -> authelia version: "3.7" ########################### NETWORKS networks: t2_proxy: external: name: t2_proxy default: driver: bridge ########################### SERVICES services: authelia: image: authelia/authelia container_name: authelia hostname: authelia restart: unless-stopped networks: - t2_proxy env_file: - .env environment: - TZ:$TZ volumes: - ./configuration.yml:/config/configuration.yml:ro - ./users_database.yml:/config/users_database.yml:ro - ./data:/etc/authelia/data:rw labels: - traefik.enable=true - traefik.http.routers.authelia.rule=Host("login.example.com") - traefik.http.routers.authelia.entrypoints=https - traefik.http.routers.authelia.tls=true docker-compose.yml -> whoami - the subdomain to be protected version: "3.7" ########################### NETWORKS networks: t2_proxy: external: name: t2_proxy default: driver: bridge ########################### SERVICES services: whoami: image: containous/whoami container_name: whoami hostname: whoami restart: always env_file: - .env networks: - t2_proxy ports: - "81:80" environment: - TZ=$TZ labels: - traefik.enable=true - traefik.http.routers.whoami.rule=Host(`whoami.example.com`) - traefik.http.routers.whoami.entrypoints=https - traefik.http.routers.whoami.tls=true - traefik.http.routers.whoami.middlewares=authelia@file middleware.yml http: middlewares: redirect: redirectScheme: scheme: https basic_auth: basicAuth: realm: "Traefik2 Basic Auth" usersFile: "/shared/.htpasswd" authelia: forwardAuth: address: "http://authelia:9091/api/verify?rd=https://login.example.com/" trustForwardHeader: true authResponseHeaders: - "Remote-User" - "Remote-Groups" hsts: headers: sslRedirect: true stsPreload: true stsSeconds: 315360000 stsIncludeSubdomains: true accessControlMaxAge: 100 sslRedirect: true accessControlAllowMethods: - GET - OPTIONS - PUT forceSTSHeader: true # customFrameOptionsValue: "allow-from https:*.example.com" contentTypeNosniff: true browserXssFilter: true # sslHost: "example.com" referrerPolicy: "same-origin"	11:04:34
Amir	So when you goto `whoami.example.com` it does redirect you to the portal to authenticate?	11:06:51
Amir	Or better yet if you could just detail your actual workflow, what happens and provide me the authelia logs for that workflow too.	11:07:53
Amir	Also just to be clear, I see your `middleware.yml` but no references in the compose, so I assume that's referenced in your `traefik.yml`?	11:09:17
tapnl	In reply to @nightah:nerv.com.au Also just to be clear, I see your `middleware.yml` but no references in the compose, so I assume that's referenced in your `traefik.yml`? Hi Amir, When I directly go to whoami.example.com it does not show me the login page. See below for details. Middleware is not defined in traefik.yml but it does load. Because the basic_auth also defined there works well. Also I don't see any errors that the actual middleware is not being found. See below my workflow in steps, with the different logs per step Step 1 - go to whoami.example.com In browser: address field: `https://login.example.com/?rd=https%3A%2F%2Fwhoami.example.com%2F` In screen: 404 page not found Traefik log: `today at 14:35 time="2020-07-13T14:35:34+02:00" level=debug msg="Remote error http://authelia:9091/api/verify?rd=https://login.example.com/. StatusCode: 302" middlewareName=authelia@file middlewareType=ForwardedAuthType` Authelia log `today at 14:35 time="2020-07-13T14:35:34+02:00" level=info msg="Access to https://whoami.example.com/ is not authorized to user , redirecting to https://login.example.com/?rd=https%3A%2F%2Fwhoami.example.com%2F" method=GET path=/api/verify remote_ip=192.168.1.1` Step 2 - going to login.example.com When going in the same session to login.example.com - nothings happens in the browser. 404 report is there. Logs for both Authelia and Traefik show no entries Appreciated that you are looking into this. Cheers, Tap.	12:44:15
tapnl	Additional workflow Step 1: go to login.example.com Login screen is being displayed Step 2: enter credentials Authelia log: `today at 14:48 time="2020-07-13T14:48:05+02:00" level=debug msg="Credentials validation of user admin is ok" method=POST path=/api/firstfactor remote_ip=192.168.1.1 today at 14:48 time="2020-07-13T14:48:05+02:00" level=debug msg="Mark authentication attempt made by user admin" method=POST path=/api/firstfactor remote_ip=192.168.1.1` Traefik log: today at 14:48 time="2020-07-13T14:48:05+02:00" level=debug msg="vulcand/oxy/roundrobin/rr: begin ServeHttp on request" Request="{\"Method\":\"POST\",\"URL\":{\"Scheme\":\"\",\"Opaque\":\"\",\"User\":null,\"Host\":\"\",\"Path\":\"/api/firstfactor\",\"RawPath\":\"\",\"ForceQuery\":false,\"RawQuery\":\"\",\"Fragment\":\"\"},\"Proto\":\"HTTP/2.0\",\"ProtoMajor\":2,\"ProtoMinor\":0,\"Header\":{\"Accept\":[\"application/json, text/plain, /\"],\"Accept-Encoding\":[\"gzip, deflate, br\"],\"Accept-Language\":[\"en-GB,en;q=0.5\"],\"Content-Length\":[\"93\"],\"Content-Type\":[\"application/json;charset=utf-8\"],\"Dnt\":[\"1\"],\"Origin\":[\"https://login.example.com\"],\"Referer\":[\"https://login.example.com/\"],\"Te\":[\"trailers\"],\"User-Agent\":[\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:78.0) Gecko/20100101 Firefox/78.0\"],\"X-Forwarded-Host\":[\"login.example.com\"],\"X-Forwarded-Port\":[\"443\"],\"X-Forwarded-Proto\":[\"https\"],\"X-Forwarded-Server\":[\"a1836832e66b\"],\"X-Real-Ip\":[\"192.168.1.1\"]},\"ContentLength\":93,\"TransferEncoding\":null,\"Host\":\"login.example.com\",\"Form\":null,\"PostForm\":null,\"MultipartForm\":null,\"Trailer\":null,\"RemoteAddr\":\"192.168.1.1:57530\",\"RequestURI\":\"/api/firstfactor\",\"TLS\":null}" today at 14:48 time="2020-07-13T14:48:05+02:00" level=debug msg="vulcand/oxy/roundrobin/rr: Forwarding this request to URL" ForwardURL="http://172.18.0.3:9091" Request="{\"Method\":\"POST\",\"URL\":{\"Scheme\":\"\",\"Opaque\":\"\",\"User\":null,\"Host\":\"\",\"Path\":\"/api/firstfactor\",\"RawPath\":\"\",\"ForceQuery\":false,\"RawQuery\":\"\",\"Fragment\":\"\"},\"Proto\":\"HTTP/2.0\",\"ProtoMajor\":2,\"ProtoMinor\":0,\"Header\":{\"Accept\":[\"application/json, text/plain, /\"],\"Accept-Encoding\":[\"gzip, deflate, br\"],\"Accept-Language\":[\"en-GB,en;q=0.5\"],\"Content-Length\":[\"93\"],\"Content-Type\":[\"application/json;charset=utf-8\"],\"Dnt\":[\"1\"],\"Origin\":[\"https://login.example.com\"],\"Referer\":[\"https://login.example.com/\"],\"Te\":[\"trailers\"],\"User-Agent\":[\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:78.0) Gecko/20100101 Firefox/78.0\"],\"X-Forwarded-Host\":[\"login.example.com\"],\"X-Forwarded-Port\":[\"443\"],\"X-Forwarded-Proto\":[\"https\"],\"X-Forwarded-Server\":[\"a1836832e66b\"],\"X-Real-Ip\":[\"192.168.1.1\"]},\"ContentLength\":93,\"TransferEncoding\":null,\"Host\":\"login.example.com\",\"Form\":null,\"PostForm\":null,\"MultipartForm\":null,\"Trailer\":null,\"RemoteAddr\":\"192.168.1.1:57530\",\"RequestURI\":\"/api/firstfactor\",\"TLS\":null}" today at 14:48 time="2020-07-13T14:48:06+02:00" level=debug msg="vulcand/oxy/roundrobin/rr: completed ServeHttp on request" Request="{\"Method\":\"POST\",\"URL\":{\"Scheme\":\"\",\"Opaque\":\"\",\"User\":null,\"Host\":\"\",\"Path\":\"/api/firstfactor\",\"RawPath\":\"\",\"ForceQuery\":false,\"RawQuery\":\"\",\"Fragment\":\"\"},\"Proto\":\"HTTP/2.0\",\"ProtoMajor\":2,\"ProtoMinor\":0,\"Header\":{\"Accept\":[\"application/json, text/plain, /\"],\"Accept-Encoding\":[\"gzip, deflate, br\"],\"Accept-Language\":[\"en-GB,en;q=0.5\"],\"Content-Length\":[\"93\"],\"Content-Type\":[\"application/json;charset=utf-8\"],\"Dnt\":[\"1\"],\"Origin\":[\"https://login.example.com\"],\"Referer\":[\"https://login.example.com/\"],\"Te\":[\"trailers\"],\"User-Agent\":[\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:78.0) Gecko/20100101 Firefox/78.0\"],\"X-Forwarded-Host\":[\"login.example.com\"],\"X-Forwarded-Port\":[\"443\"],\"X-Forwarded-Proto\":[\"https\"],\"X-Forwarded-Server\":[\"a1836832e66b\"],\"X-Real-Ip\":[\"192.168.1.1\"]},\"ContentLength\":93,\"TransferEncoding\":null,\"Host\":\"login.example.com\",\"Form\":null,\"PostForm\":null,\"MultipartForm\":null,\"Trailer\":null,\"RemoteAddr\":\"192.168.1.1:57530\",\"RequestURI\":\"/api/firstfactor\",\"TLS\":null}" Browser: In screen: `404 page not found` In addreess field: `login.example.com` And no ssl connection Step 3: go to whoami.example.com Brower: Loads normal - no credentials needed Authelia log: No entries Traefik log: today at 14:51 time="2020-07-13T14:51:56+02:00" level=debug msg="vulcand/oxy/roundrobin/rr: begin ServeHttp on request" Request="{\"Method\":\"GET\",\"URL\":{\"Scheme\":\"\",\"Opaque\":\"\",\"User\":null,\"Host\":\"\",\"Path\":\"/\",\"RawPath\":\"\",\"ForceQuery\":false,\"RawQuery\":\"\",\"Fragment\":\"\"},\"Proto\":\"HTTP/2.0\",\"ProtoMajor\":2,\"ProtoMinor\":0,\"Header\":{\"Accept\":[\"text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,/;q=0.8\"],\"Accept-Encoding\":[\"gzip, deflate, br\"],\"Accept-Language\":[\"en-GB,en;q=0.5\"],\"Cookie\":[\"authelia_session=rMMChZfrAoiTLwXdvjeYcbSGwAEImtst\"],\"Dnt\":[\"1\"],\"Remote-Groups\":[\"admins,dev\"],\"Remote-User\":[\"admin\"],\"Te\":[\"trailers\"],\"Upgrade-Insecure-Requests\":[\"1\"],\"User-Agent\":[\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:78.0) Gecko/20100101 Firefox/78.0\"],\"X-Forwarded-Host\":[\"whoami.example.com\"],\"X-Forwarded-Port\":[\"443\"],\"X-Forwarded-Proto\":[\"https\"],\"X-Forwarded-Server\":[\"a1836832e66b\"],\"X-Real-Ip\":[\"192.168.1.1\"]},\"ContentLength\":0,\"TransferEncoding\":null,\"Host\":\"whoami.example.com\",\"Form\":null,\"PostForm\":null,\"MultipartForm\":null,\"Trailer\":null,\"RemoteAddr\":\"192.168.1.1:42264\",\"RequestURI\":\"/\",\"TLS\":null}" today at 14:51 time="2020-07-13T14:51:56+02:00" level=debug msg="vulcand/oxy/roundrobin/rr: Forwarding this request to URL" ForwardURL="http://172.18.0.5:80" Request="{\"Method\":\"GET\",\"URL\":{\"Scheme\":\"\",\"Opaque\":\"\",\"User\":null,\"Host\":\"\",\"Path\":\"/\",\"RawPath\":\"\",\"ForceQuery\":false,\"RawQuery\":\"\",\"Fragment\":\"\"},\"Proto\":\"HTTP/2.0\",\"ProtoMajor\":2,\"ProtoMinor\":0,\"Header\":{\"Accept\":[\"text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,/;q=0.8\"],\"Accept-Encoding\":[\"gzip, deflate, br\"],\"Accept-Language\":[\"en-GB,en;q=0.5\"],\"Cookie\":[\"authelia_session=rMMChZfrAoiTLwXdvjeYcbSGwAEImtst\"],\"Dnt\":[\"1\"],\"Remote-Groups\":[\"admins,dev\"],\"Remote-User\":[\"admin\"],\"Te\":[\"trailers\"],\"Upgrade-Insecure-Requests\":[\"1\"],\"User-Agent\":[\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:78.0) Gecko/20100101 Firefox/78.0\"],\"X-Forwarded-Host\":[\"whoami.example.com\"],\"X-Forwarded-Port\":[\"443\"],\"X-Forwarded-Proto\":[\"https\"],\"X-Forwarded-Server\":[\"a1836832e66b\"],\"X-Real-Ip\":[\"192.168.1.1\"]},\"ContentLength\":0,\"TransferEncoding\":null,\"Host\":\"whoami.example.com\",\"Form\":null,\"PostForm\":null,\"MultipartForm\":null,\"Trailer\":null,\"RemoteAddr\":\"192.168.1.1:42264\",\"RequestURI\":\"/\",\"TLS\":null}" today at 14:51 time="2020-07-13T14:51:56+02:00" level=debug msg="vulcand/oxy/roundrobin/rr: completed ServeHttp on request" Request="{\"Method\":\"GET\",\"URL\":{\"Scheme\":\"\",\"Opaque\":\"\",\"User\":null,\"Host\":\"\",\"Path\":\"/\",\"RawPath\":\"\",\"ForceQuery\":false,\"RawQuery\":\"\",\"Fragment\":\"\"},\"Proto\":\"HTTP/2.0\",\"ProtoMajor\":2,\"ProtoMinor\":0,\"Header\":{\"Accept\":[\"text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,/;q=0.8\"],\"Accept-Encoding\":[\"gzip, deflate, br\"],\"Accept-Language\":[\"en-GB,en;q=0.5\"],\"Cookie\":[\"authelia_session=rMMChZfrAoiTLwXdvjeYcbSGwAEImtst\"],\"Dnt\":[\"1\"],\"Remote-Groups\":[\"admins,dev\"],\"Remote-User\":[\"admin\"],\"Te\":[\"trailers\"],\"Upgrade-Insecure-Requests\":[\"1\"],\"User-Agent\":[\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:78.0) Gecko/20100101 Firefox/78.0\"],\"X-Forwarded-Host\":[\"whoami.example.com\"],\"X-Forwarded-Port\":[\"443\"],\"X-Forwarded-Proto\":[\"https\"],\"X-Forwarded-Server\":[\"a1836832e66b\"],\"X-Real-Ip\":[\"192.168.1.1\"]},\"ContentLength\":0,\"TransferEncoding\":null,\"Host\":\"whoami.example.com\",\"Form\":null,\"PostForm\":null,\"MultipartForm\":null,\"Trailer\":null,\"RemoteAddr\":\"192.168.1.1:42264\",\"RequestURI\":\"/\",\"TLS\":null}" today at 14:51 time="2020-07-13T14:51:56+02:00" level=debug msg="vulcand/oxy/roundrobin/rr: begin ServeHttp on request" Request="{\"Method\":\"GET\",\"URL\":{\"Scheme\":\"\",\"Opaque\":\"\",\"User\":null,\"Host\":\"\",\"Path\":\"/favicon.ico\",\"RawPath\":\"\",\"ForceQuery\":false,\"RawQuery\":\"\",\"Fragment\":\"\"},\"Proto\":\"HTTP/2.0\",\"ProtoMajor\":2,\"ProtoMinor\":0,\"Header\":{\"Accept\":[\"image/webp,/\"],\"Accept-Encoding\":[\"gzip, deflate, br\"],\"Accept-Language\":[\"en-GB,en;q=0.5\"],\"Cookie\":[\"authelia_session=rMMChZfrAoiTLwXdvjeYcbSGwAEImtst\"],\"Dnt\":[\"1\"],\"Remote-Groups\":[\"admins,dev\"],\"Remote-User\":[\"admin\"],\"Te\":[\"trailers\"],\"User-Agent\":[\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:78.0) Gecko/20100101 Firefox/78.0\"],\"X-Forwarded-Host\":[\"whoami.example.com\"],\"X-Forwarded-Port\":[\"443\"],\"X-Forwarded-Proto\":[\"https\"],\"X-Forwarded-Server\":[\"a1836832e66b\"],\"X-Real-Ip\":[\"192.168.1.1\"]},\"ContentLength\":0,\"TransferEncoding\":null,\"Host\":\"whoami.example.com\",\"Form\":null,\"PostForm\":null,\"MultipartForm\":null,\"Trailer\":null,\"RemoteAddr\":\"192.168.1.1:42264\",\"RequestURI\":\"/favicon.ico\",\"TLS\":null}" today at 14:51 time="2020-07-13T14:51:56+02:00" level=debug msg="vulcand/oxy/roundrobin/rr: Forwarding this request to URL" Request="{\"Method\":\"GET\",\"URL\":{\"Scheme\":\"\",\"Opaque\":\"\",\"User\":null,\"Host\":\"\",\"Path\":\"/favicon.ico\",\"RawPath\":\"\",\"ForceQuery\":false,\"RawQuery\":\"\",\"Fragment\":\"\"},\"Proto\":\"HTTP/2.0\",\"ProtoMajor\":2,\"ProtoMinor\":0,\"Header\":{\"Accept\":[\"image/webp,/\"],\"Accept-Encoding\":[\"gzip, deflate, br\"],\"Accept-Language\":[\"en-GB,en;q=0.5\"],\"Cookie\":[\"authelia_session=rMMChZfrAoiTLwXdvjeYcbSGwAEImtst\"],\"Dnt\":[\"1\"],\"Remote-Groups\":[\"admins,dev\"],\"Remote-User\":[\"admin\"],\"Te\":[\"trailers\"],\"User-Agent\":[\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:78.0) Gecko/20100101 Firefox/78.0\"],\"X-Forwarded-Host\":[\"whoami.example.com\"],\"X-Forwarded-Port\":[\"443\"],\"X-Forwarded-Proto\":[\"https\"],\"X-Forwarded-Server\":[\"a1836832e66b\"],\"X-Real-Ip\":[\"192.168.1.1\"]},\"ContentLength\":0,\"TransferEncoding\":null,\"Host\":\"whoami.example.com\",\"Form\":null,\"PostForm\":null,\"MultipartForm\":null,\"Trailer\":null,\"RemoteAddr\":\"192.168.1.1:42264\",\"RequestURI\":\"/favicon.ico\",\"TLS\":null}" ForwardURL="http://172.18.0.5:80" today at 14:51 time="2020-07-13T14:51:56+02:00" level=debug msg="vulcand/oxy/roundrobin/rr: completed ServeHttp on request" Request="{\"Method\":\"GET\",\"URL\":{\"Scheme\":\"\",\"Opaque\":\"\",\"User\":null,\"Host\":\"\",\"Path\":\"/favicon.ico\",\"RawPath\":\"\",\"ForceQuery\":false,\"RawQuery\":\"\",\"Fragment\":\"\"},\"Proto\":\"HTTP/2.0\",\"ProtoMajor\":2,\"ProtoMinor\":0,\"Header\":{\"Accept\":[\"image/webp,/\"],\"Accept-Encoding\":[\"gzip, deflate, br\"],\"Accept-Language\":[\"en-GB,en;q=0.5\"],\"Cookie\":[\"authelia_session=rMMChZfrAoiTLwXdvjeYcbSGwAEImtst\"],\"Dnt\":[\"1\"],\"Remote-Groups\":[\"admins,dev\"],\"Remote-User\":[\"admin\"],\"Te\":[\"trailers\"],\"User-Agent\":[\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:78.0) Gecko/20100101 Firefox/78.0\"],\"X-Forwarded-Host\":[\"whoami.example.com\"],\"X-Forwarded-Port\":[\"443\"],\"X-Forwarded-Proto\":[\"https\"],\"X-Forwarded-Server\":[\"a1836832e66b\"],\"X-Real-Ip\":[\"192.168.1.1\"]},\"ContentLength\":0,\"TransferEncoding\":null,\"Host\":\"whoami.example.com\",\"Form\":null,\"PostForm\":null,\"MultipartForm\":null,\"Trailer\":null,\"RemoteAddr\":\"192.168.1.1:42264\",\"RequestURI\":\"/favicon.ico\",\"TLS\":null}" Step 4: Going back to login.example.com Browser: address field: `https://login.example.com/` With ssl connection Authelia log: No entries Traefik log: No entries	12:57:14
Amir	tapnl: Step 4 in your additional workflow, do you still get a 404?	13:09:08
tapnl	In reply to @nightah:nerv.com.au tapnl: Step 4 in your additional workflow, do you still get a 404? When I am trying to replicate the second workflow - I am not able to visit whoami.example.com. I get a 404 on whoami.example.com with ssl connection. Then going back to login.example.com shows that I am authenticated.	13:59:19
Amir	right, can I see your `configuration.yml` too?	14:00:36
Amir	and do you see anything in the browser console when you try and visit `whoami.example.com`?	14:02:36
Amir	by all accounts everything looks setup properly and your logs seem to indicate as much as well	14:05:11
tapnl	In reply to @nightah:nerv.com.au and do you see anything in the browser console when you try and visit `whoami.example.com`? ############################################################### # Authelia configuration # ############################################################### # The host and port to listen on host: 0.0.0.0 port: 9091 # Configuration options specific to the internal http server server: # Buffers usually should be configured to be the same value. # Explanation at https://docs.authelia.com/configuration/server.html # Read buffer size configures the http server's maximum incoming request size in bytes. read_buffer_size: 4096 # Write buffer size configures the http server's maximum outgoing response size in bytes. write_buffer_size: 4096 # Set the single level path Authelia listens on, must be alphanumeric chars and should not contain any slashes. path: "" # Level of verbosity for logs: info, debug, trace log_level: debug ## File path where the logs will be written. If not set logs are written to stdout. # log_file_path: /config/authelia.log # The secret used to generate JWT tokens when validating user identity by # email confirmation. # JWT Secret can also be set using a secret: https://docs.authelia.com/configuration/secrets.html jwt_secret: <SECRECT> # Default redirection URL # # If user tries to authenticate without any referer, Authelia # does not know where to redirect the user to at the end of the # authentication process. # This parameter allows you to specify the default redirection # URL Authelia will use in such a case. # # Note: this parameter is optional. If not provided, user won't # be redirected upon successful authentication. default_redirection_url: http://login.example.com # TOTP Settings # # Parameters used for TOTP generation totp: # The issuer name displayed in the Authenticator application of your choice # See: https://github.com/google/google-authenticator/wiki/Key-Uri-Format for more info on issuer names issuer: authelia.com # The period in seconds a one-time password is current for. Changing this will require all users to register # their TOTP applications again. # Warning: before changing period read the docs link below. period: 30 # The skew controls number of one-time passwords either side of the current one that are valid. # Warning: before changing skew read the docs link below. skew: 1 # See: https://docs.authelia.com/configuration/one-time-password.html#period-and-skew to read the documentation. # Duo Push API # # Parameters used to contact the Duo API. Those are generated when you protect an application # of type "Partner Auth API" in the management panel. duo_api: hostname: <SECRET> integration_key: <SECRET> secret_key: <SECRET> # The authentication backend to use for verifying user passwords # and retrieve information such as email address and groups # users belong to. # # There are two supported backends: 'ldap' and 'file'. authentication_backend: # Disable both the HTML element and the API for reset password functionality disable_reset_password: false # The amount of time to wait before we refresh data from the authentication backend. Uses duration notation. # To disable this feature set it to 'disable', this will slightly reduce security because for Authelia, users # will always belong to groups they belonged to at the time of login even if they have been removed from them in LDAP. # To force update on every request you can set this to '0' or 'always', this will increase processor demand. # See the below documentation for more information. # Duration Notation docs: https://docs.authelia.com/configuration/index.html#duration-notation-format # Refresh Interval docs: https://docs.authelia.com/configuration/authentication/ldap.html#refresh-interval refresh_interval: 5m # File backend configuration. # # With this backend, the users database is stored in a file # which is updated when users reset their passwords. # Therefore, this backend is meant to be used in a dev environment # and not in production since it prevents Authelia to be scaled to # more than one instance. The options under 'password' have sane # defaults, and as it has security implications it is highly recommended # you leave the default values. Before considering changing these settings # please read the docs page below: # https://docs.authelia.com/configuration/authentication/file.html#password-hash-algorithm-tuning # file: path: /config/users_database.yml password: algorithm: argon2id iterations: 1 salt_length: 16 parallelism: 8 memory: 1024 # Access Control # # Access control is a list of rules defining the authorizations applied for one # resource to users or group of users. # # If 'access_control' is not defined, ACL rules are disabled and the 'bypass' # rule is applied, i.e., access is allowed to anyone. Otherwise restrictions follow # the rules defined. # # Note: One can use the wildcard * to match any subdomain. # It must stand at the beginning of the pattern. (example: *.mydomain.com) # # Note: You must put patterns containing wildcards between simple quotes for the YAML # to be syntactically correct. # # Definition: A 'rule' is an object with the following keys: 'domain', 'subject', # 'policy' and 'resources'. # # - 'domain' defines which domain or set of domains the rule applies to. # # - 'subject' defines the subject to apply authorizations to. This parameter is # optional and matching any user if not provided. If provided, the parameter # represents either a user or a group. It should be of the form 'user:<username>' # or 'group:<groupname>'. # # - 'policy' is the policy to apply to resources. It must be either 'bypass', # 'one_factor', 'two_factor' or 'deny'. # # - 'resources' is a list of regular expressions that matches a set of resources to # apply the policy to. This parameter is optional and matches any resource if not # provided. # # Note: the order of the rules is important. The first policy matching # (domain, resource, subject) applies. access_control: # Default policy can either be 'bypass', 'one_factor', 'two_factor' or 'deny'. # It is the policy applied to any resource if there is no policy to be applied # to the user. default_policy: deny rules: - domain: "whoami.example.com" policy: one_factor # Configuration of session cookies # # The session cookies identify the user once logged in. session: # The name of the session cookie. (default: authelia_session). name: authelia_session # The secret to encrypt the session data. This is only used with Redis. # Secret can also be set using a secret: https://docs.authelia.com/configuration/secrets.html secret: <SECRET> # The time in seconds before the cookie expires and session is reset. expiration: 1h # The inactivity time in seconds before the session is reset. inactivity: 5m # The remember me duration. # Value of 0 disables remember me. # Value is in seconds, or duration notation. See: https://docs.authelia.com/configuration/index.html#duration-notation-format # Longer periods are considered less secure because a stolen cookie will last longer giving attackers more time to spy # or attack. Currently the default is 1M or 1 month. remember_me_duration: 1M # The domain to protect. # Note: the authenticator must also be in that domain. If empty, the cookie # is restricted to the subdomain of the issuer. domain: example.com # Configuration of the authentication regulation mechanism. # # This mechanism prevents attackers from brute forcing the first factor. # It bans the user if too many attempts are done in a short period of # time. regulation: max_retries: 3 find_time: 2m ban_time: 5m # Configuration of the storage backend used to store data and secrets. # # You must use only an available configuration: local, mysql, postgres storage: local: path: /config/db.sqlite3 notifier: filesystem: filename: /config/data/notification.txt No doing it the second time did not show anyting in whoami	14:05:20
Amir	does `https://whoami.example.com/health` also give you a 404?	14:07:05
Amir	or `https://whoami.example.com/api`	14:07:59
Amir	anyway it's past midnight I'll have a look at your response when I get back up, but the 404 suggests there's either an issue with the cookie/redirect or the whoami container/traefik	14:17:42
Amir	the former you would see logs for though	14:17:56
Amir	so it's more likely to be the latter	14:18:00
tapnl	Both give a 404. For me it feels that the redirect is not going correctly. I expect the issue in Traefik - but not sure where to look.	20:41:36
14 Jul 2020
Amir	tapnl: looks like some of the guys figured it out on one the issues	04:58:53
Amir	https://github.com/containous/traefik/issues/7020 and https://github.com/authelia/authelia/issues/1195#issuecomment-657949217 for reference	04:59:42
Amir	related specifically to the following change in Traefik: https://github.com/containous/traefik/pull/7008	05:00:59
Amir	https://github.com/containous/traefik/issues/7020#issuecomment-656753476 explains the actual issue in further detail too	05:04:45
tapnl	In reply to @nightah:nerv.com.au https://github.com/containous/traefik/issues/7020 and https://github.com/authelia/authelia/issues/1195#issuecomment-657949217 for reference Hi Amir, I can confirm that this is the issue! Thx very much for pointing out - I noticed that my docker had updated before this behaviour started - but was not able to find something on github - so I circled back to my configs - because during the automated updated, I was playing with my config quite a lot. Thanks again for looing into this and pointing out the solution! Cheers, M.	06:46:20
	natalie	06:48:14
Amir	No problems, glad it's sorted now.	07:50:33