TLDR; The issue is that LAM cannot successfully authenticate to mailcow (Dovecot) with the DOVECOT_MASTER_USER and DOVECOT_MASTER_PASSWORD setup, the connection is aborted and hence no mailbox was provisioned.
So, I am trying to connect a directory service with mailcow, in order to provision and manage mailboxes for users and groups from LDAP Account Manager (LAM).
The directory service is comprised of bitnamit/OpenLDAP image with LDAP Account Manager (LAM) as Directory Management frontend run as a docker-compose stack behind Traefik as Reverse Proxy just as mailcow.
version: '3.5'
volumes:
lam-app:
lam-data:
openldap-data:
networks:
openldap-net:
driver: bridge
web:
external: true
services:
ldap-account-manager:
image: ldapaccountmanager/lam:latest
restart: unless-stopped
volumes:
- lam-data:/var/lib/ldap-account-manager/
- lam-app:/etc/ldap-account-manager
environment:
# - LAM_PASSWORD=${LAM_PASSWORD}
# - LAM_LANG=${LAM_LANG}
# - LDAP_SERVER=${LDAP_SERVER}
# - LDAP_DOMAIN=${LDAP_DOMAIN}
# - LDAP_BASE_DN=${LDAP_BASE_DN}
# - ADMIN_USER=cn=${LDAP_ADMIN_NAME},${LDAP_BASE_DN}
- LAM_PASSWORD=${LAM_PASSWORD}
- LAM_LANG=${LAM_LANG}
- LDAP_SERVER=${LDAP_SERVER}
- LDAP_DOMAIN=${LDAP_DOMAIN}
- LDAP_BASE_DN=${LDAP_BASE_DN}
- ADMIN_USER=cn=admin,${LDAP_BASE_DN}
# - DEBUG=true
hostname: directory
domainname: "${LDAP_DOMAIN}"
networks:
- openldap-net
- web
labels:
- traefik.enable=true
- traefik.docker.network=web
- traefik.http.routers.openldap-lam.rule=Host(`directory.${LDAP_DOMAIN}`)
- traefik.http.routers.openldap-lam.entrypoints=websecure
- traefik.http.routers.openldap-lam.tls=true
- traefik.http.routers.openldap-lam.tls.certresolver=myresolver
- traefik.http.routers.openldap-lam.service=openldap-lam-svc
- traefik.http.services.openldap-lam-svc.loadbalancer.server.port=80
- traefik.http.routers.openldap-lam.middlewares=ldap-auth
- traefik.http.middlewares.ldap-auth.basicauth.users=adam:$$2y$$05$$aio7rx3j9w87ky2uw9r
certdumper:
image: humenius/traefik-certs-dumper
container_name: ldap_certdumper
network_mode: none
# env_file:
# - ldap.env
volumes:
# mount the folder which contains Traefik's `acme.json' file
- ../../proxy/letsencrypt/:/traefik:ro
- ./ldap/certs/:/output:rw
environment:
- DOMAIN=ldap.${LDAP_DOMAIN}
# Bitnami OpenLDAP container (actively maintained)
ldap:
image: bitnami/openldap:latest
ports:
- '389:1389' # Expose port 389
# - '1636:1636'
networks:
- openldap-net
- web
volumes:
- openldap-data:/bitnami/openldap
- ./ldap/schemas:/schemas # Additional LDIF schemas
labels:
- traefik.enable=true
- traefik.docker.network=web
- traefik.http.routers.ldap.rule=Host(`ldap.${LDAP_DOMAIN}`)
- traefik.http.routers.ldap.tls=true
- traefik.http.routers.ldap.tls.certresolver=myresolver
- traefik.http.routers.ldap.entrypoints=ldap
- traefik.http.routers.ldap.service=ldap-svc
- traefik.http.services.ldap-svc.loadbalancer.server.port=1389
environment:
- LDAP_ADMIN_USERNAME=${LDAP_ADMIN_NAME}
- LDAP_ADMIN_PASSWORD=${LDAP_ADMIN_PASSWORD}
- LDAP_ROOT=${LDAP_BASE_DN}
- LDAP_SKIP_DEFAULT_TREE=${LDAP_SKIP_DEFAULT_TREE}
- LDAP_GROUP=${LDAP_GROUP}
- LDAP_USER_DC=${LDAP_USER_DC}
- LDAP_CONFIG_ADMIN_ENABLED=${LDAP_CONFIG_ADMIN_ENABLED}
- LDAP_CONFIG_ADMIN_USERNAME=${LDAP_CONFIG_ADMIN_NAME}
- LDAP_CONFIG_ADMIN_PASSWORD=${LDAP_CONFIG_ADMIN_PASSWORD}
- LDAP_LOGLEVEL=${LDAP_LOGLEVEL}
- LDAP_PORT_NUMBER=${LDAP_PORT}
- LDAP_USERS=${LDAP_USERS}
- LDAP_PASSWORDS=${LDAP_PASSWORDS}
As LAM documentation states there are no additional schemas needed on the LDAP side, in order to setup and use IMAP mailboxes. But as can be seen I mount several LDIF schemas to extend the basic LDAP functionality. Namely:
asterisk.ldif: Software-PBX
dhcp.schema: DHCP from LDAP
freeradius.ldif: RADIUS from LDAP
ldapns.ldif: Hosts and Allowed Services Management
misc.ldif: E-Mail aliases among other things.
pyroka: printer access and management
IMAP settings in LAM are set as follows:
On the mailcow side, I adjusted mailcow.conf and set DOVECOT_MASTER_USER and DOVECOT_MASTER_PASSWORD. On restart I can find the new user and password created in /etc/dovecot/dovecot-master.userdb and /etc/dovecot/dovecot-master.passdb.
So far so good; LAM connect to Dovecot service of the respective mailcow instance and tries to authenticate with the username / password setup for the DOVECOT_MASTER_USER. But authentication fails with the following logs:
mailcowdockerized-dovecot-mailcow-1 | Feb 4 23:53:53 374f0ac661be dovecot: imap-login: Disconnected: Aborted login by logging out (auth failed, 1 attempts in 2 secs): user=<dovecot-master#mailcow.local>, method=PLAIN, rip=fd4d:6169:6c63:6f77::1, lip=fd4d:6169:6c63:6f77::f, TLS, TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Could it be due to TLS and certificates? OpenLDAP has TLS turned off internally. TLS termination is done with Traefik, which obtains and manages certificates via Letencrypt. Could this setup not meet Mailcow’s encryption requirements for successful authentication?
Would be grateful for hints and help 🙂
Luke
Related
I have my docker-compose.override.yml set up below in Visual Studio 2022
elasticsearch:
container_name: elasticsearch
environment:
- "ES_JAVA_OPTS=-Xms512m -Xmx512m"
- discovery.type=single-node
restart: always
ports:
- "9200:9200"
- "9300:9300"
networks:
elastic:
kibana:
container_name: kibana
restart: always
environment:
- ELASTICSEARCH_HOSTS=http://elasticsearch:9200
depends_on:
- elasticsearch
ports:
- "5601:5601"
networks:
elastic:
networks:
elastic:
driver: bridge
Every time I try to configure kibana, after supplying a token, I get the following error from the kibana container w/out kibana getting fully configured.
2023-02-06 21:40:38 [2023-02-07T04:40:38.210+00:00][WARN ][plugins.alerting] APIs are disabled because the Encrypted Saved Objects plugin is missing encryption key. Please set xpack.encryptedSavedObjects.encryptionKey in the kibana.yml or use the bin/kibana-encryption-keys command.
2023-02-06 21:40:38 [2023-02-07T04:40:38.366+00:00][INFO ][plugins.ruleRegistry] Installing common resources shared between all indices
2023-02-06 21:40:38 [2023-02-07T04:40:38.508+00:00][INFO ][plugins.cloudSecurityPosture] Registered task successfully [Task: cloud_security_posture-stats_task]
2023-02-06 21:40:39 [2023-02-07T04:40:39.605+00:00][INFO ][plugins.screenshotting.config] Chromium sandbox provides an additional layer of protection, and is supported for Linux Ubuntu 20.04 OS. Automatically enabling Chromium sandbox.
2023-02-06 21:40:39 [2023-02-07T04:40:39.741+00:00][ERROR][elasticsearch-service] Unable to retrieve version information from Elasticsearch nodes. socket hang up - Local: 192.168.128.3:60856, Remote: 192.168.128.2:9200
2023-02-06 21:40:40 [2023-02-07T04:40:40.773+00:00][INFO ][plugins.screenshotting.chromium] Browser executable: /usr/share/kibana/x-pack/plugins/screenshotting/chromium/headless_shell-linux_x64/headless_shell
2023-02-06 21:40:42 [2023-02-07T04:40:42.194+00:00][ERROR][elasticsearch-service] Unable to retrieve version information from Elasticsearch nodes. socket hang up - Local: 192.168.128.3:44378, Remote: 192.168.128.2:9200
I am a bit at a loss as to why I can't get it configured. Any help appreciated.
I have a dev Environment in docker and I'm using Nifi 1.13.2 and it's working fine (http).
I did an upgrade of Nifi to use version 1.15.3 that starts up with HTTPS only and it isn't working anymore.
docker-compose :
services:
nifi:
image: apache/nifi:1.15.3
container_name: nifi
environment:
- JAVA_TOOL_OPTIONS=-Dfile.encoding=utf8
- NIFI_WEB_HTTPS_PORT=8443
ports:
- 10000:8443
- "9001-9100:9001-9100"
volumes:
- ./data/nifi/content:/opt/nifi/nifi-current/content_repository:rw
- ./data/nifi/database:/opt/nifi/nifi-current/database_repository:rw
- ./data/nifi/flowfile:/opt/nifi/nifi-current/flowfile_repository:rw
- ./data/nifi/provenance:/opt/nifi/nifi-current/provenance_repository:rw
- ./data/nifi/state:/opt/nifi/nifi-current/state:rw
- ./data/db/driver:/opt/driver
Logs from nifi-app.log :
nifi-app_2022-03-16_14.0.log:36362:2022-03-16 14:36:43,370 INFO [main] org.apache.nifi.web.server.JettyServer Created HostHeaderHandler [HostHeaderHandler for 2dec0477131a:8443}]
nifi-app_2022-03-16_14.0.log:139435:2022-03-16 14:37:07,253 INFO [main] o.eclipse.jetty.server.AbstractConnector Started ServerConnector#36b53f08{SSL, (ssl, http/1.1)}{2dec0477131a:8443}
nifi-app_2022-03-16_14.0.log:139933:2022-03-16 14:37:07,292 INFO [main] org.apache.nifi.web.server.JettyServer https://2dec0477131a:8443/nifi
Error in logs when I go to https://localhost:10000/nifi :
2022-03-16 14:39:15,572 WARN [NiFi Web Server-16] o.a.nifi.web.server.HostHeaderHandler Request host header [localhost:10000] different from web hostname [2dec0477131a(:8443)]. Overriding to [2dec0477131a:8443/nifi]
2022-03-16 14:39:15,655 WARN [NiFi Web Server-20] o.a.nifi.web.server.HostHeaderHandler Request host header [localhost:10000] different from web hostname [2dec0477131a(:8443)]. Overriding to [2dec0477131a:8443/favicon.ico]
[![enter image description here][1]][1]
I see that on docker desktop when I do open in browser it opens http://localhost:10000/nifi , how can I change this url ?
Update1 :
I found this article : https://www.javahelps.com/2022/01/run-apache-nifi-in-docker-with-ssl.html so my docker-compose looks like this :
services:
nifi:
image: apache/nifi:1.15.3
container_name: nifi
environment:
- JAVA_TOOL_OPTIONS=-Dfile.encoding=utf8
- NIFI_WEB_HTTPS_PORT=8443
- SINGLE_USER_CREDENTIALS_USERNAME=jhiihihhu
- SINGLE_USER_CREDENTIALS_PASSWORD=e9o6dQhlEDusiq6oKUpzp8ZtW/Bjim6q2U0SxyBO6JA
- NIFI_SENSITIVE_PROPS_KEY=rHkWR1gDNW3R
- NIFI_WEB_PROXY_HOST=0.0.0.0:8443
- NIFI_WEB_HTTPS_HOST=0.0.0.0
- NIFI_CLUSTER_ADDRESS=0.0.0.0
- NIFI_REMOTE_INPUT_HOST=0.0.0.0
- AUTH=tls
- KEYSTORE_PATH=/opt/certs/keystore.jks
- KEYSTORE_TYPE=JKS
- KEYSTORE_PASSWORD=cjwC2UU/ZBxhlNyjFbK1QCE/bqNxq9WONwCPq8HbyRk
- TRUSTSTORE_PATH=/opt/certs/truststore.jks
- TRUSTSTORE_TYPE=JKS
- TRUSTSTORE_PASSWORD=1ab4TYRgYw7HMY4Dr+7s+7gVDrPBbZPGp4g/t5VhJG4
- NIFI_SECURITY_USER_AUTHORIZER=single-user-authorizer
- NIFI_SECURITY_USER_LOGIN_IDENTITY_PROVIDER=single-user-provider
ports:
- 10000:8443
- "9001-9100:9001-9100"
volumes:
- ./data/nifi/content:/opt/nifi/nifi-current/content_repository:rw
- ./data/nifi/database:/opt/nifi/nifi-current/database_repository:rw
- ./data/nifi/flowfile:/opt/nifi/nifi-current/flowfile_repository:rw
- ./data/nifi/provenance:/opt/nifi/nifi-current/provenance_repository:rw
- ./data/nifi/state:/opt/nifi/nifi-current/state:rw
- ./data/db/driver:/opt/driver
- ./keystore.jks:/opt/certs/keystore.jks
- ./truststore.jks:/opt/certs/truststore.jks
I still have the same error .
[1]: https://i.stack.imgur.com/OGqE6.png
Update 2:
It worked with the following docker compose :
services:
nifi:
image: apache/nifi:1.15.3
container_name: nifi
environment:
- JAVA_TOOL_OPTIONS=-Dfile.encoding=utf8
- NIFI_WEB_HTTPS_PORT=8443
- SINGLE_USER_CREDENTIALS_USERNAME=khiuiuiuh
- SINGLE_USER_CREDENTIALS_PASSWORD=e9o6dQhlEDusiq6oKUpzp8ZtW/Bjim6q2U0SxyBO6JA
- NIFI_SENSITIVE_PROPS_KEY=rHkWR1gDNW3R
- NIFI_WEB_PROXY_HOST='localhost:8443,localhost:10000'
- NIFI_WEB_HTTPS_HOST=0.0.0.0
- NIFI_CLUSTER_ADDRESS=0.0.0.0
- NIFI_REMOTE_INPUT_HOST=0.0.0.0
- AUTH=tls
- KEYSTORE_PATH=/opt/certs/keystore.jks
- KEYSTORE_TYPE=JKS
- KEYSTORE_PASSWORD=cjwC2UU/ZBxhlNyjFbK1QCE/bqNxq9WONwCPq8HbyRk
- TRUSTSTORE_PATH=/opt/certs/truststore.jks
- TRUSTSTORE_TYPE=JKS
- TRUSTSTORE_PASSWORD=1ab4TYRgYw7HMY4Dr+7s+7gVDrPBbZPGp4g/t5VhJG4
- NIFI_SECURITY_USER_AUTHORIZER=single-user-authorizer
- NIFI_SECURITY_USER_LOGIN_IDENTITY_PROVIDER=single-user-provider
ports:
- 8443:8443
- "9001-9100:9001-9100"
volumes:
- ./data/nifi/content:/opt/nifi/nifi-current/content_repository:rw
- ./data/nifi/database:/opt/nifi/nifi-current/database_repository:rw
- ./data/nifi/flowfile:/opt/nifi/nifi-current/flowfile_repository:rw
- ./data/nifi/provenance:/opt/nifi/nifi-current/provenance_repository:rw
- ./data/nifi/state:/opt/nifi/nifi-current/state:rw
- ./data/db/driver:/opt/driver
- ./keystore.jks:/opt/certs/keystore.jks
- ./truststore.jks:/opt/certs/truststore.
Update 30/03/2022:
I've been using the new version for few days now and each time I start Nifi, I have the error message : The supplied username and password are not valid.
I have to run docker-compose and start all over.
Also I want to enable anonymous authentication and it's not working even if I set NIFI_SECURITY_ALLOW_ANONYMOUS_AUTHENTICATION to true .
Try adding NIFI_WEB_PROXY_HOST=localhost:8443 in the environment section in docker-compose. Also, you have to check if you can use port 10000 for Nifi.
I try to proxy a dockware container through traefik.
The error is an internal server error (500).
Is it necessary to change the domainname at all? If so, how can I change the domain name?
Docker compose for shopware
version: "3"
services:
shopwaretest:
image: dockware/play:latest
container_name: shopwaretest
restart: always
volumes:
- "db_shopwaretest:/var/lib/mysql"
- "shopwaretest:/var/www/html"
- ./hosts:/etc/hosts
networks:
- proxy
environment:
- XDEBUG_ENABLED=0
- PHP_VERSION=8.0
labels:
- "traefik.enable=true"
- "traefik.http.routers.shopwaretest-http.rule=Host(`example.com`)"
- "traefik.http.routers.shopwaretest-http.entrypoints=http"
- "traefik.http.routers.shopwaretest-http.service=shopwaretest-http-service"
- "traefik.http.services.shopwaretest-http-service.loadbalancer.server.port=80"
- "traefik.http.routers.shopwaretest-https.rule=Host(`example.com`)"
- "traefik.http.routers.shopwaretest-https.entrypoints=https"
- "traefik.http.routers.shopwaretest-https.service=shopwaretest-https-service"
- "traefik.http.services.shopwaretest-https-service.loadbalancer.server.port=80"
- "traefik.http.routers.shopwaretest-https.tls=true"
- "traefik.http.routers.shopwaretest-http.middlewares=redirect#file"
- "traefik.http.routers.shopwaretest-https.tls.certresolver=http"
volumes:
db_shopwaretest:
driver: local
shopwaretest:
driver: local
networks:
proxy:
external: true
If you get an internal server error, please check the server logs.
You can manually change the domain name in the sales_channel_domain table.
The problem might be, that SSL is terminated on traefik and Shopware does not detect this - if this is the problem, you might need to set the TRUESTED_PROXIES variable to the IP of your traefik server/container.
Since upgrading to Portainer v2, the icons would suddenly not load anymore. I can still access Portainer (which is proxied by Traefik), but after a bit of testing, I noticed, only / would be forwarded. If a path was given, Traefik would throw a 404 error. This is a problem because Portainer loads the fonts from eg. /b15db15f746f29ffa02638cb455b8ec0.woff2.
There is one issue about this on Github, but I don't really know what to do with that information: https://github.com/portainer/portainer/issues/3706
My Traefik configuration
version: "2"
# Manage domain access to services
services:
traefik:
container_name: traefik
image: traefik
command:
- --api.dashboard=true
- --certificatesresolvers.le.acme.email=${ACME_EMAIL}
- --certificatesresolvers.le.acme.storage=acme.json
# Enable/Disable staging by commenting/uncommenting the next line
# - --certificatesresolvers.le.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory
- --certificatesresolvers.le.acme.dnschallenge=true
- --certificatesresolvers.le.acme.dnschallenge.provider=cloudflare
- --entrypoints.http.address=:80
- --entrypoints.https.address=:443
- --global.sendAnonymousUsage
- --log.level=INFO
- --providers.docker=true
- --providers.docker.exposedbydefault=false
- --providers.docker.network=traefik_proxy
restart: always
networks:
- traefik_proxy
ports:
- "80:80"
- "443:443"
dns:
- 1.1.1.1
- 1.0.0.1
volumes:
- /var/run/docker.sock:/var/run/docker.sock:ro
- ./acme.json:/acme.json
# - ./acme-staging.json:/acme.json
environment:
CF_API_EMAIL: ${CLOUDFLARE_EMAIL}
CF_API_KEY: ${CLOUDFLARE_API_KEY}
labels:
- traefik.enable=true
- traefik.http.routers.traefik0.entrypoints=http
- traefik.http.routers.traefik0.rule=Host(`${TRAEFIK_URL}`)
- traefik.http.routers.traefik0.middlewares=to_https
- traefik.http.routers.traefik.entrypoints=https
- traefik.http.routers.traefik.rule=Host(`${TRAEFIK_URL}`)
- traefik.http.routers.traefik.middlewares=traefik_auth
- traefik.http.routers.traefik.tls=true
- traefik.http.routers.traefik.tls.certresolver=le
- traefik.http.routers.traefik.service=api#internal
# Declaring the user list
#
# Note: all dollar signs in the hash need to be doubled for escaping.
# To create user:password pair, it's possible to use this command:
# echo $(htpasswd -nb user password) | sed -e s/\\$/\\$\\$/g
- traefik.http.middlewares.traefik_auth.basicauth.users=${TRAEFIK_USERS}
# Standard middleware for other containers to use
- traefik.http.middlewares.to_https.redirectscheme.scheme=https
- traefik.http.middlewares.to_https_perm.redirectscheme.scheme=https
- traefik.http.middlewares.to_https_perm.redirectscheme.permanent=true
networks:
traefik_proxy:
external: true
And my Portainer configuration
version: "2"
# Manage docker containers
services:
portainer:
container_name: portainer
image: portainer/portainer-ce
restart: always
networks:
- traefik_proxy
volumes:
- /var/run/docker.sock:/var/run/docker.sock
- ./data/:/data/
labels:
- traefik.enable=true
- traefik.http.services.portainer.loadbalancer.server.port=9000
- traefik.http.routers.portainer0.entrypoints=http
- traefik.http.routers.portainer0.rule=Host(`${PORTAINER_URL}`)
- traefik.http.routers.portainer0.middlewares=to_https
- traefik.http.routers.portainer.entrypoints=https
- traefik.http.routers.portainer.rule=Host(`${PORTAINER_URL}`)
- traefik.http.routers.portainer.tls=true
- traefik.http.routers.portainer.tls.certresolver=le
networks:
traefik_proxy:
external: true
What do I have to change to make Traefik be able to forward the paths so that Portainer can load the icons?
Could you try flush your DNS Cache?
In Chrome 'chrome://net-internals/#dns' into URL bar and pressed enter.
Then click on 'Clear host cache'
Then refresh your portainer page
I noticed that there is also an Alpine version of Portainer.
After switching to that (image: portainer/portainer-ce:alpine), the icons seem to be working again. I don't know what the issue is with the regular image, but this solves it for now.
PS: I had tried to use the Access-Control header on Traefik, but that didn't help. I guess it's a problem with Portainer's code itself.
If someone else is facing this issue, I resolved this by deleting my Browser Cache or just do a full Refresh with CTRL+Shift+R
I am trying to get Traefik setup in a Docker and am having a heck of a time. Following this guide and using Cloudflare (DNS only to trafeik.mydomain.com), to connect, I am getting "This site can't be reached oauth.mydomain.com's server IP address could not be found".
wget https://traefik.mydomain.com/dashboard
--2020-09-26 19:19:38-- https://traefik.mydomain.com/dashboard
Resolving traefik.mydomain.com (traefik.mydomain.com)... <ip address>
Connecting to traefik.mydomain.com (traefik.mydomain.com)|<ip address>|:443... connected.
HTTP request sent, awaiting response... 307 Temporary Redirect
Location: https://accounts.google.com/o/oauth2/auth?client_id=6597174190-33npvgec044jtcrj4scmfgt561.apps.googleusercontent.com&prompt=select_account&redirect_uri=https%3A%2F%2Foauth.mydomain.com%2F_oauth&response_type=code&scope=https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.profile+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.email&state=fc4c85a1e11f4914247d1e7c95b031%3Agoogle%3Ahttps%3A%2F%2Ftraefik.mydomain.com%2Fdashboard [following]
--2020-09-26 19:19:38-- https://accounts.google.com/o/oauth2/auth?client_id=6597114190-33npkhvge44jtcrj4scmuafgt561.apps.googleusercontent.com&prompt=select_account&redirect_uri=https%3A%2F%2Foauth.mydomain.com%2F_oauth&response_type=code&scope=https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.profile+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.email&state=fc4c85a1e11f4914247d1e7c94a5b031%3Agoogle%3Ahttps%3A%2F%2Ftraefik.mydomain.com%2Fdashboard
Resolving accounts.google.com (accounts.google.com)... 172.217.1.205, 2607:f8b0:400f:805::200d
Connecting to accounts.google.com (accounts.google.com)|172.217.1.205|:443... connected.
HTTP request sent, awaiting response... 302 Moved Temporarily
Location: https://accounts.google.com/AccountChooser?oauth=1&continue=https%3A%2F%2Faccounts.google.com%2Fsignin%2Foauth%2Flegacy%2Fconsent%3Fauthuser%3Dunknown%26part%3DAJi8hAPSHE1cMVuaeTQ61pcXpMEfDhbxN02IAjg5jH0GYWG7yCVc5EC9ug_kuK3j7hUBGCiY_q_SGL-0xSPDtiliIthwpmOTvP_MV5upFvDdYTpTTlraXSxx_7f8vhJteA8UjJoKSqgeUvFWns_BdFn8z73XALchawMrWA1vVl0xJYpUYHUXxD3K0zl4TbcgpVOljSfZM0vkQAHwTm54OjNiw51GTMCJAwiGwh_ANodLXY1n07UrO6-AgJ1pEeRksrlKs-O2W2Az1Fj4QWMej3OJ8HiHfRVlBt8c8zStbROoFMIce9ldHm5FF-l54b3xQcBp4xLi6ABqcrciv_Y0TAFuuwwotfgqrl1_uMHfyX9KJogk_gntcEiG2489OMNwFinOVAPUCg1Z-gn-ps7g_oBl4MB-FzsIiVpfyy_qRD7SMyhvnVe4Bj-%26as%3DS-2012888342%253A160116957872%23 [following]
--2020-09-26 19:19:38-- https://accounts.google.com/AccountChooser?oauth=1&continue=https%3A%2F%2Faccounts.google.com%2Fsignin%2Foauth%2Flegacy%2Fconsent%3Fauthuser%3Dunknown%26part%3DAJi8hAPSk6oHE1cMVRfegIuaeTQ61pcXpMEfD2FXah02IAjg5GYWG7yCVc5EC9ug_kuK3j7hUBGCiY_q_SGL-0xSPDtiliIthwpmOTvP_MV5upFvDdYTpTTSxx_7f8vhJteA8UjJoKSqgeUvFWns_BdFn8z73XALchawMrWA1vVXbAl0xJYpUYHUXzl4TbcgpVOljSfZM0vkQAHwTmhD54OjNiw51GTMCJAwiGwh_ANodLXY1n07UrO6-AgJ1pEeRksrlKs-O2W2Az1Fj4QWMej3OJ8HiHfRVlBt8c8zStbROoFMIce9ldHm5FF-l54b3xQcBpABqcrciv_Y0TAFuuwwotfgqrl1_uMHfyX9KJogk_gntcEiG2489OMNwFAPUCg1Z-gn-ps7g_oBl4MB-FzsIiVpfyy_qRDBteJ7SMyhvnVe4Bj-%26as%3DS-2012888342%253A1601169578900872%23
Reusing existing connection to accounts.google.com:443.
HTTP request sent, awaiting response... 302 Moved Temporarily
Location: https://accounts.google.com/ServiceLogin?continue=https%3A%2F%2Faccounts.google.com%2Fsignin%2Foauth%2Flegacy%2Fconsent%3Fauthuser%3Dunknown%26part%3DAJi8hAPSkE1cMVRIuaeTQ61ppMEfD2FXahbxN02IAjg5jH0GYWG7yCVc5EC9ug_kuK3j7hUBGCiY_q_SGL-0xSPDtiliIthwpmOTvP_MV5upFvDdYTpTTlraXSxx_7f8vhJteA8UjJoKSqgs_BdFn8z73XALchawMrWA1vVXbAl0xJYpUYHUXxD3K0zl4TbcgpVOljSfZM0vkQAHwTmhD54OjNiw51GTMCJAwiGwh_ANodLXY1n07UrO6-AgJ1pEeRksrlKs-O2W2Az1Fj4QWMej3OJ8HiHBt8c8zStbROoFMIce9ldHm5FF-l54b3xQcBp4xLi6ABqcrciv_Y0TAFuuwwotfgqrl1_uMHfyX9KJntcEiG2489OMNwFinOVAPUCg1Z-gn-ps7g_oBl4MB-FzsIiVpfyy_qRDBteJ7SMyhvnVe4Bj-%26as%3DS-2012888342%253A1601178900872%23&sacu=1&oauth=1&rip=1 [following]
--2020-09-26 19:19:39-- https://accounts.google.com/ServiceLogin?continue=https%3A%2F%2Faccounts.google.com%2Fsignin%2Foauth%2Flegacy%2Fconsent%3Fauthuser%3Dunknown%26part%3DAJi8hAPSk6ogIuaeTQ61pcXpMEfD2FXahbxN02IAjg5jH0GYWG7yCVc5EC9ug_kuK3j7hUBGCiY_q_SGL-0xSPDtiliIthwpmOTvP_MV5upFvDdYTpTTlraXSxx_7f8vhJteA8UjJoKSqgeUvFWns_BdFn8z73XALchawMrWA1vVXbAl0xJYpUYHUXxD3K0zl4jSfZM0vkQAHwTmhD54OjNiw51GTMCJAwiGwh_ANodLXY1n07UrO6-AgJ1pEeRksrlKs-O2W2Az1Fj4QWMej3OVlBt8c8zStbROoFMIce9ldHm5FF-l54b3xQcBp4xLi6ABqcrciv_Y0TAFuuwwotfgqrl1_uKJogk_gntcEiG2489OMNwFinOVAPUCg1Z-gn-ps7g_oBl4MB-FzsIiVpfyy_qRDBteJ7SMyhvnVe4Bj-%26as%3DS-2012888342%253A1601169578900872%23&sacu=1&oauth=1&rip=1
Reusing existing connection to accounts.google.com:443.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]
Saving to: ‘dashboard.1’
dashboard.1 [ <=> ] 58.82K --.-KB/s in 0.03s
2020-09-26 19:19:39 (1.64 MB/s) - ‘dashboard.1’ saved [60236]
The Docker log says:
level=debug msg="Remote error http://oauth:4181. StatusCode: 307"
middlewareType=ForwardedAuthType middlewareName=middlewares-oauth#file
This is my docker-compose.yml file:
version: "3.3"
########################### NETWORKS
networks:
t2_proxy:
external:
name: t2_proxy
default:
driver: bridge
########################### SERVICES
services:
# All services / apps go below this line
# Traefik 2 - Reverse Proxy
traefik:
container_name: traefik
image: traefik:chevrotin # the chevrotin tag refers to v2.2.x but introduced a breaking change in 2.2.2
restart: unless-stopped
command: # CLI arguments
- --global.checkNewVersion=true
- --global.sendAnonymousUsage=false
- --entryPoints.http.address=:80
- --entryPoints.https.address=:443
# Allow these IPs to set the X-Forwarded-* headers - Cloudflare IPs: https://www.cloudflare.com/ips/
- --entrypoints.https.forwardedHeaders.trustedIPs=173.245.48.0/20,103.21.244.0/22,103.22.200.0/22,103.31.4.0/22,141.101.64.0/18,108.162.192.0/18,190.93.240.0/20,188.114.96.0/20,197.234.240.0/22,198.41.128.0/17,162.158.0.0/15,104.16.0.0/12,172.64.0.0/13,131.0.72.0/22
- --entryPoints.traefik.address=:8080
- --api=true
# - --api.insecure=true
# - --serversTransport.insecureSkipVerify=true
- --log=true
- --log.level=DEBUG # (Default: error) DEBUG, INFO, WARN, ERROR, FATAL, PANIC
- --accessLog=true
- --accessLog.filePath=/traefik.log
- --accessLog.bufferingSize=100 # Configuring a buffer of 100 lines
- --accessLog.filters.statusCodes=400-499
- --providers.docker=true
- --providers.docker.endpoint=unix:///var/run/docker.sock
- --providers.docker.defaultrule=Host(`{{ index .Labels "com.docker.compose.service" }}.$DOMAINNAME`)
- --providers.docker.exposedByDefault=false
- --providers.docker.network=t2_proxy
- --providers.docker.swarmMode=false
- --providers.file.directory=/rules # Load dynamic configuration from one or more .toml or .yml files in a directory.
# - --providers.file.filename=/path/to/file # Load dynamic configuration from a file.
- --providers.file.watch=true # Only works on top level files in the rules folder
# - --certificatesResolvers.dns-cloudflare.acme.caServer=https://acme-staging-v02.api.letsencrypt.org/directory # LetsEncrypt Staging Server - uncomment when testing
- --certificatesResolvers.dns-cloudflare.acme.email=$CLOUDFLARE_EMAIL
- --certificatesResolvers.dns-cloudflare.acme.storage=/acme.json
- --certificatesResolvers.dns-cloudflare.acme.dnsChallenge.provider=cloudflare
- --certificatesResolvers.dns-cloudflare.acme.dnsChallenge.resolvers=1.1.1.1:53,1.0.0.1:53
# networks:
# t2_proxy:
# ipv4_address: 192.168.90.254 # You can specify a static IP
networks:
- t2_proxy
security_opt:
- no-new-privileges:true
ports:
- target: 80
published: 80
protocol: tcp
mode: host
- target: 443
published: 443
protocol: tcp
mode: host
- target: 8080
published: 8080
protocol: tcp
mode: host
volumes:
- $DOCKERDIR/traefik2/rules:/rules
- /var/run/docker.sock:/var/run/docker.sock:ro
- $DOCKERDIR/traefik2/acme/acme.json:/acme.json # cert location - you must touch this file and change permissions to 600
- $DOCKERDIR/traefik2/traefik.log:/traefik.log # for fail2ban - make sure to touch file before starting container
- $DOCKERDIR/shared:/shared
environment:
- CF_API_EMAIL=$CLOUDFLARE_EMAIL
- CF_API_KEY=$CLOUDFLARE_API_KEY
labels:
- "traefik.enable=true"
# HTTP-to-HTTPS Redirect
- "traefik.http.routers.http-catchall.entrypoints=http"
- "traefik.http.routers.http-catchall.rule=HostRegexp(`{host:.+}`)"
- "traefik.http.routers.http-catchall.middlewares=redirect-to-https"
- "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https"
# HTTP Routers
- "traefik.http.routers.traefik-rtr.entrypoints=https"
- "traefik.http.routers.traefik-rtr.rule=Host(`traefik.$DOMAINNAME`)"
- "traefik.http.routers.traefik-rtr.tls=true"
# - "traefik.http.routers.traefik-rtr.tls.certResolver=dns-cloudflare" # Comment out this line after first run of traefik to force the use of wildcard certs
- "traefik.http.routers.traefik-rtr.tls.domains[0].main=$DOMAINNAME"
- "traefik.http.routers.traefik-rtr.tls.domains[0].sans=*.$DOMAINNAME"
# - "traefik.http.routers.traefik-rtr.tls.domains[1].main=$SECONDDOMAINNAME" # Pulls main cert for second domain
# - "traefik.http.routers.traefik-rtr.tls.domains[1].sans=*.$SECONDDOMAINNAME" # Pulls wildcard cert for second domain
## Services - API
- "traefik.http.routers.traefik-rtr.service=api#internal"
## Middlewares
- "traefik.http.routers.traefik-rtr.middlewares=chain-oauth#file"
# Google OAuth - Single Sign On using OAuth 2.0
oauth:
container_name: oauth
image: thomseddon/traefik-forward-auth:latest
restart: unless-stopped
networks:
- t2_proxy
security_opt:
- no-new-privileges:true
environment:
- CLIENT_ID=$GOOGLE_CLIENT_ID
- CLIENT_SECRET=$GOOGLE_CLIENT_SECRET
- SECRET=$OAUTH_SECRET
- COOKIE_DOMAIN=$DOMAINNAME
- INSECURE_COOKIE=false
- AUTH_HOST=oauth.$DOMAINNAME
- URL_PATH=/_oauth
- WHITELIST=$MY_EMAIL
- LOG_LEVEL=debug
- LOG_FORMAT=text
- LIFETIME=2592000 # 30 days
- DEFAULT_ACTION=auth
- DEFAULT_PROVIDER=google
labels:
- "traefik.enable=true"
## HTTP Routers
- "traefik.http.routers.oauth-rtr.entrypoints=https"
- "traefik.http.routers.oauth-rtr.rule=Host(`oauth.$DOMAINNAME`)"
- "traefik.http.routers.oauth-rtr.tls=true"
## HTTP Services
- "traefik.http.routers.oauth-rtr.service=oauth-svc"
- "traefik.http.services.oauth-svc.loadbalancer.server.port=4181"
## Middlewares
- "traefik.http.routers.oauth-rtr.middlewares=chain-oauth#file"
Finally, the end of my middlewares.toml file looks like this:
[http.middlewares.middlewares-oauth]
[http.middlewares.middlewares-oauth.forwardAuth]
address = "http://oauth:4181" # Make sure you have the OAuth service in docker-compose.yml
trustForwardHeader = true
authResponseHeaders = ["X-Forwarded-User"]
I searched around and checked everything I found already suggested but no luck. Seems like it's gotta be something small though.
In Cloudflare, I changed oauth.mydomain.com from "Proxied" to "DNS Only" and now I am no longer getting redirected.