TraefIk Forward Auth Request URI - traefik

I am using Traefik's Foward Auth middleware to authenticate my requests.
The auth server is hosted at http://localhost/auth
The requests that I want to authenticate are from http://rooms.localhost/:roomId
For example, http://rooms.localhost/ed455783-1502-4c9e-a403-28e621d77fb4?token=qwerty is my request URL. Now the URL is forwarded to the auth server for authentication. But at the auth server, I am not able to see the requested URL or header like X-Forwarded-URI.
The headers which I can see are
{
host: 'localhost',
'user-agent': 'PostmanRuntime/7.26.3',
accept: '*/*',
'accept-encoding': 'gzip, deflate, br',
x-forwarded-for': '127.0.0.1',
'x-forwarded-host': 'localhost',
'x-forwarded-port': '80',
'x-forwarded-prefix': '/faa054d5-0fe3-435e-83cb-9b817177d495',
'x-forwarded-proto': 'http',
'x-forwarded-server': 'b35a8676b5a8',
'x-real-ip': '127.0.0.1'
}
So how should I get the requested URI in order to access the token?
Note that passing token in cookies or headers is not an option for me because the WebSocket connections are also needed to be authenticated.
Following are my traefik labels
- traefik.http.middlewares.faa054d5-0fe3-435e-83cb-9b817177d495-auth.forwardauth.address: http://localhost/auth
- traefik.http.middlewares.faa054d5-0fe3-435e-83cb-9b817177d495-stripprefix.stripprefix.prefixes: /faa054d5-0fe3-435e-83cb-9b817177d495
- traefik.http.routers.faa054d5-0fe3-435e-83cb-9b817177d495.middlewares: faa054d5-0fe3-435e-83cb-9b817177d495-stripprefix, faa054d5-0fe3-435e-83cb-9b817177d495-auth
- traefik.http.routers.faa054d5-0fe3-435e-83cb-9b817177d495.rule: Host(`rooms.localhost`) && PathPrefix(`/faa054d5-0fe3-435e-83cb-9b817177d495`)

I was able to solve this problem using
--entryPoints.web.address=:80
--entryPoints.web.forwardedHeaders.insecure

Related

IPFS Http Client Link Access without Token

I’m following the code here(https://infura.io/docs/ipfs#section/Authentication/Using-ipfs-http-client-in-JS 7) and I’m able to add to IPFS without the auth token in the header (my code below). How is this possible?
const client = create({
host: 'ipfs.infura.io',
port: 5001,
protocol: 'https',
});

Two sites same IIS server, RunImpersonation HttpClient passing empty NTLM credential

I have two sites on the same IIS instance. One uses HttpClient to request data from the other. They are both configured with Windows Authentication only. These are both ASPNET Core 3.1.
When I browse to the first site, it authenticates, but when it calls through to the other, it returns a 401. I validated that the user identity is correct.
var baseUri = new Uri(AppSettings.CurrentValue.MyBaseUrl);
var user = (WindowsIdentity)HttpContext.User.Identity;
WindowsIdentity.RunImpersonated(user.AccessToken, () =>
{
AppContext.SetSwitch("System.Net.Http.UseSocketsHttpHandler", false);
var credentialCache = new CredentialCache {{baseUri, "NTLM", CredentialCache.DefaultNetworkCredentials}};
var httpClientHandler = new HttpClientHandler {Credentials = credentialCache};
using HttpClient httpClient = new HttpClient(httpClientHandler) { BaseAddress = baseUri };
var response = httpClient.GetAsync("/home/test").Result;
var content = response.IsSuccessStatusCode
? response.Content.ReadAsStringAsync().Result
: response.StatusCode.ToString();
}
Wireshark shows the call into the first site, /home/test1, and shows the user credentials being passed correctly,
GET /home/test1 HTTP/1.1
HTTP/1.1 401 Unauthorized (text/html)
GET /home/test1 HTTP/1.1 , NTLMSSP_NEGOTIATE
HTTP/1.1 401 Unauthorized , NTLMSSP_CHALLENGE (text/html)
GET /home/test1 HTTP/1.1 , NTLMSSP_AUTH, User: COMPANY\fbloggs
The same trace shows the jump to the second site, /home/test2, and shows null domain and username,
GET /home/test2 HTTP/1.1
HTTP/1.1 401 Unauthorized (text/html)
GET /home/test2 HTTP/1.1 , NTLMSSP_NEGOTIATE
HTTP/1.1 401 Unauthorized , NTLMSSP_CHALLENGE (text/html)
GET /home/test2 HTTP/1.1 , NTLMSSP_AUTH, ** User: \ **
GET /home/test2 HTTP/1.1\r\n
[Expert Info (Chat/Sequence): GET /home/test2 HTTP/1.1\r\n]
[GET /home/test2 HTTP/1.1\r\n]
[Severity level: Chat]
[Group: Sequence]
Request Method: GET
Request URI: /home/test2
Request Version: HTTP/1.1
Connection: Keep-Alive\r\n
Request-Id: |60fb71bd-482efe66c05094ec.1.\r\n
Host: testserver\r\n
Authorization: NTLM TlRMTVNTUAADAAAAAQDADEIAAAAAAAAAcwAAAAAAAABYAAAAAAAAAFgAAAAaABoAWAAzAAAABYqIogoAY0UAAAAPvaq0nk2I7YcqJmq01EbY20IASDTATGSAGVAALQBXAEUAQgAyADEAAA==\r\n
NTLM Secure Service Provider
NTLMSSP identifier: NTLMSSP
NTLM Message Type: NTLMSSP_AUTH (0x00000003)
Lan Manager Response: 00
NTLM Response: Empty
Domain name: NULL
User name: NULL
Host name: TESTSERVER
Session Key: Empty
Negotiate Flags: 0xa2888a05, Negotiate 56, Negotiate 128, Negotiate Version, Negotiate Target Info, Negotiate Extended Security, Negotiate Always Sign, Negotiate Anonymous, Negotiate NTLM key, Request Target, Negotiate UNICODE
Version 10.0 (Build 17763); NTLM Current Revision 15
Major Version: 10
Minor Version: 0
Build Number: 17763
NTLM Current Revision: 15
MIC: bdaab49e4d88ed872a266ab4d446d8db
HTTP/1.1 401 Unauthorized (text/html)

Axios not sending custom header during options request

I have a running Vue.js application that request to the server.
My client-side application is running on e.g. cms.abc.com and the server in ApiGee running on this dns server.abc.com
The request code using axios is
const headers = {
'x-api-key': 'xxxxx123123'
}
return axios({
method: get,
url: 'server.abc.com/items',
headers: headers
}).then(response => {
console.log(respnose.data)
})
When I check the browser network I'm getting status 401 Unauthorized during OPTIONS request.
The APIgee CORS has been enabled, but when I check the logs from the ApiGee the value for x-api-key is missing.
I'm also not sure why my client side application is still sending OPTIONS request. I'm expecting that it should skip the CORS since the client and the server are having the same origin. which is abc.com

Issue with set cookie headers from server and vue component vue-beautiful-chat

I have this issue on a Vue app, based on component vue-beautiful-chat: I make an http.post using http module via browser on localhost: when I check the response headers from the remote server, I see there are no "set-headers" with cookie values, only:
Content-Type application/json;charset=utf-8
If I send a post request via Node, Postman o cURL these are the response headers:
Connection keep-alive
Access-Control-Allow-Origin *
Set-Cookie JSESSIONID=wl6sCW6uT_9bAgoOSj9YtgfJvYGxF6XrNjH22YFm.srv79627; path=/
Server WildFly/10
Content-Type application/json;charset=utf-8
Content-Length 352
Date →Tue, 12 Mar 2019 22:33:25 GMT
In Vue app I receive
In the console developer I see in the tab application->cookies only one cookie saved on localhost.
Is this related to browser limitation? Any workaround?
I need to keep track of the value in set header from remote server for session management.
This is the actual code:
const options = {
hostname: 'XX.XX.XX',
port: 8080,
path: '/myurlsearch_2?searchText='+mess +'&user=&pwd=&ava=XXX',
method: 'POST',
rejectUnauthorized: false,
headers: {
'Cookie': this.$session.exists('JSESSIONID=') ? this.$session.get('JSESSIONID=') :''
// 'Access-Control-Allow-Credentials:true' -> this won't work
}
Thanks in advance

ember-simple-auth oauth2 authorizer issue

I am trying to set up authorization on an Ember App running on a Node.js server.
I am using the oauth2 Authenticator, which is requesting a token from the server. This is working fine. I am able to provide the app with a token, which it saves in the local-storage.
However, when I make subsequent requests, the authorizer is not adding the token to the header, I have initialized the authorizer using the method described in the documentation (http://ember-simple-auth.simplabs.com/ember-simple-auth-oauth2-api-docs.html):
Ember.Application.initializer({
name: 'authentication',
initialize: function(container, application) {
Ember.SimpleAuth.setup(container, application, {
authorizerFactory: 'authorizer:oauth2-bearer'
});
}
});
var App = Ember.Application.create();
And I have added an init method to the Authorizer, to log a message to the server when it is initialized, so I know that it is being loaded. The only thing is, the authorize method of the authorizer is never called.
It feels like I am missing a fundamental concept of the library.
I have a users route which I have protected using the AuthenticatedRouteMixin like so:
App.UsersRoute = Ember.Route.extend(Ember.SimpleAuth.AuthenticatedRouteMixin, {
model: function() {
return this.get('store').find('user');
}
});
Which is fetching the data, fine, and redirects to /login if no token is in the session, but the request headers do not include the token:
GET /users HTTP/1.1
Host: *****
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
Accept: application/json, text/javascript, */*; q=0.01
Origin: *****
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.116 Safari/537.36
Referer: *****
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Any help you could give me would be greatly appreciated.
Is your REST API served on a different origin than the app is loaded from maybe? Ember.SimpleAuth does not authorizer cross origin requests by default (see here: https://github.com/simplabs/ember-simple-auth#cross-origin-authorization)