Help with Traefik and Authelia #280

Open
Pauld-1 opened this issue Sep 18, 2023 · 4 comments

Pauld-1 commented Sep 18, 2023

Hello,

I'll be grateful for assistance please.

I have Traefik and Authelia up and running. Using a basic WhoAmI service, the user name is provided in the header as "Remote-User: paul" as below (URLs and IP redacted).

IP: 127.0.0.1
IP: 172.18.0.3
RemoteAddr: 172.18.0.4:36928
GET / HTTP/1.1
Host: whoami.redacted.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
Cache-Control: max-age=0
Cdn-Loop: cloudflare
Cf-Connecting-Ip: redacted
Cf-Ipcountry: GB
Cf-Ray: 808913071a7071fe-LHR
Cf-Visitor: {"scheme":"https"}
Cookie: cf_clearance=gxwM7vXDTNfce1t..lFe7T1JWZCsob_dUBhGtdY6mny-1695033460-0-1-621f681.ea0a671b.5120a961-0.2.1695033460; authelia_session=tC4Cbv!Oxt%an7BTiZf$ggHp1YipNsY^
Dnt: 1
Referer: https://login.redacted.com/
Remote-Name: paul
Remote-User: paul
Sec-Ch-Ua: "Chromium";v="116", "Not)A;Brand";v="24", "Google Chrome";v="116"
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: "Windows"
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-site
Sec-Fetch-User: ?1
Upgrade-Insecure-Requests: 1
X-Forwarded-For: 172.70.91.58
X-Forwarded-Host: whoami.redacted.com
X-Forwarded-Port: 443
X-Forwarded-Proto: https
X-Forwarded-Server: a4229f013d36
X-Real-Ip: 172.70.91.58

This is the section from my Home Assistant configuration.yaml

http:
 use_x_forwarded_for: true
 trusted_proxies:
    - 172.0.0.0/8
    - 192.168.1.11/32 # This needs to be set to the IP of your reverse proxy
 auth_header:
    username_header: Remote-User

However, in the debug log below (URLs and IP redacted), Remote-User doesn't appear in the header and, unsurprisingly, "No header set" and "no matching user found" errors then occur.

2023-09-18 11:57:54.386 DEBUG (MainThread) [custom_components.auth_header] Removed original login_flow route (UrlDispatcher) <PlainResource /auth/login_flow>
2023-09-18 11:57:54.386 DEBUG (MainThread) [custom_components.auth_header] Removed original login_flow route (FastUrlDispatcher) <PlainResource /auth/login_flow>
2023-09-18 11:57:54.386 DEBUG (MainThread) [custom_components.auth_header] Add new login_flow route
2023-09-18 11:57:54.387 DEBUG (MainThread) [custom_components.auth_header] Injected auth_header provider
2023-09-18 11:57:54.650 DEBUG (MainThread) [custom_components.auth_header] <CIMultiDictProxy('Host': 'ha.redacted.com', 'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36', 'Content-Length': '135', 'Accept': '*/*', 'Accept-Encoding': 'gzip', 'Accept-Language': 'en-GB,en-US;q=0.9,en;q=0.8', 'Cdn-Loop': 'cloudflare', 'Cf-Connecting-Ip': 'redacted', 'Cf-Ipcountry': 'GB', 'Cf-Ray': '8089121bcd4771fe-LHR', 'Cf-Visitor': '{"scheme":"https"}', 'Content-Type': 'text/plain;charset=UTF-8', 'Cookie': 'cf_clearance=gxwM7vXDTNfce1t..lFe7T1JWZCsob_dUBhGtdY6mny-1695033460-0-1-621f681.ea0a671b.5120a961-0.2.1695033460; authelia_session=tC4Cbv!Oxt%an7BTiZf$ggHp1YipNsY^', 'Dnt': '1', 'Origin': 'https://ha.redacted.com', 'Sec-Ch-Ua': '"Chromium";v="116", "Not)A;Brand";v="24", "Google Chrome";v="116"', 'Sec-Ch-Ua-Mobile': '?0', 'Sec-Ch-Ua-Platform': '"Windows"', 'Sec-Fetch-Dest': 'empty', 'Sec-Fetch-Mode': 'cors', 'Sec-Fetch-Site': 'same-origin', 'X-Forwarded-For': '172.70.91.58', 'X-Forwarded-Host': 'ha.redacted.com', 'X-Forwarded-Port': '443', 'X-Forwarded-Proto': 'https', 'X-Forwarded-Server': 'a4229f013d36', 'X-Real-Ip': '172.70.91.58')>
2023-09-18 11:57:54.650 DEBUG (MainThread) [custom_components.auth_header] Got actual IP 192.168.1.11
2023-09-18 11:57:54.650 INFO (MainThread) [custom_components.auth_header.headers] No header set, returning empty flow
2023-09-18 11:57:54.650 DEBUG (MainThread) [custom_components.auth_header.headers] no matching user found

Thanks in advance

Owner

BeryJu commented Sep 18, 2023

add this to your settings

logger:
    default: info
    logs:
        custom_components.auth_header: debug

with that you'll see a log of all headers

Author

Pauld-1 commented Sep 18, 2023

> add this to your settings
>
> logger:
>     default: info
>     logs:
>         custom_components.auth_header: debug
>
> with that you'll see a log of all headers

Thanks, I have done that and the debug log from Home Assistant is at the end of my first post. Here's the formatted Home Assistant debug header, which may be easier to read:

2023-09-18 11:57:54.650 DEBUG (MainThread) [custom_components.auth_header] <CIMultiDictProxy(
'Host': 'ha.redacted.com', 
'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36', 
'Content-Length': '135', 
'Accept': '*/*', 
'Accept-Encoding': 'gzip', 
'Accept-Language': 'en-GB,en-US;q=0.9,en;q=0.8', 
'Cdn-Loop': 'cloudflare', 
'Cf-Connecting-Ip': 'redacted', 
'Cf-Ipcountry': 'GB', 
'Cf-Ray': '8089121bcd4771fe-LHR', 
'Cf-Visitor': '{"scheme":"https"}', 
'Content-Type': 'text/plain;charset=UTF-8', 
'Cookie': 'cf_clearance=gxwM7vXDTNfce1t..lFe7T1JWZCsob_dUBhGtdY6mny-1695033460-0-1-621f681.ea0a671b.5120a961-0.2.1695033460; authelia_session=tC4Cbv!Oxt%an7BTiZf$ggHp1YipNsY^', 
'Dnt': '1', 
'Origin': 'https://ha.redacted.com', 
'Sec-Ch-Ua': '"Chromium";v="116", "Not)A;Brand";v="24", "Google Chrome";v="116"', 
'Sec-Ch-Ua-Mobile': '?0', 
'Sec-Ch-Ua-Platform': '"Windows"', 
'Sec-Fetch-Dest': 'empty', 
'Sec-Fetch-Mode': 'cors', 
'Sec-Fetch-Site': 'same-origin', 
'X-Forwarded-For': '172.70.91.58', 
'X-Forwarded-Host': 'ha.redacted.com', 
'X-Forwarded-Port': '443', 
'X-Forwarded-Proto': 'https', 
'X-Forwarded-Server': 'a4229f013d36', 
'X-Real-Ip': '172.70.91.58'
)>

"Remote-User: paul" doesn't appear

@aroberts

It looks like Home Assistant is not behind Authelia: the Remote-User headers are not being added. Did you perhaps forget to add your Authelia middleware to your Home Assistant configuration in Traefik?

@DennisGaida

Same problem, but I figured it out @Pauld-1.

When you are not logged into Authelia, the headers are not forwarded (kind of obvious). Unfortunately hass-auth-header doesn't forward (or is this traefik?) to the authentication backend (i.e. Authelia) to log in and just responds with an error.

After manually logging in to Authelia, I get the Remote-User header in hass-auth-header and I am logged in to HA. I'm not sure why you get different results for the WhoAmI image and HA - I can repro the same behavior with WhoAmI: No Remote-User header when not logged in (and no forward to the authentication backend) - after logging in to Authelia in the same browser session I get the authentication headers.

Note: I tried both the one_factor policy and the two_factor policy in Authelia for the authentication headers to work. Both work, but the process is always to first manually login.
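Added example, not part of the thread and not code from hass-auth-header: a small checker for the `custom_components.auth_header` debug line shown in the issue. It separates the two explanations offered in the replies (middleware not attached versus not logged in at the proxy) and flags `trusted_proxies` entries that reach outside private address space. The function names and the sample line are constructed for illustration, and it assumes the username header is only honoured from peers listed in `trusted_proxies`.

```python
import ipaddress
import re

# RFC 1918 private ranges; a trusted_proxies entry not contained in one of
# these also lets public addresses assert the username header.
PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Matches 'Name': 'value' pairs inside the CIMultiDictProxy(...) repr in the debug log.
PAIR = re.compile(r"'([A-Za-z0-9-]+)': (['\"])(.*?)\2(?:, |\)>)")

def parse_headers(log_line):
    """Return {lower-cased header name: value} from one auth_header debug line."""
    return {name.lower(): value for name, _quote, value in PAIR.findall(log_line)}

def diagnose(log_line, peer_ip, trusted_proxies, username_header="Remote-User"):
    """List reasons header auth would fail, or be unsafe, for this request."""
    headers = parse_headers(log_line)
    peer = ipaddress.ip_address(peer_ip)
    nets = [ipaddress.ip_network(n) for n in trusted_proxies]
    findings = []
    if not any(peer in net for net in nets):
        findings.append(f"peer {peer} is not in trusted_proxies")
    for net in nets:
        if not any(net.subnet_of(private) for private in PRIVATE_NETS):
            findings.append(f"{net} is not contained in RFC 1918 private space")
    if username_header.lower() not in headers:
        if "authelia_session=" in headers.get("cookie", ""):
            findings.append(f"{username_header} missing although a session cookie was "
                            "sent: check the forward-auth middleware on this router")
        else:
            findings.append(f"{username_header} missing and no session cookie: "
                            "not logged in at the proxy")
    return findings

# Constructed sample in the shape of the issue's debug line; cookie value is a placeholder.
SAMPLE = ("2023-09-18 11:57:54.650 DEBUG (MainThread) [custom_components.auth_header] "
          "<CIMultiDictProxy('Host': 'ha.example.com', "
          "'Cookie': 'authelia_session=PLACEHOLDER', "
          "'Sec-Ch-Ua': '\"Chromium\";v=\"116\", \"Not)A;Brand\";v=\"24\"', "
          "'X-Forwarded-For': '172.70.91.58', 'X-Real-Ip': '172.70.91.58')>")

if __name__ == "__main__":
    for finding in diagnose(SAMPLE, "192.168.1.11", ["172.0.0.0/8", "192.168.1.11/32"]):
        print("-", finding)
```

A session cookie in the request only shows that the browser sent one, not that Authelia accepted it, so the middleware finding is a pointer for where to look rather than a verdict.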
