Can't create any resources in admin behind a HA Proxy #112

Closed
davidb-e4s opened this issue Apr 10, 2019 · 7 comments
Assignees
Labels
support Further information is requested or user requires assistance

Comments

@davidb-e4s

davidb-e4s commented Apr 10, 2019

Can't create any resources in admin behind a HA Proxy

Description

I've put the FA service behind a HA reverse proxy with SSL termination. I can log in to the console and view everything, but as soon as I try to create a tenant/user, anything, it says I don't have permission to do it (even though I'm admin). It works if I access the box directly.

This sort of thing is normally header related; what headers do I need to provide? Note FA is still operating over HTTP behind the proxy.

@robotdan
Member

The symptom you describe sounds like your browser is not session pinned to a particular node. When you place FusionAuth behind a proxy, you'll need to session pin based upon the URL path.

In the Two Servers section of the server layout guide, the session pinning strategy is outlined.
https://fusionauth.io/docs/v1/tech/installation-guide/server-layout

In this scenario FusionAuth should be placed behind a load balancer to utilize both services equally. Session pinning should be utilized to support stateful sessions to FusionAuth. API connections to the FusionAuth App are stateless and do not require session pinning. All URLs beginning with /api/ will be API requests and should not be session pinned.

What type of proxy are you using?

@robotdan robotdan self-assigned this Apr 10, 2019
@robotdan robotdan added the support Further information is requested or user requires assistance label Apr 10, 2019
@davidb-e4s
Author

Hey,

Well I'm only running 1 instance of FA at the moment so it will always go to the same one.

We're using HA Proxy

@robotdan
Member

Ah, ok good to know. Ok, my second guess will be better.

It sounds like you're only seeing this when you submit a form. During POST requests we perform CSRF validation. To ensure you pass this validation, ensure the following:

  • The Origin HTTP header is being set by the proxy, or as a fallback we'll also use the Referer header.
  • The X-Forwarded-Proto header is set to ensure that FusionAuth knows the incoming request was https even though behind the SSL termination it will be http.
  • The X-Forwarded-Host header is set if this changes from a DNS name to a localhost (for example) behind the proxy
  • The X-Forwarded-Port is set using non-standard parts such as 80 or 443.

If all of those are true, FusionAuth should be able to detect the correct URL and compare that to the Origin or Referer header to ensure the request is not malicious.

My guess is that you're missing the X-Forwarded- headers. This guide may be useful.
https://www.digitalocean.com/community/tutorials/how-to-implement-ssl-termination-with-haproxy-on-ubuntu-14-04
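An added illustration of why the missing headers break only the POSTs (example code, not FusionAuth's implementation): it rebuilds the origin the backend believes it is serving from the X-Forwarded-* headers and compares that with the browser's Origin header, falling back to Referer, as the CSRF check described above does. The backend port 9011 and the hostnames are assumed sample values.

```python
from urllib.parse import urlsplit

# Constructed model of an Origin/Referer CSRF check behind a TLS-terminating proxy.
# Header names are given in canonical case here; real servers match them case-insensitively.
DEFAULT_PORTS = {"http": 80, "https": 443}


def _fmt(scheme, host, port):
    # Omit the port when it is the scheme's default so that both sides normalise identically.
    if port == DEFAULT_PORTS.get(scheme):
        return f"{scheme}://{host}"
    return f"{scheme}://{host}:{port}"


def effective_origin(headers, local_scheme="http", local_host="localhost", local_port=9011):
    """Origin the backend thinks the browser used: X-Forwarded-* if present, else its own view.

    Without X-Forwarded-Proto/Host/Port the backend only knows it spoke plain HTTP on its
    local port (9011 is an assumed sample value), which can never match an https Origin.
    """
    scheme = headers.get("X-Forwarded-Proto", local_scheme).split(",")[0].strip().lower()
    host = headers.get("X-Forwarded-Host", headers.get("Host", local_host))
    host = host.split(",")[0].strip().split(":")[0]  # first hop only, without any port suffix
    port = int(headers.get("X-Forwarded-Port", local_port))
    return _fmt(scheme, host, port)


def browser_origin(headers):
    """Origin header, falling back to the Referer's origin; None if neither is present."""
    url = headers.get("Origin") or headers.get("Referer")
    if not url:
        return None
    p = urlsplit(url)
    scheme = p.scheme.lower()
    return _fmt(scheme, p.hostname, p.port or DEFAULT_PORTS.get(scheme))


def csrf_origin_ok(headers):
    """True only when the browser-reported origin equals the backend's effective origin."""
    presented = browser_origin(headers)
    return presented is not None and presented == effective_origin(headers)


if __name__ == "__main__":
    bare = {"Host": "auth.example.com", "Origin": "https://auth.example.com"}
    forwarded = dict(bare, **{"X-Forwarded-Proto": "https", "X-Forwarded-Port": "443"})
    print("no X-Forwarded-* headers:", csrf_origin_ok(bare))      # False
    print("with X-Forwarded-* headers:", csrf_origin_ok(forwarded))  # True
```

The first case reproduces the symptom in this thread: GETs render fine because they are not origin-checked, but every form POST is rejected until the proxy adds the forwarded headers.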

@robotdan
Member

@davidb-e4s were you able to get past this issue by adding these X-Forwarded- headers?

@davidb-e4s
Author

davidb-e4s commented Apr 12, 2019 via email

Hi Dan,

Just an update I've been swamped but hoping to look at this early this week.

Thanks

@robotdan
Member

Thanks for the update @davidb-e4s, let us know if you run into issues. In version 1.6.0 you should see a large warning on the dashboard page if we detect that X-Forwarded- headers are necessary and are missing.
