Reverse Proxy authentication trust doesn't work as expected #344
Comments
Sorry for responding so late, this slipped my attention. I haven't looked into proxy authentication that much, to be honest. Are there things in TimeTagger that we can do to resolve these issues? PRs welcome :) Also cc @Rynoxx @mtn-mathi @foorschtbar
My first instinct would be to remove the X-Forwarded-For code from timetagger, trust the functionality in uvicorn and configure it automatically and/or document how to. Though I'm not sure why it was added in the first place if uvicorn was always used, or in which use cases it was tested, so we can make sure not to break these.
For me, the current solution works at the moment.
@foorschtbar Could you please describe the setup you’re using, the flags and env vars, and which headers are passed by your reverse proxy? |
@cfstras This config works for me in kubernetes behind Authentik as the proxy-auth provider. But this might also be because authentik is using a custom header (X-authentik-username) for it and not a X-Forwarded-* header?
Ah, that explains it. Just checked the uvicorn code: https://github.com/encode/uvicorn/blob/87387273945624452c1f0e797bcf2a539b0c9211/uvicorn/middleware/proxy_headers.py#L28 The behavior there seems to only happen when the reverse proxy uses 127.0.0.1. It's not clear to me why setting it to * doesn't trigger the bug for you though… Maybe the config is not getting through for some reason? IMO we either should disable that default in uvicorn, or just pass the TIMETAGGER_PROXY_AUTH_TRUSTED to the uvicorn middleware config instead of manual handling?
I use Authelia (no setup needed for Timetagger) and Traefik: Traefik:
Timetagger:
Hm, @foorschtbar I'd guess that in your case the traefik requests are coming to timetagger from 172.x.x.x, so you're not triggering this bug.
I've come across two issues when looking at reverse proxy authentication:
This is mostly only an issue when f.ex. testing with localhost. As a workaround, one can use the LAN IP to access the proxy instead.
More importantly:
X-Forwarded-For header. Combined with the functionality in timetagger, this will mangle/break the list of forwarded IPs for incoming requests, potentially even trusting fake headers sent by a client! To fix this, one has to
export FORWARDED_ALLOW_IPS=""
to disable the uvicorn parsing. See uvicorn docs.
For reference, I'm passing
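The double-parsing hazard described in the issue body above, and in the comment pointing at uvicorn's proxy_headers middleware, is shown below as an added example. This is a constructed model written for this page, not uvicorn's or TimeTagger's code: the function names, the three "front" strategies, the trusted list and the sample addresses are all assumptions. It models a front layer that rewrites the client address from X-Forwarded-For before the application runs its own trusted-proxy check on the rewritten value, and contrasts that with the single-layer case and with the front layer disabled (what FORWARDED_ALLOW_IPS="" is meant to achieve). Check the actual uvicorn behaviour against the linked source before relying on any of this.

```python
from __future__ import annotations

from ipaddress import ip_address, ip_network

# Constructed sample values (not taken from the issue). The reverse proxy sits
# on loopback, so the app's trusted-proxy list contains only 127.0.0.1.
TRUSTED_PROXIES = ["127.0.0.1"]
HONEST_CLIENT = "203.0.113.5"
ATTACKER = "198.51.100.7"


def parse_xff(header: str) -> list[str]:
    """Split an X-Forwarded-For value into its comma-separated hops."""
    return [hop.strip() for hop in header.split(",") if hop.strip()]


def is_trusted(ip: str, trusted: list[str]) -> bool:
    """True if ip is one of the trusted proxies (plain addresses or CIDR blocks)."""
    addr = ip_address(ip)
    return any(addr in ip_network(block, strict=False) for block in trusted)


def resolve_client(peer_ip: str, xff: str, trusted: list[str]) -> str:
    """Consume XFF safely: honour the header only when the TCP peer is a trusted
    proxy, then walk the chain right-to-left past every trusted hop. The first
    untrusted hop is the closest address a client could not have forged."""
    if not is_trusted(peer_ip, trusted):
        return peer_ip
    for hop in reversed(parse_xff(xff)):
        if not is_trusted(hop, trusted):
            return hop
    return peer_ip


def app_trusts_proxy_auth(client_seen_by_app: str, trusted: list[str]) -> bool:
    """Hypothetical application-level check in the spirit of
    TIMETAGGER_PROXY_AUTH_TRUSTED: proxy-supplied auth headers are honoured only
    if the request appears to come from a trusted proxy."""
    return is_trusted(client_seen_by_app, trusted)


def single_layer(peer_ip: str, xff: str, trusted: list[str]) -> tuple[bool, str]:
    """Only the app parses XFF; the trust decision uses the real TCP peer."""
    return app_trusts_proxy_auth(peer_ip, trusted), resolve_client(peer_ip, xff, trusted)


def double_layer(peer_ip: str, xff: str, trusted: list[str], front: str) -> tuple[bool, str]:
    """A front layer (a server's proxy-headers middleware) rewrites the client
    address first; the app then runs its trust check on the rewritten value.

    front="rightmost_untrusted": the front layer resolves XFF correctly.
    front="leftmost":            the front layer trusts every peer and takes the
                                 first, client-controlled hop (models an
                                 "allow everything" setting; an assumption).
    front="disabled":            the front layer leaves the peer address alone.
    """
    if front == "rightmost_untrusted":
        seen = resolve_client(peer_ip, xff, trusted)
    elif front == "leftmost":
        hops = parse_xff(xff)
        seen = hops[0] if hops else peer_ip
    elif front == "disabled":
        seen = peer_ip
    else:
        raise ValueError(f"unknown front strategy: {front}")
    return app_trusts_proxy_auth(seen, trusted), seen


if __name__ == "__main__":
    # 1. Honest request via the proxy, which appends the client's IP to XFF.
    print(single_layer("127.0.0.1", HONEST_CLIENT, TRUSTED_PROXIES))
    # 2. Same request, but the front layer rewrote the client first: the app
    #    now sees 203.0.113.5 instead of 127.0.0.1 and refuses proxy auth.
    print(double_layer("127.0.0.1", HONEST_CLIENT, TRUSTED_PROXIES, "rightmost_untrusted"))
    # 3. Attacker reaches the app port directly with a forged XFF of 127.0.0.1:
    #    a leftmost-taking front layer makes the app believe the proxy sent it.
    print(double_layer(ATTACKER, "127.0.0.1", TRUSTED_PROXIES, "leftmost"))
    # 4. Front layer disabled: the decision is back on the real TCP peer.
    print(double_layer(ATTACKER, "127.0.0.1", TRUSTED_PROXIES, "disabled"))
```

Case 2 is the "doesn't work as expected" symptom: nothing is spoofed, yet proxy auth is silently refused because the app compares an already-rewritten address against its trusted list. Case 3 is the worse outcome the issue warns about: a client-controlled header ends up standing in for the peer address, so a forged auth header is honoured. Either one layer should consume X-Forwarded-For, or the app must make its trust decision on the real TCP peer before any rewriting.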