How do I configure CORS in Caddy security so that I can sign in less frequently? #90
Comments
@rubydotexe, thank you for the question! 👍 Here are some snippets relevant to your CORS configuration:
Please provide output of the following command. Let's see what headers it returns.
It would be very interesting how the
Hello Mr. Greenburg! I appreciate your time very much. This is my Caddyfile now:

```caddyfile
{
	order authenticate before respond
	order authorize before basicauth
	#acme_ca https://acme-staging-v02.api.letsencrypt.org/directory
	security {
		oauth identity provider github {env.GITHUB_CLIENT_ID} {env.GITHUB_CLIENT_SECRET}
		authentication portal myportal {
			enable identity provider github
			ui {
				links {
					"My Website" https://example.com icon "las la-star"
					"My Identity" "/whoami" icon "las la-user"
				}
				password_recovery_enabled no
			}
			transform user {
				match origin local
				action add role authp/user
				ui link "Portal Settings" /settings icon "las la-cog"
			}
			transform user {
				match realm github
				match sub github.com/rubydotexe
				action add role authp/user
			}
		}
		authorization policy users_policy {
			set auth url https://auth.example.com:443/
			allow roles authp/admin authp/user
			acl rule {
				comment allow users
				match role authp/user
				allow stop log info
			}
			acl rule {
				comment default deny
				match any
				deny log warn
			}
		}
		authorization policy admins_policy {
			set auth url https://auth.example.com:443/
			allow roles authp/admin authp/user
			acl rule {
				comment allow users
				match role authp/user
				allow stop log info
			}
			acl rule {
				comment default deny
				match any
				deny log warn
			}
		}
	}
}

(tls_config) {
	tls {
		dns googleclouddns {
			gcp_project {env.GCP_PROJECT}
			gcp_application_default {env.GCP_APPLICATION_DEFAULT}
		}
	}
}

(options) {
	header Access-Control-Allow-Methods "POST, GET, OPTIONS"
	@options {
		method OPTIONS
	}
	respond @options 204
	import cors https://example.com
	import cors https://www.example.com
	import cors https://auth.example.com
	import cors https://dnd.example.com
	import cors https://files.example.com
	import cors https://neko.example.com
	import cors https://5etools.example.com
	import cors https://wiki.example.com
	import cors https://orcpub.example.com
	import cors https://cron.example.com
}

(cors) {
	@origin{args.0} header Origin {args.0}
	header @origin{args.0} Access-Control-Allow-Origin "{args.0}"
	header @origin{args.0} Vary Origin
}

auth.example.com {
	import tls_config
	import options
	authenticate with myportal
	root * /usr/share/caddy
	file_server
}

example.com {
	import tls_config
	import options
	authorize with users_policy
	reverse_proxy flame:5005
}

*.example.com {
	import tls_config
	import options
	@dnd host dnd.example.com
	handle @dnd {
		authorize with users_policy
		reverse_proxy foundry:30000
		encode zstd gzip
	}
	@pub host orcpub.example.com
	handle @pub {
		#authorize with users_policy
		reverse_proxy orcpub:8890
		route /homebrew.orcbrew {
			root /homebrew.orcbrew /srv/orcpub
			file_server
		}
	}
	@cron host cron.example.com
	handle @cron {
		authorize with users_policy
		reverse_proxy crontab-ui:8000
		encode zstd gzip
	}
	@wiki host wiki.example.com
	handle @wiki {
		authorize with users_policy
		reverse_proxy raneto:3000
	}
	@neko host neko.example.com
	handle @neko {
		authorize with users_policy
		reverse_proxy neko:8080 {
			header_up Host {host}
			header_up X-Real-IP {remote_host}
			header_up X-Forwarded-For {remote_host}
		}
	}
	@tools host 5etools.example.com
	handle @tools {
		authorize with users_policy
		reverse_proxy 5etools:80
	}
	@files host files.example.com
	handle @files {
		authorize with users_policy
		reverse_proxy filebrowser:80
	}
	# Fallback for otherwise unhandled domains
	handle {
		abort
	}
}
```
And this is what I got in response to curl -v http://auth.example.com:
And just out of curiosity I curled HTTPS as well:
@rubydotexe, for testing, please do the following:
Then
@greenpau Here you go:
@rubydotexe, do you still get
The console errors are at least slightly different, but I'm still having to log in at short intervals.
@rubydotexe, please use Chrome and collect logs (HAR) from your session. Then, email them to me.
@greenpau I have the exact same problem. I tried playing around with the CORS settings in my Caddyfile but to no avail. I have the HAR archive if you need it, what's your email?
@LeonardMeyer, greenpau|outlook.com
Sent! For context, I have a Caddy container reverse proxying to subdomains pointing to several other containers.
@greenpau Actually trying your last suggestion got me forward. I added the
I'm not fond of using the wildcard so I'll try with more specific headers (which seems not so straightforward), but it seems to work.
@LeonardMeyer, you don't have to use wildcards. They are for testing only. Now, you can set whatever domain you need it to be. See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin
@greenpau Never mind, it looked better because I saw some preflight requests going through but it just took longer to fail. Browser console is saying things like:
So this was the first error and it matches that page. Origin of the preflight request was I tested in another app and what I see is this (I have the HAR if needed):
@greenpau After some tinkering I ended up with the same trick to fool preflight request as @rubydotexe, drawing inspiration from this, in order to avoid the preflight requests and redirect mess. This is my Caddyfile:
It might be bad, I'm pretty new at Caddy. With this I don't have any CORS errors anymore, but at some point it will trigger some random JS errors in the console specific to the app which failed. I can't make sense of the requests I'm seeing when one error occurs. See an example: First request
Second request
Third request
I don't understand why the first request is answered 302? Is this a caddy-security thing? It looks like something expired and I have to authenticate again? Last response body is the login page HTML by the way. Following that some JS is crashing in the console and the page just fails loading the view.
I recommend creating two different routes. One for API endpoints and another one for non-API endpoints.
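One way to lay out the two-route split suggested above, as an added example that is not from this issue or from the caddy-security project: requests under `/api/` get a policy that does not redirect (this assumes caddy-security's `disable auth redirect` policy option, which makes the authorizer answer 401 instead of a 302 to the portal), while browser navigation keeps the redirecting policy. `app.example.com`, `app:8080` and the policy names are placeholders.

```caddyfile
# Added example, not the issue author's or the project's own Caddyfile.
{
	order authenticate before respond
	order authorize before basicauth
	security {
		# Browser navigation: a missing or expired token sends the user to the portal.
		authorization policy web_policy {
			set auth url https://auth.example.com/
			allow roles authp/user
		}
		# XHR/fetch calls: no redirect, so an expired token comes back as 401 and
		# the front-end JS can react to it instead of receiving login-page HTML
		# after a cross-origin 302 (the "first request answered 302" case above).
		authorization policy api_policy {
			set auth url https://auth.example.com/
			allow roles authp/user
			disable auth redirect
		}
	}
}

app.example.com {
	@api path /api/*
	handle @api {
		authorize with api_policy
		reverse_proxy app:8080
	}
	handle {
		authorize with web_policy
		reverse_proxy app:8080
	}
}
```

With this split the page still redirects on a plain reload, while the application's API calls fail with a status the client code can check rather than silently following a redirect to the portal.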
Thanks for your answer @greenpau
@LeonardMeyer, I totally misunderstood the above. You get 302 because authorizer did not find token, or it is expired.
@greenpau Ok actually I just saw #24 and that was why it was expiring so fast. CORS issues are also solved (as in no console errors). There's just one minor thing that is bothering me... With my Caddyfile and what happens with the 3 requests/responses above when the token expires, the redirection to login happens only if I refresh the page. Otherwise the current page just breaks but stays on.
@LeonardMeyer, please elaborate. What is the desired behavior? P.S. you totally hijacked the issue 😄 next time, open a new one and reference the issue that is similar to yours. Just a suggestion.
@greenpau My bad, I did have a CORS issue initially 😅 The desired behavior should be that the redirect actually works as soon as the token is expired. But maybe CORS and preflight requests are messing with said redirect.
@LeonardMeyer , did you have a chance to review this #24 (comment)? i.e. there is a difference between:
@greenpau Yes, as I said in my previous comment. Session lifespan is fine now. |
Hello again!
This is the behavior I'm having trouble with:
Basically, when I am using FoundryVTT the connection to my assets disconnects until I sign in to the Caddy Security portal again. Problem is that this happens frequently. When I refresh the tab, I am sent to the auth portal, I sign in, and the problem is resolved for about less than five minutes, after which the cycle repeats.
I checked the JS console log:
I think it has to do with my Caddy configuration? As you can see, I basically pulled things out of my bum and have no idea what I'm doing. I tried looking up examples for CORS in Caddy and I don't think I'm doing it right. If I'm doing something wrong (and I most certainly am) can someone provide an example of what it should look like?