Trusted IP's broken...? #375

Open
IngwiePhoenix opened this issue May 12, 2024 · 0 comments
Hello there!

I have been trying to make IP whitelisting work, but have not been successful.

Here is the whole deployment:

apiVersion: v1
kind: Namespace
metadata:
  name: traefik-auth
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: auth-cm
  namespace: traefik-auth
data:
  TRUSTED_IP_ADDRESS: 192.168.1.0/24,100.64.0.0/24
  AUTH_HOST: auth.birb.it
  COOKIE_DOMAIN: birb.it
  LOG_LEVEL: debug
  LOG_FORMAT: pretty
---
apiVersion: v1
kind: Secret
metadata:
  name: oidc-creds
  namespace: traefik-auth
type: Opaque
stringData:
  DEFAULT_PROVIDER: oidc
  SECRET: <snip>
  PROVIDERS_OIDC_ISSUER_URL: https://keycloak.birb.it/realms/master
  PROVIDERS_OIDC_CLIENT_ID: <snip>
  PROVIDERS_OIDC_CLIENT_SECRET: <snip>
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: auth-app
  namespace: traefik-auth
  labels:
    app: traefik-forward-auth
spec:
  replicas: 1
  selector:
    matchLabels:
      app: traefik-forward-auth
  strategy:
    type: Recreate
  template:
    metadata:
      labels:
        app: traefik-forward-auth
    spec:
      terminationGracePeriodSeconds: 60
      containers:
        - name: app
          image: thomseddon/traefik-forward-auth:2-arm64
          args:
            - --rule.homelab.action=allow
            - --rule.homelab.rule=ClientIP(`192.168.1.0/24`)
          ports:
            - containerPort: 4181
              protocol: TCP
          envFrom:
            - secretRef:
                name: oidc-creds
            - configMapRef:
                name: auth-cm
---
apiVersion: v1
kind: Service
metadata:
  name: auth-svc
  namespace: traefik-auth
  labels:
    app: traefik-forward-auth
spec:
  type: ClusterIP
  selector:
    app: traefik-forward-auth
  ports:
  - name: auth-http
    port: 4181
    targetPort: 4181
---
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: auth-trm
  namespace: traefik-auth
spec:
  forwardAuth:
    # workaround; traefik's dns ignores search domains...
    address: http://auth-svc.traefik-auth.svc.kube.birb.it:4181
    trustForwardHeader: true
    authResponseHeaders:
      - X-Forwarded-User
---
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
  name: auth-ir
  namespace: traefik-auth
spec:
  entryPoints:
    - websecure
  routes:
    - match: Host(`auth.birb.it`)
      kind: Rule
      services:
        - name: auth-svc
          port: auth-http
          #passHostHeader: true
          #scheme: http

In the logs, I can see the request arriving and even showing the correct IP; and yet, it yeets the request to Keycloak.

time="2024-05-12T17:26:59Z" level=debug msg="Authenticating request" cookies="[]" handler=Auth host=router.birb.it method=GET proto=https rule=default source_ip=192.168.1.4 uri=/
time="2024-05-12T17:26:59Z" level=debug msg="Set CSRF cookie and redirected to provider login url" csrf_cookie="_forward_auth_csrf=c5dd67ee78e3fa4c824dca83a41b3f2c; Path=/; Domain=birb.it; Expires=Mon, 13 May 2024 05:26:59 GMT; HttpOnly; Secure" handler=Auth host=router.birb.it login_url="https://keycloak.birb.it/realms/master/(...snip...)" method=GET proto=https rule=default source_ip=192.168.1.4 uri=/

The "homelab" rule I tried to use gets completely ignored (but is loaded), and the initial config object being printed also does not seem to include the IP whitelist.

{
  "LogLevel": "debug",
  "LogFormat": "pretty",
  "AuthHost": "auth.birb.it",
  "CookieDomains": [
    {
      "Domain": "birb.it",
      "DomainLen": 7,
      "SubDomain": ".birb.it",
      "SubDomainLen": 8
    }
  ],
  "InsecureCookie": false,
  "CookieName": "_forward_auth",
  "CSRFCookieName": "_forward_auth_csrf",
  "DefaultAction": "auth",
  "DefaultProvider": "oidc",
  "Domains": null,
  "LifetimeString": 43200,
  "LogoutRedirect": "",
  "MatchWhitelistOrDomain": false,
  "Path": "/_oauth",
  "Whitelist": null,
  "Providers": {
    "Google": {
      "ClientID": "",
      "Scope": "",
      "Prompt": "select_account",
      "LoginURL": null,
      "TokenURL": null,
      "UserURL": null
    },
    "OIDC": {
      "IssuerURL": "https://keycloak.birb.it/realms/master",
      "ClientID": "/* snip */",
      "Resource": "",
      "Config": { /* snip */
        "RedirectURL": "",
        "Scopes": [
          "openid",
          "profile",
          "email"
        ]
      }
    },
    "GenericOAuth": {
      "AuthURL": "",
      "TokenURL": "",
      "UserURL": "",
      "ClientID": "",
      "Scopes": [
        "profile",
        "email"
      ],
      "TokenStyle": "header",
      "Resource": "",
      "Config": null
    }
  },
  "Rules": {
    "homelab": {
      "Action": "allow",
      "Rule": "ClientIP(`192.168.1.0/24`)",
      "Provider": "oidc"
    }
  },
  "Lifetime": 43200000000000,
  "CookieDomainsLegacy": null,
  "CookieSecureLegacy": "",
  "ClientIdLegacy": "",
  "PromptLegacy": ""
}

Is there anything else I missed?

Thanks and kind regards,
Ingwie
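For anyone debugging the same setup, here is an added example (not code from the traefik-forward-auth project) that reproduces what a trusted-IP allowlist check has to do with the values in this report: parse the comma-separated `TRUSTED_IP_ADDRESS` list into CIDRs and test the logged `source_ip=192.168.1.4` against it. The helper names `parseTrustedNets` and `isTrusted` are hypothetical. Note that the source IP only means something if the entrypoint accepts `X-Forwarded-For` solely from proxies you control; with `trustForwardHeader: true` the allowlist decision is only as trustworthy as the headers that reach the auth service.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// parseTrustedNets turns a TRUSTED_IP_ADDRESS-style list ("a.b.c.d/24,e.f.g.h")
// into CIDR networks. Bare addresses are treated as single-host networks.
func parseTrustedNets(list string) ([]*net.IPNet, error) {
	var nets []*net.IPNet
	for _, item := range strings.Split(list, ",") {
		item = strings.TrimSpace(item)
		if item == "" {
			continue
		}
		if !strings.Contains(item, "/") {
			if strings.Contains(item, ":") {
				item += "/128" // IPv6 host
			} else {
				item += "/32" // IPv4 host
			}
		}
		_, n, err := net.ParseCIDR(item)
		if err != nil {
			return nil, fmt.Errorf("trusted ip %q: %w", item, err)
		}
		nets = append(nets, n)
	}
	return nets, nil
}

// isTrusted reports whether sourceIP falls inside any trusted network.
// An unparseable address is never trusted (fail closed).
func isTrusted(nets []*net.IPNet, sourceIP string) bool {
	ip := net.ParseIP(sourceIP)
	if ip == nil {
		return false
	}
	for _, n := range nets {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}

func main() {
	// Constructed input: the ConfigMap value and the source_ip from the debug log above.
	nets, err := parseTrustedNets("192.168.1.0/24,100.64.0.0/24")
	if err != nil {
		panic(err)
	}
	fmt.Println("192.168.1.4 trusted:", isTrusted(nets, "192.168.1.4")) // true
	fmt.Println("203.0.113.9 trusted:", isTrusted(nets, "203.0.113.9")) // false
}
```

If the dumped config contains no trusted-IP field at all (as in the JSON above, where only `Whitelist: null` appears), the running image does not know the setting, so no matching logic ever sees the list.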
