Login not possible behind reverse proxy

[mkavalecz]

Can you please give an example on how to use this application behind a reverse proxy? I've tried a lot of combinations, and none seem to work, I'm currently using this config:

location / {
        proxy_pass http://127.0.0.1:1624/;

        proxy_http_version 1.1;
        proxy_set_header Host $host:$server_port;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

If I don't use the X-Forwarded-For header, the webfront always logins automatically as CONSOLE, otherwise I can't seem to login. It does reject invalid passwords, and seems to accept valid ones, but the menubar still shows the user as unauthenticated...

Any help would be appreciated.

[INSANEMODE]

Login does work behind a reverse proxy.

I would have to double check my config later to see if anything stands out that you are missing or need to change, but it would probably be a good idea to double check what happens on your browsers console when you attempt to login. That would usually give a good idea of what is going on.

I have seen this issue in the past, but I don't remember the details off the top of my head.

[mkavalecz]

I see the following happen:

• /Action/LoginAsync/?clientId=2&Password=password returns 302 Found, Location: /Account/LoginAsync?clientId=2&password=password
• /Account/LoginAsync?clientId=2&password=password returns 200 OK, and sets a Cookie: .AspNetCore.Cookies

Without proxy, the login works, with proxy, everything seems to happen the same, but I'm still not logged in.

[RaidMax]

It does work, but there is a special rule setup to give root access to local host IP https://github.com/RaidMax/IW4M-Admin/blob/release/pre/SharedLibraryCore/BaseController.cs#L82

This is to make it easy to administrate from the same machine IW4MAdmin is running on. There is also protection against accidentally proxying the console user on localhost which checks the X-Fowarded-For header.

Make sure to use either a different loopback address (eg 127.0.0.2), the internal (NAT) address or WAN address of the machine and you should be able to log in properly.

[mkavalecz]

Thank you! I changed to proxy_pass to my local (non-loopback) ip, and it works perfectly fine!

Sorry for raising an issue about this, but this was very much not clear for me, and I've proxied quite a lot of apps already... I've found the BaseController.cs, actually that's where I found that I need to add the X-Forwarder-For header to stop it from always logging in as the console user, but I still didn't understand the logic behind that code. Now that you've told me this, I do. :)

It might be a good idea to have like 1 line of wiki for this, but at least people who search the issues will now find your comment. :)

[RaidMax]

Closing this as resolved. I have added a note to the webfront bind url in the configuration wiki https://github.com/RaidMax/IW4M-Admin/wiki/Configuration#application

[mjkzy]

Late bump to this issue, but came across this last night. The fix I found was using proxy_bind in your headers. Also, making sure X-Forwarded-For IS DEFINED or people will have root (console) access.

Here's my configuration for nginx that works with IW4MAdmin: