amir20 / dozzle

Realtime log viewer for docker containers.
https://dozzle.dev/
MIT License
5.61k stars 285 forks

Forward Proxy: Unable to find remote user #3119

Closed Aetherinox closed 1 month ago

Aetherinox commented 1 month ago

🔍 Check for existing issues

How is Dozzle deployed?

Standalone Deployment

📦 Dozzle version

8.0.5

πŸ› Describe the bug / provide steps to reproduce it

Enabling Forward-Proxy results in the following error:

level=errormsg=Unable to find remote user. Please check your proxy configuration. Expecting headers Remote-Email, Remote-User, Remote-Name.


Have set the headers for Authentik:

    environment:
      DOZZLE_AUTH_PROVIDER: forward-proxy
      DOZZLE_AUTH_HEADER_USER: X-authentik-username
      DOZZLE_AUTH_HEADER_EMAIL: X-authentik-email
      DOZZLE_AUTH_HEADER_NAME: X-authentik-name

The odd thing is that when I go to Dozzle, it does re-direct me to Authentik and allow me to sign in, and then goes to Dozzle's dashboard. Don't seem to have an issue with that. And if I kill my authentik cookies, it'll redirect me back to sign in for Dozzle through Authentik as it normally should.

I went to Authentik's docs just to double confirm the header values, and they seem correct.

💻 Environment

Client: Docker Engine - Community
 Version:    27.0.3
 Context:    default
 Debug Mode: false
 Plugins:
  buildx: Docker Buildx (Docker Inc.)
    Version:  v0.15.1
    Path:     /usr/libexec/docker/cli-plugins/docker-buildx
  compose: Docker Compose (Docker Inc.)
    Version:  v2.28.1
    Path:     /usr/libexec/docker/cli-plugins/docker-compose

Server:
 Containers: 29
  Running: 26
  Paused: 0
  Stopped: 3
 Images: 49
 Server Version: 27.0.3
 Storage Driver: overlay2
  Backing Filesystem: extfs
  Supports d_type: true
  Using metacopy: false
  Native Overlay Diff: true
  userxattr: false
 Logging Driver: json-file
 Cgroup Driver: systemd
 Cgroup Version: 2
 Plugins:
  Volume: local
  Network: bridge host ipvlan macvlan null overlay
  Log: awslogs fluentd gcplogs gelf journald json-file local splunk syslog
 Swarm: inactive
 Runtimes: io.containerd.runc.v2 runc
 Default Runtime: runc
 Init Binary: docker-init
 containerd version: ae71819c4f5e67bb4d5ae76a6b735f29cc25774e
 runc version: v1.1.13-0-g58aa920
 init version: de40ad0
 Security Options:
  apparmor
  seccomp
   Profile: builtin
  cgroupns
 Kernel Version: 6.5.0-41-generic
 Operating System: Ubuntu 23.10
 OSType: linux
 Architecture: x86_64
 CPUs: 12
 Total Memory: 31.61GiB
 Name: x.internal.dev
 ID: 2fa042bc-e2d8-13fa-ef1a-5c726a423537
 Docker Root Dir: /var/lib/docker
 Debug Mode: false
 Experimental: false
 Insecure Registries:
  127.0.0.0/8
 Live Restore Enabled: false

📸 If applicable, add screenshots to help explain your bug

No response

📜 If applicable, attach your Dozzle logs. You may need to enable debug mode. See https://dozzle.dev/guide/debugging.

level=infomsg=Dozzle version v8.0.5
level=debugmsg=filterArgs = {map[]}
level=debugmsg=Creating a client with host: ID: 2fa042bc-e2d8-13fa-ef1a-5c726a423537, Endpoint: local
level=debugmsg=connected to local Docker Engine
level=infomsg=Connected to 1 Docker Engine(s)
level=debugmsg=subscribing to docker events from container store ID: 2fa042bc-e2d8-13fa-ef1a-5c726a423537, Endpoint: local
level=infomsg=Accepting connections on :8080
level=debugmsg=finding container with id: 546f1bb11c26
level=debugmsg=finding container with id: 1ab4def5eb59
level=debugmsg=finding container with id: 554fec0f9251
level=debugmsg=finding container with id: af5bf8d3f471
level=errormsg=Unable to find remote user. Please check your proxy configuration. Expecting headers Remote-Email, Remote-User, Remote-Name.
level=debugmsg=Cache miss for []releases.Release

amir20 commented 1 month ago

You missed an important debug that should spit out all the headers at the end. You should see Dumping all headers for url.

Do you see X-authentik-username in those logs?

Unable to find remote user. Please check your proxy configuration. Expecting headers Remote-Email, Remote-User, Remote-Name

That log is hard coded so you'll have to see the headers to further understand what is happening. I won't have time to set up authentik though.

Aetherinox commented 1 month ago

I just checked the logs again, there's definitely no Dumping all headers for url in the logs. I checked using Dozzle, Portainer, and then also manually checked the log files.

Also did a fresh restart on Dozzle, still doesn't show that particular message.

Went through the logs again and no, I don't see X-authentik-username being mentioned. I figured the error message was hard-coded though, because from all examples I can find, the headers have been properly declared as an env var.

Is there another specific setting that must be enabled to get the Dumping all headers error? I'll go back and mess with it more, but 100% don't see that message printed anywhere in the logs. Both before and after some restarts.

Edit: I went back and did a search through your issues for other people with the error, and I do see where they pasted what you're mentioning, but I definitely don't have that message in mine. Another user also mentioned adding the health check, so I ensured mine did have the health check and it does:

    healthcheck:
      test: [ "CMD", "/dozzle", "healthcheck" ]
      interval: 3s
      timeout: 30s
      retries: 5
      start_period: 30s

If I compare what I see in my log for debugs, with things others have posted in this issues section, I don't see about 50% of what they're seeing. No headers being spit out.

My log is very basic. This is what it looks like a brand new fresh restart:

level=debug msg="runtime mem stats" allocated="7.6 MB" routines=112 system="30 MB" totalAllocated="4.9 GB"
level=info msg="shutting down gracefully, press Ctrl+C again to force"
level=debug msg="shutdown complete"
level=warning msg="Unexpected environment variable DOZZLE_CONTAINER_NAME"
level=warning msg="Unexpected environment variable DOZZLE_LOG_LEVEL"
level=warning msg="Unexpected environment variable DOZZLE_SABLIER_GROUP"
level=warning msg="Unexpected environment variable DOZZLE_SABLIER_ENABLED"
level=warning msg="Unexpected environment variable DOZZLE_PORT_MAIN"
level=warning msg="Unexpected environment variable DOZZLE_SABLIER_REFRESH_FREQ"
level=warning msg="Unexpected environment variable DOZZLE_SABLIER_THEME"
level=warning msg="Unexpected environment variable DOZZLE_SABLIER_SHOW_DETAILS"
level=warning msg="Unexpected environment variable DOZZLE_IMAGE"
level=warning msg="Unexpected environment variable DOZZLE_IP"
level=warning msg="Unexpected environment variable DOZZLE_SERVICE_NAME"
level=warning msg="Unexpected environment variable DOZZLE_SABLIER_SESSION_DUR"
level=warning msg="Unexpected environment variable DOZZLE_SUBDOMAIN"
level=warning msg="Unexpected environment variable DOZZLE_SABLIER_TRAEFIK_ENABLED"
level=warning msg="Unexpected environment variable DOZZLE_TRAEFIK_ENABLED"
level=warning msg="Unexpected environment variable DOZZLE_SABLIER_NAME"
level=warning msg="Unexpected environment variable DOZZLE_PROT_MAIN"
level=warning msg="Unexpected environment variable DOZZLE_TAG"
level=info msg="Dozzle version v8.0.5"
level=debug msg="filterArgs = {map[]}"
level=debug msg="Creating a client with host: ID: 2fa042bc-e2d8-13fa-ef1a-5c726a423537, Endpoint: local"
level=debug msg="connected to local Docker Engine"
level=info msg="Connected to 1 Docker Engine(s)"
level=debug msg="subscribing to docker events from container store ID: 2fa042bc-e2d8-13fa-ef1a-5c726a423537, Endpoint: local"
level=info msg="Accepting connections on :8080"
level=error msg="Unable to find remote user. Please check your proxy configuration. Expecting headers Remote-Email, Remote-User, Remote-Name."
level=debug msg="finding container with id: e078efed9d7a"
level=debug msg="finding container with id: 1730bf30e099"
level=debug msg="finding container with id: 54af1bb11c26"
level=debug msg="finding container with id: 4f23fa177489"
level=debug msg="finding container with id: cd3067e78970"
level=debug msg="finding container with id: 87d5a4dee373"
level=debug msg="finding container with id: 8258a685fd43"
level=debug msg="finding container with id: 006ace1d3247"
level=debug msg="finding container with id: 5162aac6bebf"
level=debug msg="finding container with id: 084897e32151"
level=debug msg="finding container with id: 843617e6068e"
level=debug msg="finding container with id: f99e79815ab5"
level=debug msg="finding container with id: bab9bf8c40ae"
level=debug msg="finding container with id: 7ef72bb7836c"
level=debug msg="finding container with id: 7ee4d8c5e059"
level=debug msg="finding container with id: d7e1640459d5"
level=debug msg="finding container with id: 363e791e1a6f"
level=debug msg="finding container with id: 4ff0873a218b"
level=debug msg="finding container with id: 5e0b99098759"
level=debug msg="finding container with id: cc5bf8038e71"
level=debug msg="finding container with id: e80fd367bdaa"
level=debug msg="finding container with id: 92cb923b2ce6"
level=debug msg="finding container with id: c5b4ac318571"
level=debug msg="finding container with id: 8240020f9451"
level=debug msg="finding container with id: 8396d50bfaa9"
level=debug msg="finding container with id: 13fee2179cb0"
level=debug msg="finding container with id: b3dafd2b4e35"
level=debug msg="finding container with id: 5ab912a2a161"
level=debug msg="finding container with id: a1775f105a4d"
level=debug msg="health status for container 084897e32151 is healthy"

That is my log right after a fresh restart. From shutdown to loading. Tried to make the text all fit on the image, so I apologize if this is super small:

Here's the very top of the logs so you don't have to fight with the gif:

amir20 commented 1 month ago

> The odd thing is that when I go to Dozzle, it does re-direct me to Authentik and allow me to sign in, and then goes to Dozzle's dashboard. Don't seem to have an issue with that. And if I kill my authentik cookies, it'll redirect me back to sign in for Dozzle through Authentik as it normally should.

I think I misunderstood something. So it is redirecting you and you do see Dozzle's dashboard after signin. Is that right?

Are you just asking why there is a log level=errormsg=Unable to find remote user. Please check your proxy configuration. Expecting headers Remote-Email, Remote-User, Remote-Name ?

Sorry, if I am not understanding something here. From the logs, I don't see anything broken since the logs are being loaded.

amir20 commented 1 month ago

Although it is weird that the only code that throws that exception is at https://github.com/amir20/dozzle/blob/01afadd410bcb5e0e8e866e622a4afd14e31e009/internal/web/index.go#L72 which would mean it should dump out all the logs.

Something not making sense here 😂

Aetherinox commented 1 month ago

Oh, sorry. Yes, I am just reporting the error, because it doesn't make sense that it's throwing that error, yet from what I can see, it "appears" that Dozzle is working fine. I can sign in to Dozzle with Authentik, use Dozzle, etc.

Was just wondering if this has some unknown side effect I'm just not seeing yet.

> I think I misunderstood something. So it is redirecting you and you do see Dozzle's dashboard after signin. Is that right?

Yes.

> Are you just asking why there is a log level=errormsg=Unable to find remote user. Please check your proxy configuration. Expecting headers Remote-Email, Remote-User, Remote-Name ?

Yes

But now I'm also wondering why my logs look so simple, but other users are getting headers being dumped, and can see much more at startup.

I looked over a few other reported issues, and some of those people have a lot more to their logs than I do.

Of course, if I leave Dozzle run for awhile, I do get other debug logs, but nothing like you pointed out before

level=debugmsg=context done, closing event stream
level=debugmsg=context cancelled
level=debugmsg=runtime mem statsallocated=6.3 MBroutines=104system=26 MBtotalAllocated=1.7 GB
level=debugmsg=resetting timer for container stats collector ID: 2fa042bc-e2d8-13fa-ef1a-5c726a423537, Endpoint: local
level=debugmsg=starting to stream stats for: a1775f105a4d
level=debugmsg=subscribing to docker events from stats collector ID: 2fa042bc-e2d8-13fa-ef1a-5c726a423537, Endpoint: local
level=debugmsg=Cache miss for []releases.Release
level=debugmsg=streaming logs for containerid=1ce9eba0b4cbsince=2024-07-17 06:08:55.878596099 +0000 UTCstdType=all

And these logs are coming directly from Dozzle's interface.

And then what you've pasted in your code confuses me even more, because the line you have been referring to is on the very next line of the error print

log.Error("Unable to find remote user. Please check your proxy configuration. Expecting headers Remote-Email, Remote-User, Remote-Name.")
log.Debugf("Dumping all headers for url /%s", req.URL.String())

So I don't see how I'm missing it.

The only thing I can think of that may be semi weird is that I'm loading all of my env vars using a .env file, and I noticed when I first boot Dozzle up, it throws a list of errors at the top

level=warningmsg=Unexpected environment variable DOZZLE_SERVICE_NAME
level=warningmsg=Unexpected environment variable DOZZLE_CONTAINER_NAME

I assume it's trying to load everything in my .env file:

DOZZLE_CONTAINER_NAME=dozzle
DOZZLE_SERVICE_NAME=dozzle
DOZZLE_IMAGE=amir20/dozzle
DOZZLE_TAG=latest
DOZZLE_PORT_MAIN=8080
DOZZLE_PROT_MAIN=http
DOZZLE_TRAEFIK_ENABLED=true
DOZZLE_ENABLE_ACTIONS=true
DOZZLE_LOG_LEVEL=debug
DOZZLE_AUTH_PROVIDER=forward-proxy
DOZZLE_AUTH_HEADER_USER=X-authentik-username
DOZZLE_AUTH_HEADER_EMAIL=X-authentik-email
DOZZLE_AUTH_HEADER_NAME=X-authentik-name

But I'm really stretching here pointing that out, considering Dozzle is showing the other debugs fine.

Aetherinox commented 1 month ago

Nope. I just made a bunch of edits to my docker-compose. I hard-coded all the needed env vars

    environment:
      - DOZZLE_ENABLE_ACTIONS=true
      - DOZZLE_AUTH_PROVIDER=forward-proxy
      - DOZZLE_AUTH_HEADER_USER=X-authentik-username
      - DOZZLE_AUTH_HEADER_EMAIL=X-authentik-email
      - DOZZLE_AUTH_HEADER_NAME=X-authentik-name
      - DOZZLE_LEVEL=debug

I tried completely removing the healthcheck just for extra testing, all I'm doing is making my logs shorter and shorter.

Once I get fully awake, I'm going to install docker, authentik, and dozzle on a test VM with fresh configs, and see if I get the same result.

amir20 commented 1 month ago

I wasn't able to reproduce this. I tested with nginx using:

events {}
http {
    server {
        listen 9009;

        location / {
            proxy_pass http://localhost:8080;
            proxy_set_header X-authentik-username amir;
            proxy_set_header X-authentik-email amir@example.com;
            proxy_set_header X-authentik-name "Amir Raminfar";
        }
    }
}

With compose:

services:
  dozzle:
    image: amir20/dozzle:latest
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
    ports:
      - 8080:8080
    environment:
      DOZZLE_AUTH_PROVIDER: forward-proxy
      DOZZLE_AUTH_HEADER_USER: X-authentik-username
      DOZZLE_AUTH_HEADER_EMAIL: X-authentik-email
      DOZZLE_AUTH_HEADER_NAME: X-authentik-name
      DOZZLE_LEVEL: debug

I see the logs with no error:

dozzle-1  | time="2024-07-18T15:55:05Z" level=debug msg="Fetching avatar from https://gravatar.com/avatar/6111b1e9fad82ba4a9e3d3e80a644126?d=https%3A%2F%2Fui-avatars.com%2Fapi%2F/Amir+Raminfar/128"
dozzle-1  | time="2024-07-18T15:55:05Z" level=debug msg="resetting timer for container stats collector ID: ivkagb8ir869qgj2ft73t2fbg, Endpoint: local"
dozzle-1  | time="2024-07-18T15:55:05Z" level=debug msg="starting to stream stats for: a395f7e38baa"
dozzle-1  | time="2024-07-18T15:55:05Z" level=debug msg="subscribing to docker events from stats collector ID: ivkagb8ir869qgj2ft73t2fbg, Endpoint: local"
dozzle-1  | time="2024-07-18T15:55:05Z" level=debug msg="starting to stream stats for: f0a366ce21ec"
dozzle-1  | time="2024-07-18T15:55:05Z" level=debug msg="starting to stream stats for: e0776249d72f"
dozzle-1  | time="2024-07-18T15:55:05Z" level=debug msg="Cache miss for []releases.Release"

Then if I hit Dozzle directly:

dozzle-1  | time="2024-07-18T15:57:04Z" level=error msg="Unable to find remote user. Please check your proxy configuration. Expecting headers Remote-Email, Remote-User, Remote-Name."
dozzle-1  | time="2024-07-18T15:57:04Z" level=debug msg="Dumping all headers for url /"
dozzle-1  | time="2024-07-18T15:57:04Z" level=debug msg="User-Agent: [Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36]"
dozzle-1  | time="2024-07-18T15:57:04Z" level=debug msg="Accept: [text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7]"
dozzle-1  | time="2024-07-18T15:57:04Z" level=debug msg="Sec-Fetch-Site: [none]"
dozzle-1  | time="2024-07-18T15:57:04Z" level=debug msg="Accept-Encoding: [gzip, deflate, br, zstd]"
dozzle-1  | time="2024-07-18T15:57:04Z" level=debug msg="Sec-Ch-Ua-Mobile: [?0]"
dozzle-1  | time="2024-07-18T15:57:04Z" level=debug msg="Connection: [keep-alive]"
dozzle-1  | time="2024-07-18T15:57:04Z" level=debug msg="Dnt: [1]"
dozzle-1  | time="2024-07-18T15:57:04Z" level=debug msg="Upgrade-Insecure-Requests: [1]"
dozzle-1  | time="2024-07-18T15:57:04Z" level=debug msg="Sec-Fetch-User: [?1]"
dozzle-1  | time="2024-07-18T15:57:04Z" level=debug msg="Sec-Fetch-Dest: [document]"
dozzle-1  | time="2024-07-18T15:57:04Z" level=debug msg="Sec-Ch-Ua: [\"Not/A)Brand\";v=\"8\", \"Chromium\";v=\"126\"]"
dozzle-1  | time="2024-07-18T15:57:04Z" level=debug msg="Sec-Ch-Ua-Platform: [\"macOS\"]"
dozzle-1  | time="2024-07-18T15:57:04Z" level=debug msg="Sec-Fetch-Mode: [navigate]"
dozzle-1  | time="2024-07-18T15:57:04Z" level=debug msg="Accept-Language: [en-US,en;q=0.9]"
dozzle-1  | time="2024-07-18T15:57:04Z" level=debug msg="Cookie: [_ga=GA1.1.1053226785.1715118569; _ga_X3Z4496XFK=GS1.1.1715181566.2.1.1715181828.0.0.0]"

So maybe you can help reproduce it without setting up Authentik because that's a little too much for me to do.
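
The two cases compared in the comment above (a request forwarded by the proxy versus one that hits Dozzle directly), as an added Go example that is not Dozzle's code. Type and function names are hypothetical and the requests are constructed; the header dump redacts Cookie and Authorization values, which the debug output pasted in this thread prints in full.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"sort"
)

// HeaderNames mirrors the DOZZLE_AUTH_HEADER_* settings; all names here are hypothetical.
type HeaderNames struct{ User, Email, Name string }
type ProxyUser struct{ Username, Email, Name string }

// resolveProxyUser returns the asserted identity and the configured headers that were absent.
func resolveProxyUser(h http.Header, cfg HeaderNames) (u ProxyUser, missing []string) {
	get := func(name string) string {
		v := h.Get(name) // Get canonicalizes the key, so case does not matter
		if v == "" {
			missing = append(missing, name)
		}
		return v
	}
	u = ProxyUser{Username: get(cfg.User), Email: get(cfg.Email), Name: get(cfg.Name)}
	return u, missing
}

// describeHeaders lists received headers for a debug dump, redacting credential-bearing values.
func describeHeaders(h http.Header) []string {
	sensitive := map[string]bool{"Cookie": true, "Authorization": true}
	out := make([]string, 0, len(h))
	for name, vals := range h {
		if sensitive[name] {
			out = append(out, name+": [redacted]")
		} else {
			out = append(out, fmt.Sprintf("%s: %v", name, vals))
		}
	}
	sort.Strings(out)
	return out
}

// newRequest builds a constructed GET / carrying the given headers.
func newRequest(headers map[string]string) *http.Request {
	r := httptest.NewRequest(http.MethodGet, "/", nil)
	for k, v := range headers {
		r.Header.Set(k, v)
	}
	return r
}

func main() {
	cfg := HeaderNames{"X-authentik-username", "X-authentik-email", "X-authentik-name"}
	proxied := newRequest(map[string]string{cfg.User: "amir", cfg.Email: "amir@example.com", cfg.Name: "Amir Raminfar"})
	direct := newRequest(map[string]string{"Cookie": "session=constructed", "Accept-Language": "en-US"})
	for _, r := range []*http.Request{proxied, direct} {
		u, missing := resolveProxyUser(r.Header, cfg)
		fmt.Printf("user=%+v missing=%v dump=%v\n", u, missing, describeHeaders(r.Header))
	}
}
```

A request that reports all three configured names as missing never passed through the proxy's header injection, which matches the direct-hit log above.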

Aetherinox commented 1 month ago

Alright, I'll throw up Nginx.

What specific action triggers the Dumping all headers for url message?

According to the code, all you're doing is just checking for FORWARD_PROXY

} else if h.config.Authorization.Provider == FORWARD_PROXY {

So I should be able to simply set my proxy type to forward-proxy and I should be setting those messages? Or is it also combined with a bad header name that doesn't exist?:

DOZZLE_AUTH_HEADER_USER: something-that-doesnt-exist

amir20 commented 1 month ago

@Aetherinox

> What specific action triggers the Dumping all headers for url message?

Loading the homepage will load index.go file which should print the headers.

> So I should be able to simply set my proxy type to forward-proxy and I should be setting those messages? Or is it also combined with a bad header name that doesn't exist?:

It just prints all headers.

If you can just use something I can reproduce then it would be easier. I am not sure what is happening and why dumping all headers is not working for you.

amir20 commented 1 month ago

Let me know if we should close this because I don't think there is a bug here.

amir20 commented 1 month ago

Not sure what to do with this issue and nothing seems to be broken. So closing.