Closed calmcacil closed 4 years ago
If you have the custom error pages configured correctly that is the default behavior after you click the "OK" button on the 401 error page.
error_page 401 https://domain.com/?error=$status&return=$scheme://$server_name$request_uri; error_page 400 402 403 404 405 408 502 503 504 https://domain.com/?error=$status; error_page 500 https://domain.com/?error=401&return=$scheme://$server_name$request_uri;
Custom errors are working fine, and such on the organizr container, but when trying to access any of the other containers using organizr as a forward auth, it just shows the standard google chrome 401 error.
For reference I'm testing using the example from the docs. https://docs.organizr.app/books/setup-features/page/serverauth
Looks like you need to set up error pages too: https://docs.traefik.io/configuration/commons/#custom-error-pages
I tried that already, no success. also if you access the api trough the link manually when not logged in it does not show the 401 error page so it seems 401 error pages are not working, 404 and the likes work as expected but 401 from the api shows the generic browser 401.
Did some further testing, and i got it to the point where it tries to show the login/custom error page, but instead shows a large blank white page with ` An Error Occured Close Error
Navigation `
If i were to guess, its trying to display proxy the error and login page, rather than redirecting to it.
Paste your config files
Hello, I'm quite interested to do that as well, but I really don't know how to do it with traefik. I don't have custom error pages either, I tried different things but as calmcacil it just shows the standard error.
By the way I'm using Traefik 2, so from what I read, we're supposed to use these labels now :
- "traefik.http.middlewares.test.errors.status=400-599"
- "traefik.http.middlewares.test.errors.service=organizr"
- "traefik.http.middlewares.test.errors.query=/{status}.html"
I found this which looks like you can set this in the traefik config itself. Maybe try setting it there? Since it's all subdomains the error pages need to know what the main domain/subdomain is to go to for the error pages since /?error={status}
isn't going to exist on anything but Organizr so the middleware probably isn't the right place to do it thinking further on it. https://www.reddit.com/r/Traefik/comments/89q2ln/traefik_custom_error_page_with_docker_swarm/
I tried in the TOML but it doesn't change anything. For traefik 2, the only way to get custom error pages is trough middlewares, cause that's the way it works now (I think so) but you can put the middleware in the toml or in the docker compose. What I tried is to put the middleware in organizr's labels and call this middleware from each service, but it doesn't work either.
Did some further testing, and i got it to the point where it tries to show the login/custom error page, but instead shows a large blank white page with ` An Error Occured Close Error
Navigation `
If i were to guess, its trying to display proxy the error and login page, rather than redirecting to it.
Same error here, this is the response:
Traefik is catching 401 correctly when accessing the pathprefix for the service:
... time="2019-09-23T20:06:52Z" level=error msg="Caught HTTP Status Code 401, returning error page" time="2019-09-23T20:06:52Z" level=error msg="Caught HTTP Status Code 401, returning error page" time="2019-09-23T20:06:52Z" level=error msg="Caught HTTP Status Code 401, returning error page" time="2019-09-23T20:06:52Z" level=error msg="Caught HTTP Status Code 401, returning error page" time="2019-09-23T20:06:53Z" level=error msg="Caught HTTP Status Code 401, returning error page"
Configuration: labels:
+1 for this. I can currently get the same as calmcacil. I can also get organizr to try and load, but I just get a spinning organizr loader.
By using an external address as my forwardauth, vs http://organizr, I can get it to catch the page and serve it but it won't fully load and therefore also won't redirect.
Rules.toml
[http.middlewares] [http.middlewares.errorpage] [http.middlewares.errorpage.errors] status = ["401","500-599"] service = "organizr@docker" query = "/?error={status}&redirect=https://mydomain.com" [http.middlewares.auth] [http.middlewares.auth.forwardAuth] address = "https://mydomain.com/api/?v1/auth&group=1" trustForwardHeader = true authResponseHeaders = ["X-Forwarded-User", "X-Auth-User", "X-Secret", "cookie"] [http.middlewares.secure-headers] [http.middlewares.secure-headers.headers] customFrameOptionsValue = "allow-from media.mydomain.com" contentSecurityPolicy = "upgrade-insecure-requests, frame-ancestors media.mydomain.com" referrerPolicy = "strict-origin-when-cross-origin" SSLRedirect = true STSSeconds = 315360000 browserXSSFilter = true contentTypeNosniff = true forceSTSHeader = true SSLHost = "media.mydomain.com" STSIncludeSubdomains = true STSPreload = true frameDeny = false [http.middlewares.secured] [http.middlewares.secured.chain] middlewares = ["auth", "errorpage", "secure-headers"]
Part of Compose-Stack.yml
organizr: hostname: organizr image: organizrtools/organizr-v2:latest volumes:
media.${DOMAINNAME}
)"radarr: image: linuxserver/radarr:latest hostname: radarr volumes:
media.${DOMAINNAME}
) && PathPrefix(/radarr
)"Any news on this ?
There may be a misunderstanding of how Traefik ForwardAuth works and why a code change to Organizr is required to enable the desired behavior. This can't be done just messing around with error pages. It can be done with error pages, just not very well.
https://docs.traefik.io/v2.0/middlewares/forwardauth/
If the service response code is 2XX, access is granted and the original request is performed. Otherwise, the response from the authentication server is returned.
If Organizr would add a Location header along with the 401 that redirects to the main/landing page, everything would work as expected. I tested this concept in the auth()
function of organizr-function.php
and it works. The example below isn't the right way to do it, just a proof of concept.
Replace:
!$debug ? exit(http_response_code(401)) : die("$userInfo Not Authorized");
With:
http_response_code(401);
header('Location: https://your.server/organizr/');
exit();
Edit: upon further reflection this could be done with Traefik errorpage redirects, but you would also have to modify Organizr's index page to use absolute URLs to load resources. It's far easier to modify the auth function to redirect.
Outside the scope of Organizr but, as a workaround, here's a PHP error page I whipped up that can be used while I think up a better way.
<?php
/**
* Errorpage handler for Traefik that redirects 401/403. Example Traefik labels:
*
* - "traefik.http.routers.<organizr router>.middlewares=<errorpage middleware name>"
* - "traefik.http.middlewares.<errorpage middleware name>.errors.status=400-401, 403-404, 500-503"
* - "traefik.http.middlewares.<errorpage middleware name>.errors.service=<traefik errorpage service>"
* - "traefik.http.middlewares.<errorpage middleware name>.errors.query=/?{status}"
*
* Redirects are being done with Javascript as location headers aren't making it through to the client.
*/
if (preg_match('/^\d{3}$/', $_SERVER['QUERY_STRING'])) { // only accept 3-digit numbers in the query
switch ($_SERVER['QUERY_STRING']) {
case "400":
$error_number = $_SERVER['QUERY_STRING'];
$error_title = "Bad Request";
$error_text = "The server cannot process the request.";
break;
case "401":
if ($_SERVER['HTTP_X_FORWARDED_PROTO'] && $_SERVER['HTTP_X_FORWARDED_HOST']) {
$redirect_url = $_SERVER['HTTP_X_FORWARDED_PROTO'] . '://' . $_SERVER['HTTP_X_FORWARDED_HOST'];
exit('<script type="text/javascript">window.location = "' . $redirect_url . '";</script>');
} else {
$error_number = $_SERVER['QUERY_STRING'];
$error_title = "Unauthorized";
$error_text = "Authorization is required.";
}
break;
case "403":
if ($_SERVER['HTTP_X_FORWARDED_PROTO'] && $_SERVER['HTTP_X_FORWARDED_HOST']) {
$redirect_url = $_SERVER['HTTP_X_FORWARDED_PROTO'] . '://' . $_SERVER['HTTP_X_FORWARDED_HOST'];
exit('<script type="text/javascript">window.location = "' . $redirect_url . '";</script>');
} else {
$error_number = $_SERVER['QUERY_STRING'];
$error_title = "Forbidden";
$error_text = "Access is forbidden.";
}
break;
case "404":
$error_number = $_SERVER['QUERY_STRING'];
$error_title = "Not Found";
$error_text = "The requested resource could not be found.";
break;
case "500":
$error_number = $_SERVER['QUERY_STRING'];
$error_title = "Internal Server Error";
$error_text = "An unexpected condition was encountered.";
break;
case "501":
$error_number = $_SERVER['QUERY_STRING'];
$error_title = "Not Implemented";
$error_text = "THe server did not recognize the request method.";
break;
case "502":
$error_number = $_SERVER['QUERY_STRING'];
$error_title = "Bad Gateway";
$error_text = "Received an invalid response from the upstream server.";
break;
case "503":
$error_number = $_SERVER['QUERY_STRING'];
$error_title = "Service Unavailable";
$error_text = "The server is currently unavailable.";
break;
default:
$error_number = "?";
$error_title = "Unknown Error";
$error_text = "There was an error, but we don't know how to describe it.";
}
} else {
exit(); // exit silently if invalid or missing HTTP status code.
}
?>
<!DOCTYPE html>
<html lang="en">
<head>
<!-- Modified from Simple HttpErrorPages | MIT License | https://github.com/AndiDittrich/HttpErrorPages -->
<meta charset="utf-8" /><meta http-equiv="X-UA-Compatible" content="IE=edge" /><meta name="viewport" content="width=device-width, initial-scale=1" />
<title>Error <?=$error_number?> - <?=$error_title?></title>
<style type="text/css">/*! normalize.css v5.0.0 | MIT License | github.com/necolas/normalize.css */html{font-family:sans-serif;line-height:1.15;-ms-text-size-adjust:100%;-webkit-text-size-adjust:100%}body{margin:0}article,aside,footer,header,nav,section{display:block}h1{font-size:2em;margin:.67em 0}figcaption,figure,main{display:block}figure{margin:1em 40px}hr{box-sizing:content-box;height:0;overflow:visible}pre{font-family:monospace,monospace;font-size:1em}a{background-color:transparent;-webkit-text-decoration-skip:objects}a:active,a:hover{outline-width:0}abbr[title]{border-bottom:none;text-decoration:underline;text-decoration:underline dotted}b,strong{font-weight:inherit}b,strong{font-weight:bolder}code,kbd,samp{font-family:monospace,monospace;font-size:1em}dfn{font-style:italic}mark{background-color:#ff0;color:#000}small{font-size:80%}sub,sup{font-size:75%;line-height:0;position:relative;vertical-align:baseline}sub{bottom:-.25em}sup{top:-.5em}audio,video{display:inline-block}audio:not([controls]){display:none;height:0}img{border-style:none}svg:not(:root){overflow:hidden}button,input,optgroup,select,textarea{font-family:sans-serif;font-size:100%;line-height:1.15;margin:0}button,input{overflow:visible}button,select{text-transform:none}[type=reset],[type=submit],button,html [type=button]{-webkit-appearance:button}[type=button]::-moz-focus-inner,[type=reset]::-moz-focus-inner,[type=submit]::-moz-focus-inner,button::-moz-focus-inner{border-style:none;padding:0}[type=button]:-moz-focusring,[type=reset]:-moz-focusring,[type=submit]:-moz-focusring,button:-moz-focusring{outline:1px dotted ButtonText}fieldset{border:1px solid silver;margin:0 2px;padding:.35em .625em .75em}legend{box-sizing:border-box;color:inherit;display:table;max-width:100%;padding:0;white-space:normal}progress{display:inline-block;vertical-align:baseline}textarea{overflow:auto}[type=checkbox],[type=radio]{box-sizing:border-box;padding:0}[type=number]::-webkit-inner-spin-button,[type=number]::-webkit-outer-spin-button{height:auto}[type=search]{-webkit-appearance:textfield;outline-offset:-2px}[type=search]::-webkit-search-cancel-button,[type=search]::-webkit-search-decoration{-webkit-appearance:none}::-webkit-file-upload-button{-webkit-appearance:button;font:inherit}details,menu{display:block}summary{display:list-item}canvas{display:inline-block}template{display:none}[hidden]{display:none}/*! Simple HttpErrorPages | MIT X11 License | https://github.com/AndiDittrich/HttpErrorPages */body,html{width:100%;height:100%;background-color:#21232a}body{color:#fff;text-align:center;text-shadow:0 2px 4px rgba(0,0,0,.5);padding:0;min-height:100%;-webkit-box-shadow:inset 0 0 100px rgba(0,0,0,.8);box-shadow:inset 0 0 100px rgba(0,0,0,.8);display:table;font-family:"Open Sans",Arial,sans-serif}h1{font-family:inherit;font-weight:500;line-height:1.1;color:inherit;font-size:36px}h1 small{font-size:68%;font-weight:400;line-height:1;color:#777}a{text-decoration:none;color:#fff;font-size:inherit;border-bottom:dotted 1px #707070}.lead{color:silver;font-size:21px;line-height:1.4}.cover{display:table-cell;vertical-align:middle;padding:0 20px}footer{position:fixed;width:100%;height:40px;left:0;bottom:0;color:#a0a0a0;font-size:14px}</style>
</head>
<body>
<div class="cover"><h1><?=$error_title?> <small>Error <?=$error_number?></small></h1><p class="lead"><?=$error_text?></p></div>
<footer><p> </p></footer>
</body>
</html>
PR #1314
Hello @ddimick Thanks for your work ! Your first solution is working (since the url is hard-coded) but unfortunately, your PR is not working for me, I didn't try much but I guess it has something to do with the $redirect_header (as my organizr domain name is just : https://mydomain.com or https://organizr.mydomain.com and not https://mydomain/organizr/).
Is your Traefik instance configured to use a FQDN/externally accessible domain/URL for your forwardauth.address
?
Another option might be to add a user-configurable field for the redirect target within Settings, but I was hoping to keep it simple.
I can cook something up for you guys.
Sent from my iPhone
On Feb 22, 2020, at 6:19 PM, Doug Dimick notifications@github.com wrote:
Is your Traefik instance configured to use a FQDN/externally accessible domain/URL for your forwardauth.address?
Another option might be to add a user-configurable field for the redirect target within Settings, but I was hoping to keep it simple.
— You are receiving this because you commented. Reply to this email directly, view it on GitHub, or unsubscribe.
Is your Traefik instance configured to use a FQDN/externally accessible domain/URL for your
forwardauth.address
?Another option might be to add a user-configurable field for the redirect target within Settings, but I was hoping to keep it simple.
Yes it is ! I wanted to see what was the value of my $redirect_header to see if there was an issue but I'm not really into PHP aha.
I can cook something up for you guys.
Thanks !
@ddimick @h-wb does traefik always set this header as traefix 100% of the time? HTTP_X_FORWARDED_SERVER
No, I made an error in that assumption. It sets it to the hostname of the system Traefik is running under.
Okay I will add a toggle in settings
If any of you are running the dev branch, you can enable the toggle to test that.
Working great for me!
awesome! lets see if we can get the go ahead from @h-wb
Working great for me too ! Thanks !
Awesome! I'll push this to master at the end of the week!
I don't know if I'm doing something wrong, but mine just works if I use my hardcoded domain. If I use my docker on forwardauth, it just redirects me to http://organizr/
Is it right or am I doing anything wrong?
Is your Traefik instance configured to use a FQDN/externally accessible domain/URL for your
forwardauth.address
?
Judging by this comment it has to the domain
Please, can someone paste here docker-compose file are you using? I am trying to configure this but cannot make expose /api working, so authentication doesn't work using external domain.
This might not be the best example but hopefully it helps at little.
networks:
traefik:
traefik-socket:
internal: true
services:
traefik:
container_name: traefik
hostname: traefik
image: localhost:5000/local/traefik
restart: always
environment:
- TZ
- TRAEFIK_ENTRYPOINTS_HTTP_ADDRESS=:8080
- TRAEFIK_PROVIDERS_DOCKER_ENDPOINT=tcp://traefik-socket:2375
- TRAEFIK_PROVIDERS_DOCKER_EXPOSEDBYDEFAULT=false
- TRAEFIK_PROVIDERS_DOCKER_NETWORK=${COMPOSE_PROJECT_NAME}_traefik
- TRAEFIK_PROVIDERS_DOCKER_DEFAULTRULE=(Host(`www.${SUBDOMAIN}.${DOMAIN}`) || Host(`${SUBDOMAIN}.${DOMAIN}`)) && PathPrefix(`/{{ trimSuffix "-docker-stack" .Name }}`)
- TRAEFIK_API=true
- TRAEFIK_PING=true
- TRAEFIK_PING_ENTRYPOINT=http
- TRAEFIK_PING_MANUALROUTING=true
labels:
- "traefik.enable=true"
- "traefik.http.routers.api.rule=(Host(`www.${SUBDOMAIN}.${DOMAIN}`) || Host(`${SUBDOMAIN}.${DOMAIN}`)) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`))"
- "traefik.http.routers.api.service=api@internal"
- "traefik.http.routers.api.middlewares=clean-root, auth"
- "traefik.http.routers.ping.rule=PathPrefix(`/ping`)"
- "traefik.http.routers.ping.service=ping@internal"
- "traefik.http.routers.ping.middlewares=ipwhitelist-ping"
- "traefik.http.middlewares.clean-root.redirectregex.regex=^http(?:s)?://${SUBDOMAIN}\\.${DOMAIN}/(.*)"
- "traefik.http.middlewares.clean-root.redirectregex.replacement=https://www.${SUBDOMAIN}.${DOMAIN}/$${1}"
- "traefik.http.middlewares.auth.forwardauth.address=https://www.${SUBDOMAIN}.${DOMAIN}/organizr/api/?v1/auth&group=1"
- "traefik.http.middlewares.ipwhitelist.ipwhitelist.sourcerange=x.x.x.x/xx"
- "traefik.http.middlewares.ipwhitelist.ipwhitelist.ipstrategy.excludedips=x.x.x.x"
- "traefik.http.middlewares.ipwhitelist-ping.ipwhitelist.sourcerange=x.x.x.x/xx, x.x.x.x/xx"
ports:
- 80:8080/tcp
networks:
- default
- traefik
- traefik-socket
depends_on:
- traefik-socket
- traefik-errorpages
traefik-socket:
container_name: traefik-socket
hostname: traefik-socket
image: tecnativa/docker-socket-proxy
restart: always
environment:
- CONTAINERS=1
networks:
- traefik-socket
volumes:
- /var/run/docker.sock:/var/run/docker.sock:ro
traefik-errorpages:
container_name: traefik-errorpages
hostname: traefik-errorpages
image: linuxserver/nginx
restart: always
environment:
- TZ
- PUID=${USER_UID}
- PGID=${USER_GID}
labels:
- "traefik.enable=true"
- "traefik.http.routers.traefik-errorpages.middlewares=errorpages"
- "traefik.http.middlewares.errorpages.errors.status=400-401, 403-404, 500-503, 520-521"
- "traefik.http.middlewares.errorpages.errors.service=traefik-errorpages-${COMPOSE_PROJECT_NAME}"
- "traefik.http.middlewares.errorpages.errors.query=/?{status}"
- "com.centurylinklabs.watchtower.enable=true"
networks:
- traefik
volumes:
- ${PROJECT_PATH}/traefik/volumes/errorpages:/config/www
organizr:
container_name: organizr
hostname: www.${SUBDOMAIN}.${DOMAIN}
image: organizrtools/organizr-v2
restart: always
environment:
- TZ
- PUID=${USER_UID}
- PGID=${USER_GID}
labels:
- "traefik.enable=true"
- "traefik.http.routers.organizr.rule=(Host(`www.${SUBDOMAIN}.${DOMAIN}`) || Host(`${SUBDOMAIN}.${DOMAIN}`)) && (PathPrefix(`/`) || PathPrefix(`/organizr`))"
- "traefik.http.routers.organizr.middlewares=organizr-redirect-root, organizr-stripprefix, errorpages"
- "traefik.http.routers.organizr.priority=1"
- "traefik.http.middlewares.organizr-redirect-root.redirectregex.regex=^http(?:s)?://(?:www\\.)?${SUBDOMAIN}\\.${DOMAIN}/$$"
- "traefik.http.middlewares.organizr-redirect-root.redirectregex.replacement=https://www.${SUBDOMAIN}.${DOMAIN}/organizr/"
- "traefik.http.middlewares.organizr-stripprefix.stripprefix.prefixes=/organizr"
- "com.centurylinklabs.watchtower.enable=true"
networks:
- traefik
volumes:
- ${PROJECT_PATH}/organizr/volumes:/config
Thank you very much for the example, but It seems you aren't using organizr authentication.
I am, I just neglected to include an example of service using it. Apologies. The auth
middleware being used here refers to where I defined it under the traefik service.
version: "3.7"
services:
nzbget:
container_name: nzbget
hostname: nzbget
image: linuxserver/nzbget
restart: always
environment:
- TZ
- PUID=${USER_UID}
- PGID=${USER_GID}
labels:
- "traefik.enable=true"
- "traefik.http.routers.nzbget.middlewares=clean-root, auth"
- "com.centurylinklabs.watchtower.enable=true"
networks:
- traefik
volumes:
- ${PROJECT_PATH}/nzbget/volumes:/config
- /mnt/system0/downloads/nzbs:/downloads
@ddimick Thanks for your compose!! - going to use it to help get myself off Traefik v1 to v2, improve the security on watchtower et. al with docker-socket-proxy, and get Organizr auth going for (ideally) subdomain https.
Question though, could you also share a clean version of your Traefik v2 toml/yaml config?
I don't use a toml/yaml file to config Traefik. Everything is set using environment variables in the compose file.
I am, I just neglected to include an example of service using it. Apologies. The
auth
middleware being used here refers to where I defined it under the traefik service.version: "3.7" services: nzbget: container_name: nzbget hostname: nzbget image: linuxserver/nzbget restart: always environment: - TZ - PUID=${USER_UID} - PGID=${USER_GID} labels: - "traefik.enable=true" - "traefik.http.routers.nzbget.middlewares=clean-root, auth" - "com.centurylinklabs.watchtower.enable=true" networks: - traefik volumes: - ${PROJECT_PATH}/nzbget/volumes:/config - /mnt/system0/downloads/nzbs:/downloads
Thank you very much! I am trying to understand your case to adapt it to me. Let's suppose the domain mydomain.com.
In www.mydomain.com or www.mydomain.com/organizr you have organizr accesible right? And the redirect makes all requests go to www.mydomain.com/organizr/ including api/ authentication?
Yes, correct. www.mydomain.com/
redirects to www.mydomain.com/organizr
. The organizr authentication mechanism is exposed at www.mydomain.com/organizr/api/
.
Other services are served up like www.mydomain.com/otherservice/
, like www.mydomain.com/nzbget/
.
Setting Traefik priority 1 for organizr is crucial if you're using it this way.
OMG, it's working! Thank you very much! :)
What about clean-root? What does it do?
clean-root
just redirects http://mydomain.com/whatever
or https://mydomain.com/whatever
to https://www.mydomain.com/whatever
Ok, got it ! Thank you!
Yes, correct.
www.mydomain.com/
redirects towww.mydomain.com/organizr
. The organizr authentication mechanism is exposed atwww.mydomain.com/organizr/api/
.Other services are served up like
www.mydomain.com/otherservice/
, likewww.mydomain.com/nzbget/
.Setting Traefik priority 1 for organizr is crucial if you're using it this way.
But when you go to www.mydomain.com/nzbget/
it redirects you to www.mydomain.com/organizr/
in order to make your login and join the organizr? Or just use it as Auth system, once you put or login/password it redirects you again to www.mydomain.com/nzbget/
?
What I'm trying to do is use it just as a Auth layer... if someone goes to subdomain, redirects to main domain to authenticate, after auth -> redirects again to subdomain, instead of join on Organizr main page.
But when you go to www.mydomain.com/nzbget/ it redirects you to www.mydomain.com/organizr/ in order to make your login and join the organizr?
Yup. I agree that it would be nice if you could auth and then redirect to the originally requested URL. Maybe there is a clever way of using Traefik to do something like set a header with the original URL and then use it to redirect again after auth or something along those likes, but I haven't investigated it.
@causefx any ideia that could help us?
We do that with Nginx - if 401 it sends to Organizr 401 error page to login - once logged in it forwards you back to the requested page. No clue how to setup error pages on Traefik...
https://docs.organizr.app/books/setup-features/page/custom-error-pages
We make use of the return=$request_uri
on the url... hopefully you can do the same.
Traefik does not appear to be able to pass the request URI in their custom error page implementation.
Try opening an issue on GH and asking them to add it - they are really cool.
Looks like there is an issue opened for it already at https://github.com/containous/traefik/issues/3420.
I have been having a lot of issues getting Traefik v2 working with Organizr Forward Auth. Even with the above examples I haven't been able to pinpoint my exact issue.
I use the following middleware:
[HTTP.Middlewares.org-coadmin.ForwardAuth]
Address = "https://organizr.mydomain.com/api/?v1/auth&group=1"
I have also tried this with the following additions:
TrustForwardHeader = true
AuthResponseHeaders = ["X-WebAuth-User"]
[HTTP.Middlewares.org-coadmin.ForwardAuth.TLS]
InsecureSkipVerify = true
And a container using the middleware:
traefik.http.routers.droppy-ext.entryPoints: "https"
traefik.http.routers.droppy-ext.tls: "true"
traefik.http.routers.droppy-ext.rule: "Host(`droppy.mydomain.com`)"
traefik.http.routers.droppy-ext.service: "droppy"
traefik.http.routers.droppy-ext.middlewares: "org-admin@file, 401@file"
When I am not logged in to orgnizr and go to droppy.mydomain.com I get a "cannot resolve" because it tries to go to https://organizr/ When I am logged in to Organizr, it sends me to droppy without an issue.
I have enable the traefik option in orgnizr, but suspect it has nothing to do with the issue I'm facing. In the past I used traefik error pages to forward to a simple html page which automatically redirected to the organizr login page, not pretty but worked. I thought this was still happening and an issue with the error middelware, but if I change the error middelware to a completly different container, I still get the "cannot resolve" issue for https://organizr/ so it seems the ForwardAuth is already breaking.
Could someone who has this working help me out and maybe check out my toml files together?
I've the same issue.
https://github.com/causefx/Organizr/issues/1240#issuecomment-600076171
Read the reply right below this my answer.
Organizr Version: V2 Official Docker
Branch: Master
WebServer: nginx
Operating System: Debian10/docker
Problem Description:
Its not as much a problem as it is a request for tweaks. Currently if you try to access any of your containers behind treafik forward auth using organizr as the api (as per the documentation) you will be meet with a 401 error if you are not logged in, which is fine but I was wondering if we could have a way to redirect it in case of a 401 error to the login page instead of just showing a flat error. This is the behavior using traefik-forward-auth would have, and it would be nice to have for organizr as a server auth provider as well. Potentially by simply being able to add ?loginredirect=loginurl at the end of the case of a 401 error for said page.
Reproduction Steps:
Access any traefik enabled container with organizr api as the auth provider without being logged in.