Unauthorized from legacy to caddy

[fire1]

Hi!

I'm trying to switch from the legacy version to the caddy version with exactly the same JWT. On the legacy version was working on the caddy version only response I get is "Unauthorized " http.handlers.mercure Subscriber unauthorized http.handlers.mercure Topic selectors not matched, not provided or authorization error

Is it possible to be a wrong SSL certificate configuration? When I set TLS line in Caddyfile Mercure won't run with error port:80 is in used (apache2/debian)

Some Caddyfile example configurations will be appreciated, only for comparison. I read the whole documentation for configuration and can't get it to work.

[divine]

Hello,

Unauthorized error is related to incorrect JWT settings.

Can you share your Caddy configuration?

Thanks!

[fire1]

   # Debug mode (disable it in production!)
     {$DEBUG}
    # HTTP/3 support
    servers {
        protocol {
           experimental_http3
        }
    }
}
{$SERVER_NAME:tlanger.mw-medianetworks.eu:3000}
#from env   CERT_FILE='/Users/me/Projects/fullchain.pem' KEY_FILE='/Users/me/Projects/privkey.pem'
tls /etc/apache2/ssl/tomato-app.com.crt /etc/apache2/ssl/tomato-app.com.key
log
route {
    encode zstd gzip
    mercure {
        # Transport to use (default to Bolt)
        transport_url {$MERCURE_TRANSPORT_URL:bolt://mercure.db}
        # Publisher JWT key
        publisher_jwt '*******'
        # Subscriber JWT key
        subscriber_jwt '*******'
        # Extra directives
        {$MERCURE_EXTRA_DIRECTIVES}
    }
    respond /healthz 200
    respond "Not Found" 404
}

JWT token /key copied from working legacy versions also publisher_jwt / subscriber_jwt are the same passwords

[divine]

Hello,

Can you try this config? I think that you're missing encryption type and double quotes might help as well..

# Publisher JWT key
publisher_jwt "*******" "HS512"
# Subscriber JWT key
subscriber_jwt "*******" "HS512"

Thanks!

[fire1]

Tested with "HS256" (for my actual JWT) and as @divine suggested "HS512" as the same result Also tested with renewed JWT token and secret for Symfony5/Mercure

PAYLOAD DATA

{
  "mercure": {
    "publish": [
      "*"
    ]
  }
}

In my local dev server caddy starts fine, but in my production server need to use SERVER_NAME=':3000' ./mercure-caddy run -config Caddyfile in order to start without port conflict. (website runs over HTTPS)

Here some more log:

tls     cleaned up storage units
2021/05/14 03:59:15.574 INFO    http.handlers.mercure   Subscriber unauthorized {"subscriber": {"id": "urn:uuid:dcbc140b-6ad8-479e-8d73-09d078af941f", "last_event_id": "", "remote_addr": "192.168.2.80:60822"}}
2021/05/14 03:59:15.574 ERROR   http.log.access handled request {"request": {"remote_addr": "192.168.2.80:60822", "proto": "HTTP/1.1", "method": "GET", "host": "tlanger.tomato-app.com:3000", "uri": "/.well-known/mercure?topic=%2Ffilesystem%2Faction%2F41", "headers": {"Pragma": ["no-cache"], "Sec-Fetch-Dest": ["empty"], "Accept-Encoding": ["gzip, deflate, br"], "Accept-Language": ["en,bg;q=0.9"], "Sec-Fetch-Site": ["same-origin"], "X-Forwarded-For": ["192.168.2.6"], "X-Forwarded-Host": ["tlanger.tomato-app.com"], "Sec-Ch-Ua": ["\" Not A;Brand\";v=\"99\", \"Chromium\";v=\"90\", \"Microsoft Edge\";v=\"90\""], "Accept": ["text/event-stream"], "Sec-Fetch-Mode": ["cors"], "Referer": ["https://tlanger.tomato-app.com/filesystem/work:41"], "X-Forwarded-Server": ["tlanger.tomato-app.com"], "Connection": ["Keep-Alive"], "Cache-Control": ["no-cache"], "Sec-Ch-Ua-Mobile": ["?0"], "User-Agent": ["Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36 Edg/90.0.818.56"], "Cookie": ["PHPSESSID=mllfc9doebk83uv4kjpjuppvmg"]}}, "common_log": "192.168.2.80 - - [14/May/2021:06:59:15 +0300] \"GET /.well-known/mercure?topic=%2Ffilesystem%2Faction%2F41 HTTP/1.1\" 401 13", "duration": 0.0004423, "size": 13, "status": 401, "resp_headers": {"Server": ["Caddy"], "Access-Control-Allow-Origin": ["https://tomato-app.com"], "Access-Control-Allow-Credentials": ["true"], "X-Frame-Options": ["DENY"], "X-Content-Type-Options": ["nosniff"], "X-Xss-Protection": ["1; mode=block"], "Content-Security-Policy": ["default-src 'self'"], "Content-Type": ["text/plain; charset=utf-8"]}}

[fire1]

Update ...

When adding a parameter anonymous in Caddyfile, Mercure starts but in random cases has an infinite response (like MBs of download response )

Is this normal? @_@

After an hour and response for /hub/.well-known/mercure is infinity ...

[divine]

Hello,

I'm still unsure why are you using ancient apache, just migrate to Caddy, it's just a joy to setup.

Apache might be not able to handle correctly proxying persistent connections.

Thanks!

[fire1]

In my current case, this is impossible, the server needs to support an older version of the application that I'm renewing

[fire1]

Does anyone have an idea how to force disable the use of port 80 from Caddy?

[fire1]

Update ...

When adding a parameter anonymous in Caddyfile, Mercure starts but in random cases has an infinite response (like MBs of download response )

Is this normal? @_@

After an hour and response for /hub/.well-known/mercure is infinity ...

This is caused by Chrome (&Edge) browsers, flooding the socket in order to reconnect.

[fire1]

Problem resolved!

Apache2 / Proxy reverse with Mercure does not work in the long run. When !several! Chrome / Edge browsers are connected to the socket, by clicking on some link (or some page reload) are unable to disconnect from the socket. This may sound silly, I'll try describe it second time.... Page is loaded, OK! Everything is working fine! By clicking on some link or page reload, browser starts loading and stays like this forever. By several clicks on link (or page reload) in random case the page is loaded (reloaded). This "load hang" will be repeatable until Mercure is restarted. (Also this will happen randomly on some of "Chrome browser" clients.)

Problem resolved by moving Mercure-caddy to a new server without Appache2

P.S. @divine was right! Thanks!