freman / caddy-reauth

Auth your Caddyserver requests against another server
MIT License

Not functioning as expected with Organizr #10

Closed tehniemer closed 6 years ago

tehniemer commented 6 years ago

I'm sure that I just have something setup wrong, but can't figure out what that may be. I am using this to allow access to subdirectories through organizr but it seems to just be opening another instance of organizr instead of proxying to the correct subdirectory. If I disable the path for the subdirectory it loads as expected.

Everything is running in Docker.

This is what I'm experiencing organizr

Here's my Caddyfile:

####################################################################################
# Snippets
####################################################################################

####### Snippet 1 #######

(mycommon) {
  ext .html .htm .php
  root /srv           # Change path syntax for your OS or your preferred location!
  gzip

  header / {
    X-Content-Type-Options nosniff
    X-XSS-Protection "1; mode=block"
    Strict-Transport-Security "max-age=31536000;"
  }
}

####### Snippet 2 #######

(mylocations) {

  # This code allows your browser/server to look at Organizr and verify whether the currently logged-in user's status is
  # admin, user, or neither. This is based on the assigned group in Organizr's "Manage users" tab.
  # Admin allows users to see Admin, User, and Guest pages.
  # User allows a user to see User and Guest pages.
  # Guest pages should not be assigned to either of these options.
  # Each page should only be present in ONE of the blocks if auth is required.

    proxy /auth-admin https://domain.com/organizr/auth.php?admin
    proxy /auth-user https://domain.com/organizr/auth.php?user

   # this is where the protection happens. there is one call for users and one for admins

  reauth {
    path /sonarr
    path /radarr
    path /lidarr
    path /mylar
    path /lazy
    path /nzbget
    path /hydra2
    path /pihole

    # if someone is not authorized for a page, send them here instead of allowing them through to the intended page

    failure redirect target=https://domain.com/organizr/

    # The above listed directories will be protected from anyone not listed in Organizr as an Admin

    upstream url=https://domain.com/organizr/auth-admin,cookies=true  
    }

    # This bracket does the same as the above annotated bracket but the minimum required group is User

  reauth {
    path /tautulli

    failure redirect target=https://domain.com/organizr/

    upstream url=https://domain.com/organizr/auth-user,cookies=true
    }

  proxy /organizr 172.10.0.12:80 {          #https://organizr.us/
    without /organizr
    transparent
    }

  proxy /radarr 172.10.0.4:7878 {            # https://radarr.video/
    transparent
    }

  proxy /sonarr 172.10.0.5:8989 {          # https://sonarr.tv/
    transparent
    }

  proxy /lidarr 172.10.0.6:8686 {           # https://github.com/lidarr/Lidarr
    transparent
    }

  proxy /mylar 172.10.0.8:8090 {        # https://github.com/evilhero/mylar
    without /mylar
    transparent
    }

  proxy /lazy 172.10.0.7:5299 {            # https://github.com/DobyTang/LazyLibrarian
    transparent
    }

  proxy /nzbget 172.10.0.3:6789 {          # http://nzbget.net/
    without /nzbget
    transparent
    }

  proxy /hydra2 172.10.0.2:5076 {        # https://github.com/theotherp/nzbhydra2
    transparent
    }

  #rewrite /ombi /ombi/

  proxy /ombi 172.10.0.10:3579 {            # https://github.com/tidusjar/Ombi
    transparent
    }

  proxy /tautulli 172.10.0.14:8181 {          # http://tautulli.com/ PARTIALLY WORKING
    without /tautulli
    transparent
    }

  proxy /pihole 172.10.0.11:80 {        # https://pi-hole.net/
    without /pihole
    transparent
    header_downstream X-Frame-Options "SAMEORIGIN"
    }

  proxy /portainer 172.10.0.20:9000 {            # https://portainer.io/
    without /portainer
    transparent
    }   

  # The code below will proxy PHP requests

  fastcgi / 127.0.0.1:9000 php # php variant only

}

####################################################################################
# web domain server block
####################################################################################

domain.com {

  tls some@email.com

  log /srv/logs/access.log {
    rotate_size 1          # Rotate after 1 MB
    rotate_age  7          # Keep log files for 7 days
    rotate_keep 2          # Keep at most 2 log files
    }

  errors /srv/logs/errors.log {
    rotate_size 1          # Rotate after 1 MB
    rotate_age  7          # Keep log files for 7 days
    rotate_keep 2          # Keep at most 2 log files
    }   

  on startup php-fpm7 # php variant only

  redir 301 {
    if {path} is /              # Only redirect if the request is for the webroot
    / https://domain.com/organizr/   # Replace with wherever you like
  }

  import mycommon          # Import code snippet 1 defined above
  import mylocations       # Import code snippet 2 defined above    

}

####################################################################################
# localhost or Machine server block
####################################################################################

http://localhost http://192.168.29.1 {

  import mycommon          # Import code snippet 1 defined above
  import mylocations       # Import code snippet 2 defined above

}

####################################################################################
# subdomains
####################################################################################

plex.domain.com {

  tls some@email.com

  gzip
  timeouts none

  # Separate log file for Plex server

  log /srv/logs/plexaccess.log {
    rotate_size 1          # Rotate after 1 MB
    rotate_age  7          # Keep log files for 7 days
    rotate_keep 2          # Keep at most 2 log files
  }

  errors /srv/logs/plexerror.log {
    rotate_size 1          # Set max size 1 MB
    rotate_age  7          # Keep log files for 7 days
    rotate_keep 2          # Keep at most 2 log files
  }

  proxy / 192.168.29.10:32400 {
    transparent
    }

}

qnap.domain.com {

  tls some@email.com

  gzip

  proxy / 192.168.29.2:8080 {
    transparent
    }

}

freman commented 6 years ago

At a glance

Is https://domain.com/auth-admin or https://domain.com/auth-user returning something other than 200 ok if the cookie is valid?

is it even valid to proxy to a url with query params?

proxy /auth-admin https://domain.com/auth.php?admin
proxy /auth-user https://domain.com/auth.php?user

I've never honestly tried.

tehniemer commented 6 years ago

To tell you the truth, I have no experience with web stuff at all, so I have no idea how to answer your questions. I followed these instructions: https://github.com/causefx/Organizr/wiki/Caddy-Installation

tehniemer commented 6 years ago

Both https://domain.com/auth-admin and https://domain.com/auth-user return the 404 not found nginx page.

freman commented 6 years ago

I think you might have to use upstream to https://domain.com/auth.php?admin and https://domain.com/auth.php?user

I don't think you can proxy to a query url, which is probably why you're getting 404 and definitely why you're getting recursive site load

tehniemer commented 6 years ago

Hmmm, I'm trying to do the same thing as in issue #1, and I took what you and @goofballtech came up with pretty much verbatim, other than changing the domain.

goofballtech commented 6 years ago

I wonder if the without /organizr is messing with the auth path? All that does for a user is make your page show up as domain.com instead of domain.com/organizr in the URL bar of the browser, if I remember correctly. Try to pull that and see if it changes anything.

it might be doing a funky loop thing trying to redirect without the proper path in there.

I have since moved over to CloudFlare for SSL proxy and just have nginx running on a rasPi with F2B for all my local reverse proxies. When i made that wiki entry though that caddyfile worked as it is.

tehniemer commented 6 years ago

without /organizr removes /organizr from proxies that don't use a base URL, so if I excluded it, it would proxy to 172.10.0.12:80/organizr, which Organizr doesn't recognize. The URL still shows as domain.com/organizr

Did you do anything additional to set up cookies? I have no web experience, so I don't know if I'm missing something there.

goofballtech commented 6 years ago

I was setting up in Windows and did exactly what was in the procedure. No one else knew anything about Caddy, so I figured it was worth recording.

A bit later I ended up moving to CF for SSL, and then my home IP wasn't as obvious, so I went with that.

I think most of the organizr folks (people in the discord channel) are running nginx\LE docker so help with caddy users is really slim pickings.

It only made sense for me to use caddy because SSL on windows is a pain since there is no native LE functionality.

Sorry I can't be of more assistance. I did all this when learning as well and only had it running for about 3 months before moving to nginx on a rasPi and just pointing it to Org on the Windows box.


tehniemer commented 6 years ago

No worries, thanks for the info. I'll probably just switch over to Nginx since it seems to be better supported; it's a shame, since everything else is working as expected.

tehniemer commented 6 years ago

Here's a snippet of my Caddy log when I try to access something behind reauth

172.10.0.1 - - [24/Apr/2018:22:36:47 +0000] "GET /organizr/auth-admin HTTP/2.0" 404 132
172.10.0.1 - - [24/Apr/2018:22:36:47 +0000] "GET /radarr HTTP/2.0" 302 78
172.10.0.1 - - [24/Apr/2018:22:36:48 +0000] "GET /organizr/ HTTP/2.0" 200 13787
172.10.0.1 - - [24/Apr/2018:22:37:03 +0000] "GET /organizr/homepage.php HTTP/2.0" 200 14040
172.10.0.1 - - [24/Apr/2018:22:37:03 +0000] "GET /organizr/ajax.php?a=nzbget-update&list=listgroups HTTP/2.0" 200 84
172.10.0.1 - - [24/Apr/2018:22:37:04 +0000] "GET /organizr/ajax.php?a=get-calendar HTTP/2.0" 200 707
172.10.0.1 - - [24/Apr/2018:22:37:04 +0000] "GET /organizr/ajax.php?a=nzbget-update&list=listgroups HTTP/2.0" 200 84
172.10.0.1 - - [24/Apr/2018:22:37:04 +0000] "GET /organizr/ajax.php?a=nzbget-update&list=history HTTP/2.0" 200 2995

freman commented 6 years ago

I'd love to support you more but I've never seen organizr before and don't have access to any running instances to do any diagnostics.

172.10.0.1 - - [24/Apr/2018:22:36:47 +0000] "GET /organizr/auth-admin HTTP/2.0" 404 132 this is where you are falling over

I really don't think proxy /auth-admin https://domain.com/organizr/auth.php?admin works, and if it does I'm surprised (I haven't actually had time to sit down and look at it, sorry)

If it's not too much fiddling I'll try installing organizr on a vm over the weekend and take a look (it's just going to be prioritised somewhere between installing a new router, and replacing a bolt in my car).

goofballtech commented 6 years ago

Maybe try to do a relative path instead of the absolute path with all the http://domain portion and see what changes. I know it worked at one time, but maybe being in Docker causes whatever was allowing it to work for me to struggle. Lots of things in one OS don't like others; this might be one of those things.


tehniemer commented 6 years ago

Sorry for the ignorant question, but when you say relative path do you mean

172.10.0.12:80/auth.php?admin or /srv/foo/bar/auth.php?admin or something else?

goofballtech commented 6 years ago

Look back at my first post and see how the syntax is there. I wasn't using an IP or URL, just a straight path relative to the local webroot.

On Thu, Apr 26, 2018, 6:14 AM tehniemer notifications@github.com wrote:

Relative path didn't work, this is the error I got

Activating privacy features... done., 2018/04/26 11:09:20 unable to parse url 172.10.0.12:80/auth-admin: parse 172.10.0.12:80/auth-admin: first path segment in URL cannot contain colon for upstream (/etc/Caddyfile:55), exit status 1,

Could it be something with Organizr not having a base URL and having to strip off the /organizr during proxying?


tehniemer commented 6 years ago

Well, using the relative path got rid of the 404 error, now I'm left with

access log

172.10.0.1 - - [26/Apr/2018:23:07:22 +0000] "GET /auth-admin HTTP/2.0" 502 40
172.10.0.1 - - [26/Apr/2018:23:07:22 +0000] "GET /radarr HTTP/2.0" 302 65

error log

26/Apr/2018:23:07:22 +0000 [ERROR 502 /auth-admin] http: no Host in request URL

This is how I changed my Caddyfile

  proxy /auth-admin /organizr/www/Dashboard/auth.php?admin
  proxy /auth-user /organizr/www/Dashboard/auth.php?user

  reauth {
    path /sonarr
    path /radarr
    path /lidarr
    path /mylar
    path /lazy
    path /nzbget
    path /hydra2
    path /pihole

    failure redirect target=https://google.com

    upstream url=https://domain.com/auth-admin,cookies=true
    }

  reauth {
    path /tautulli

    failure redirect target=https://google.com

    upstream url=https://domain.com/auth-user,cookies=true
    }

I read your comment about 502 errors, but that seemed to be windows specific, any ideas what I need to do with this running in docker?

goofballtech commented 6 years ago

The whole thing was Windows specific, because at the time I didn't even know what a Docker was....

My vote is to run NGINX/LE docker and hop on over to the Org discord channel if you have issues because those guys know all the little issues folks run into and are very helpful. just my 2 cents.


tehniemer commented 6 years ago

I figured it out with the help of @causefx. The proxies to auth.php were the issue; that path had to be set directly as the upstream URL.

  reauth {
    path /sonarr
    path /radarr
    path /lidarr
    path /mylar
    path /lazy
    path /nzbget
    path /hydra2
    path /pihole

    failure redirect target=https://domain.com/organizr/

    upstream url=https://domain.com/organizr/auth.php?admin,cookies=true
    }

  reauth {
    path /tautulli

    failure redirect target=https://domain.com/organizr/

    upstream url=https://domain.com/organizr/auth.php?user,cookies=true
    }
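The fix above points each reauth upstream straight at auth.php and forwards the browser's cookies, and freman's first question was whether that endpoint answers 200 for a valid cookie. The Go program below, added here as an illustration and not code from caddy-reauth or Organizr, models that forward-auth check against a stand-in auth endpoint so the three outcomes from this thread (200 allowed, non-200 denied, 404 when the upstream points at the wrong path) can be reproduced offline. The cookie name and value, the stand-in handler and reauthAllowed are all constructed assumptions.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Constructed cookie name and value; the real Organizr session cookie is not on the page.
const sessionCookie, validSession = "organizr_session", "constructed-valid-token"
// fakeOrganizrAuth stands in for organizr/auth.php?admin: 200 for a valid session
// cookie, 401 otherwise, and 404 for any other path (what the thread saw at /auth-admin).
func fakeOrganizrAuth() http.Handler {
	mux := http.NewServeMux()
	mux.HandleFunc("/organizr/auth.php", func(w http.ResponseWriter, r *http.Request) {
		if c, err := r.Cookie(sessionCookie); err != nil || c.Value != validSession {
			w.WriteHeader(http.StatusUnauthorized)
			return
		}
		w.WriteHeader(http.StatusOK)
	})
	return mux
}

// reauthAllowed is a hypothetical stand-in for the plugin's check: copy the browser's
// cookies onto a GET to the upstream URL (cookies=true) and accept only a 200 reply.
func reauthAllowed(client *http.Client, upstream string, browser *http.Request) (bool, int, error) {
	req, err := http.NewRequest(http.MethodGet, upstream, nil)
	if err != nil {
		return false, 0, err
	}
	for _, c := range browser.Cookies() {
		req.AddCookie(c)
	}
	resp, err := client.Do(req)
	if err != nil {
		return false, 0, err
	}
	resp.Body.Close()
	return resp.StatusCode == http.StatusOK, resp.StatusCode, nil
}

func main() {
	srv := httptest.NewServer(fakeOrganizrAuth())
	browser, _ := http.NewRequest(http.MethodGet, "https://domain.com/radarr", nil)
	browser.AddCookie(&http.Cookie{Name: sessionCookie, Value: validSession})
	for _, up := range []string{"/organizr/auth.php?admin", "/organizr/auth-admin"} {
		ok, code, err := reauthAllowed(srv.Client(), srv.URL+up, browser)
		fmt.Printf("upstream %s -> %d allowed=%v err=%v\n", up, code, ok, err)
	}
}
```

Any non-200 reply, including a 404 from a mistyped upstream path, is treated as a denial, which is why the misconfigured upstream produced the 302 to the failure target rather than an error at Caddy.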