Open TobenderZephyr opened 3 years ago
error - caused by: crypto/aes: invalid key size 0
I think you need to pass --encryption-key or set ENCRYPTION_KEY.
Here is a working example docker-compose.yml:
version: '2.4'
networks:
  web:
    external: true
services:
  traefik:
    image: traefik
    command:
      - "--accesslog"
      - "--api.insecure=true"
      - "--providers.docker=true"
      - "--providers.docker.exposedbydefault=false"
      - "--entrypoints.web.address=:80"
    ports:
      - 80:80
    networks:
      - web
    volumes:
      - "/var/run/docker.sock:/var/run/docker.sock"
    labels:
      traefik.enable: true
      traefik.docker.network: web
      #v2
      traefik.http.routers.traefik.rule: Host(`traefik.localtest.me`)
      traefik.http.services.traefik.loadbalancer.server.port: 8080
  whoami:
    image: traefik/whoami
    networks:
      - web
    labels:
      traefik.enable: true
      traefik.docker.network: web
      #v2
      traefik.http.routers.php-test-router.rule: Host(`whoami.localtest.me`)
      traefik.http.services.php-test-service.loadbalancer.server.port: 80
      traefik.http.routers.php-test-router.middlewares: traefik-forward-auth-middleware
  traefik-forward-auth:
    image: mesosphere/traefik-forward-auth:3.1.0
    networks:
      - web
      - default
    environment:
      #options https://github.com/mesosphere/traefik-forward-auth/blob/master/internal/configuration/config.go
      INSECURE_COOKIE: 1
      # quoted so YAML keeps it a 32-character string (16/24/32 bytes are the only sizes AES accepts)
      ENCRYPTION_KEY: "45659373957778734945638459467936" #32 character encryption key
      COOKIE_DOMAIN: whoami.localtest.me
      SCOPE: profile email openid # scope openid is necessary for keycloak...
      SECRET: abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789
      PROVIDER_URI: https://my-keycloak.com/auth/realms/my-realm
      CLIENT_ID: myclient
      CLIENT_SECRET: mysecret
      LOG_LEVEL: debug
    labels:
      traefik.enable: true
      traefik.docker.network: web
      traefik.http.services.traefik-forward-auth.loadbalancer.server.port: 4181
      traefik.http.routers.traefik-forward-auth.entrypoints: web
      traefik.http.routers.traefik-forward-auth.rule: Path(`/_oauth`)
      traefik.http.routers.traefik-forward-auth.middlewares: traefik-forward-auth
      traefik.http.middlewares.traefik-forward-auth-middleware.forwardauth.address: http://traefik-forward-auth:4181
      traefik.http.middlewares.traefik-forward-auth-middleware.forwardauth.authResponseHeaders: X-Forwarded-User
      traefik.http.middlewares.traefik-forward-auth-middleware.forwardauth.trustForwardHeader: "true"
COOKIE_DOMAIN: whoami.localtest.me
I tried with the wildcard .localtest.me; that doesn't work, but without the dot, localtest.me, it works 😕
I am using the latest/22.00 keycloak with this config. I am getting the following error:
time="2023-08-13T17:48:57Z" level=error msg="error generating secure session cookie: securecookie: error - caused by: crypto/aes: invalid key size 22" source_ip=172.27.0.1
To generate the cookie, the github.com/gorilla/securecookie module is used.
Refer to https://go.dev/src/crypto/aes/cipher.go#25
The error crypto/aes: invalid key size 22 is coming from cipher.go.
How do I fix this?
Anyone around here, who can shed some light upon this? I'm having the same issues. I can't find a valid key size. What is a valid key size anyway? How do I generate a valid key?
In my config, I have a SECRET with a length of 32 chars, and an --encryption-key with a length of 16 chars. They can be generated, e.g., with pwgen 32 1 and pwgen 16 1, respectively.
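Both errors in this thread (invalid key size 0 when the key is unset, invalid key size 22 when a 22-character value is supplied) come from the same place: securecookie hands the key to crypto/aes, which only accepts 16, 24 or 32 bytes (AES-128/192/256). The following Go program is an added illustration, not code from traefik-forward-auth or gorilla/securecookie. It assumes, consistent with the 32-character example above, that ENCRYPTION_KEY is consumed as raw bytes, so one ASCII character equals one byte. It reproduces the start-up check by calling aes.NewCipher directly and generates a key of a valid size as hex text that can be pasted into ENCRYPTION_KEY or --encryption-key.

```go
package main

import (
	"crypto/aes"
	"crypto/rand"
	"encoding/hex"
	"fmt"
)

// ValidateEncryptionKey returns nil when key has a length crypto/aes accepts
// (16, 24 or 32 bytes) and otherwise the exact error securecookie surfaces,
// e.g. "crypto/aes: invalid key size 22". The decision is delegated to
// aes.NewCipher so this check cannot drift from the standard library's rule.
func ValidateEncryptionKey(key []byte) error {
	_, err := aes.NewCipher(key)
	return err
}

// NewEncryptionKey generates a random key of exactly size characters, where
// size must be 16, 24 or 32. The output is hex, so every character is one
// byte and the string is safe to place in an environment variable or YAML
// file. Caveat: hex halves the entropy, so a 32-character hex key carries
// 128 random bits even though the cipher then runs as AES-256.
func NewEncryptionKey(size int) (string, error) {
	switch size {
	case 16, 24, 32:
	default:
		return "", fmt.Errorf("invalid key size %d: choose 16, 24 or 32", size)
	}
	raw := make([]byte, size/2)
	if _, err := rand.Read(raw); err != nil {
		return "", err
	}
	key := hex.EncodeToString(raw)
	// Confirm the generated key passes the same check the service applies.
	if err := ValidateEncryptionKey([]byte(key)); err != nil {
		return "", err
	}
	return key, nil
}

func main() {
	// Constructed sample keys reproducing the sizes reported in this thread:
	// unset (0 bytes), 22 characters, and the 32-character value from the
	// working docker-compose.yml above.
	samples := []string{"", "abcdefghijklmnopqrstuv", "45659373957778734945638459467936"}
	for _, k := range samples {
		if err := ValidateEncryptionKey([]byte(k)); err != nil {
			fmt.Printf("%q rejected: %v\n", k, err)
		} else {
			fmt.Printf("%q accepted (%d bytes)\n", k, len(k))
		}
	}
	key, err := NewEncryptionKey(32)
	if err != nil {
		panic(err)
	}
	fmt.Println("generated ENCRYPTION_KEY:", key)
}
```

Running it prints the rejection message for the empty and 22-character keys and accepts the 32-character one; the generated value can be used directly as ENCRYPTION_KEY. Because the hex alphabet is only 16 symbols, prefer size 32 so the key still carries 128 bits of randomness.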
Before I dive too deep into this matter, I want to apologize beforehand that I stumbled on KeyCloak and therefore your project by accident. I did not yet dig deep enough to know if these projects would exactly fit my needs or if I am doing it all wrong.
My setup currently is three different Docker hosts (no swarm), each running one of: keycloak + traefik, traefik-forward-auth + traefik, application + traefik. The plan was to have the application run in a LAN environment (or wherever), while the forward-auth host is inside a DMZ allowing only HTTP/HTTPS + outgoing LDAP for authentication against Active Directory. The KeyCloak server could either be inside the same DMZ or internal; yet to decide where it makes most sense. I followed your instructions in #1 and made a few changes here and there to fit my needs. Now I am at a point where I am unable to progress, because I tried so much beforehand and this is the furthest I achieved.
When I hit the whoami page, I get redirected to the KeyCloak login page by traefik-forward-auth. After entering username + password, I get redirected again to traefik-forward-auth with /_oauth? Yet I receive 401 Not Authenticated. Inspecting the browser cookies (F12), I don't see anything in the list. This is the output of the debug log. I believe the error message appeared after building the latest version (Dockerhub is 6 months old).
This is my setup:
traefik-forward-auth:
whoami:
I guess it comes down to normal Docker networking now and avoiding traefik at a certain point, so proxy headers won't get mixed up.
Any help on this is appreciated,
Thanks Marcus