nirui / sshwifty

Web SSH & Telnet (WebSSH & WebTelnet client) 🔮
https://sshwifty-demo.nirui.org
GNU Affero General Public License v3.0

Not working with traefik + auth #75

Closed ataridude closed 2 years ago

ataridude commented 2 years ago

A friend pointed me to sshwifty, and I have been trying to get it installed on my system, behind Traefik, with authentication. I have it working behind Traefik, but I also want access to it controlled by a username & password. I have tried Traefik's basic auth and digest auth, and I have the same issue with both: it has a problem with websockets (it reports error 1006).

This is only a problem when I try to use auth -- when I skip the Traefik auth, sshwifty works just fine.

My functioning docker compose file is attached, and the commented lines are the ones that cause a problem. Specifically it is the sshwifty-secure middleware that causes a problem; the fwd_proto middleware was one of my attempts at working around this issue, based on some howtos I found online.

I don't know if this is an issue with Traefik, sshwifty, or the configuration I have set here. I would appreciate any guidance here to getting this working.

docker-compose-sshwifty.txt

Hmm, I see that the docker compose file is only downloadable here, not viewable, so I have edited to add it here:

version: "3"
services:
  sshwifty:
    image: niruix/sshwifty:latest
    volumes:
        - /usr/local/docker/sshwifty/sshwifty.conf.json:/etc/sshwifty.conf.json
    deploy:
      labels:
        - "traefik.enable=true"
        - "traefik.docker.network=traefik_net"
        - "traefik.http.services.sshwifty.loadbalancer.server.port=8182"
        - "traefik.http.routers.sshwifty-http.entrypoints=http"
        - "traefik.http.routers.sshwifty-http.rule=Host(`sshwifty.ataridude.net`)"
        - "traefik.http.routers.sshwifty-http.middlewares=sshwifty-http"
        - "traefik.http.routers.sshwifty-http.service=sshwifty"
        - "traefik.http.middlewares.sshwifty-http.redirectscheme.scheme=https"
        - "traefik.http.middlewares.sshwifty-http.redirectscheme.permanent=true"
        - "traefik.http.routers.sshwifty-secure.rule=Host(`sshwifty.ataridude.net`)"
        - "traefik.http.routers.sshwifty-secure.service=sshwifty@docker"
        - "traefik.http.routers.sshwifty-secure.tls.certresolver=dns-digitalocean"
        - "traefik.http.routers.sshwifty-secure.entrypoints=https"
#       - "traefik.http.routers.sshwifty-secure.middlewares=sshwifty-secure,fwd_proto"
#       - "traefik.http.middlewares.sshwifty-secure.digestauth.users=ataridude:traefik:HASH"
#       - "traefik.http.middlewares.fwd_proto.headers.customrequestheaders.X-Forwarded-Proto=https,wss"
    networks:
      - traefik_net

networks:
  traefik_net:
    external: true

nirui commented 2 years ago

Hmm... that's a little odd.

I don't think traefik.http.middlewares.fwd_proto... is actually needed; it depends on other settings on your system, of course.

I also run Sshwifty via Traefik in my local network, and I managed to get the HTTP Auth to work by adding the following lines (more info) into my docker-compose.yaml:

        - "traefik.http.middlewares.sshwifty-auth.digestauth.users=test:traefik:7f9b3ba8833e0b546e17284e6c767631"
        - "traefik.http.routers.<NameOfTheServiceDeclaredInTheDockerCompose>.middlewares=sshwifty-auth"

The digest was generated via htdigest -c passwordfile traefik test && cat passwordfile && rm passwordfile, and the cleartext password is 123.

The complete docker-compose.yaml:

version: "3.8"

services:
  web:
    image: niruix/sshwifty:latest
    networks:
      - traefik-public
    deploy:
      replicas: 2
      placement:
        max_replicas_per_node: 1
      labels:
        - "traefik.enable=true"
        - "traefik.http.routers.web.rule=Host(`<LocalServiceDomain>.svc.lan`,`<AnotherDomain>`)"
        - "traefik.http.routers.web.entrypoints=web,websecure"
        - "traefik.http.services.web.loadbalancer.server.port=8182"
        - "traefik.http.services.web.loadbalancer.server.scheme=http"
        - "traefik.docker.network=traefik-public"
        - "traefik.http.middlewares.sshwifty-auth.digestauth.users=test:traefik:7f9b3ba8833e0b546e17284e6c767631"
        - "traefik.http.routers.web.middlewares=sshwifty-auth"

networks:
  traefik-public:
    external: true

You can take a look at the log of the Traefik container to see if there is anything wrong.

ataridude commented 2 years ago

Thanks, I got it working using your entire compose file too (changing the docker network and entrypoints to match my environment) -- I'll look at the diffs between yours & mine and get it sorted. Simply applying those 2 lines (the digestauth and middleware lines) to my config does not work for some reason.