owncloud / ocis

ownCloud Infinite Scale Stack
https://doc.owncloud.com/ocis/next/
Apache License 2.0

OCIS + Authelia + Traefik: Error 401 when uploading a file from the web interface #9749

Open Irda13 opened 1 month ago

Irda13 commented 1 month ago

Using OCIS 5.0.6 docker image, I'm unable to upload any file using the web interface. I have Traefik in front of OCIS, and Authelia set up as external OIDC. Traefik is configured to forward auth to Authelia, and login is working fine, but when I try to upload a file, there is a 401 error in the logs.

I believe the issue is that one of the microservices is trying to access OCIS by using the public URL, instead of using localhost, because I see logs in Traefik with requests coming from one of my Docker IPv6 gateways.

Log from OCIS:

```
2024-08-06T20:48:04Z INF access-log bytes=0 duration=47.885004 line=github.com/owncloud/ocis/v2/services/proxy/pkg/middleware/accesslog.go:34 method=POST path=/remote.php/dav/spaces/71f13446-3085-4a58-86df-aea050a78676$06c41f70-95b4-4f40-9006-bf215d037e37 proto=HTTP/1.1 remote-addr=<my client IP> request-id=a3fc6fbe-e909-4f43-822c-998b44af3c61 service=proxy status=401 traceid=5465487ca28380b091be737a4da133e6
```

Log from Traefik:

```
{"ClientAddr":"[fd9a:78e:85ba::1]:42554","ClientHost":"fd9a:78e:85ba::1","ClientPort":"42554","ClientUsername":"-","DownstreamContentSize":366,"DownstreamStatus":401,"Duration":3143168,"GzipRatio":0,"OriginContentSize":0,"OriginDuration":0,"OriginStatus":0,"Overhead":3143168,"RequestAddr":"<public ocs host name>","RequestContentSize":0,"RequestCount":3380,"RequestHost":"<public OCS host name>","RequestMethod":"PATCH","RequestPath":"/data/eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJyZXZhIiwiZXhwIjoxNzIzMDYzNjg0LCJpYXQiOjE3MjI5NzcyODQsInRhcmdldCI6Imh0dHA6Ly9sb2NhbGhvc3Q6OTE1OC9kYXRhL3R1cy9kZDNiODE0NC1hMDg0LTRhMjctYmJkYS1kYjYzYzRlYTE1NDIifQ.Doa-P_xFcB9oV-nBPS_U6zQ_Ki4hgW8bG5pZcpPKewc","RequestPort":"-","RequestProtocol":"HTTP/2.0","RequestScheme":"https","RetryAttempts":0,"RouterName":"to-ocis@file","StartLocal":"2024-08-06T22:48:04.547730109+02:00","StartUTC":"2024-08-06T20:48:04.547730109Z","TLSCipher":"TLS_AES_128_GCM_SHA256","TLSVersion":"1.3","entryPointName":"https","level":"info","msg":"","time":"2024-08-06T22:48:04+02:00"}
```

This request is forwarded by Traefik to Authelia, which denies the access. Any idea if I can force the service to use localhost for connecting to other services?

rhafer commented 1 month ago

@Irda13 Please share some more information about your config. Like e.g. which env vars do you have set for the ocis container.

> This request is forwarded by Traefik to Authelia which denies the access.

According to the log line you pasted it has the ocis host name in the request, why should traefik forward it to authelia? Are you sure your traefik setup is fine?
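
Added example (not part of the thread, and not ownCloud or Traefik code): a small Python triage helper for Traefik JSON access-log entries like the one quoted in the first comment. It reports whether a 401/403 was logged without any backend response (`OriginStatus` 0) and decodes, without verifying the signature, any JWT-shaped segment in `RequestPath`; the function names are hypothetical and the sample entry and its token are constructed.

```python
import base64
import json

def _b64url_json(segment):
    """Decode one base64url segment into a dict, or None if it is not JSON."""
    try:
        padded = segment + "=" * (-len(segment) % 4)
        value = json.loads(base64.urlsafe_b64decode(padded))
    except ValueError:  # bad base64, bad UTF-8 or bad JSON
        return None
    return value if isinstance(value, dict) else None

def jwt_claims_in_path(path):
    """Return the claims of the first JWT-shaped path segment (signature NOT verified)."""
    for part in path.split("/"):
        pieces = part.split(".")
        if len(pieces) == 3:
            header, claims = _b64url_json(pieces[0]), _b64url_json(pieces[1])
            if header and claims and "alg" in header:
                return claims
    return None

def summarize_denied(log_line):
    """Summarize one Traefik JSON access-log entry that ended in 401 or 403."""
    entry = json.loads(log_line)
    if entry.get("DownstreamStatus") not in (401, 403):
        return None
    return {
        "method": entry.get("RequestMethod"),
        "client": entry.get("ClientHost"),
        "router": entry.get("RouterName"),
        # OriginStatus 0: Traefik logged no backend response for this request.
        "answered_by_traefik": entry.get("OriginStatus", 0) == 0,
        "claims": jwt_claims_in_path(entry.get("RequestPath", "")),
    }

def _seg(obj):
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

# Constructed sample entry (not the log from the issue); the signature is a dummy.
SAMPLE_CLAIMS = {"aud": "constructed-aud", "exp": 1700003600, "iat": 1700000000,
                 "target": "http://internal.example:9000/upload/constructed-id"}
SAMPLE = json.dumps({
    "ClientHost": "fd00::1", "DownstreamStatus": 401, "OriginStatus": 0,
    "RequestMethod": "PATCH", "RouterName": "to-ocis@file",
    "RequestPath": "/data/" + ".".join(
        [_seg({"alg": "HS256", "typ": "JWT"}), _seg(SAMPLE_CLAIMS), "ZHVtbXk"]),
})

if __name__ == "__main__":
    print(summarize_denied(SAMPLE))
```

Tokens embedded in URLs end up in access logs in full, so decoded claims from pasted logs should be treated as disclosed.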