qdm12 / gluetun

VPN client in a thin Docker container for multiple VPN providers, written in Go, and using OpenVPN or Wireguard, DNS over TLS, with a few proxy servers built-in.
https://hub.docker.com/r/qmcgaw/gluetun
MIT License
7.35k stars 348 forks

HTTP Proxy: Username/Password Mismatch #1176

Open TuRDMaN opened 1 year ago

TuRDMaN commented 1 year ago

Is this urgent?

Yes

Host OS

Almalinux

CPU arch

x86_64

VPN service provider

ProtonVPN

What are you using to run the container

Portainer

What is the version of Gluetun

Running version latest built on 2022-09-14T13:28:28.429Z (commit e5be20d)

What's the problem 🤔

I am trying to use the environment variables to set a username and/or password

environment:
      - HTTPPROXY_USER=username
      - HTTPPROXY_PASSWORD=password

When I attempt to connect to the HTTP proxy using those credentials, I get the following error in my logs: Username or password mismatch from <ip:port>

This happens if I set just a username, or a username and password.

I assume I'm doing something wrong, but I can't figure out what.

It works fine if I don't require username/password, but I don't want to have this exposed on the web without password protection. Or I'd be happy with just allowing LAN clients to access the HTTP proxy, but I haven't figured out how to do that either.

Share your logs

INFO [vpn] You are running on the bleeding edge of latest!
2022-09-30T16:37:47-04:00 INFO [http proxy] Username or password mismatch from <ip>:<port>

Share your configuration

services:
  ######
  vpn: #
  ######
    container_name: gluetun
    image: qmcgaw/gluetun
    restart: unless-stopped
    cap_add:
      - NET_ADMIN
    devices:
      - /dev/net/tun:/dev/net/tun
    ports:
      - 8888:8888/tcp # HTTP proxy
      #- 8388:8388/tcp # Shadowsocks
      #- 8388:8388/udp # Shadowsocks
    volumes:
      - /opt/containers/vpn/gluetun:/gluetun
    environment:
      - VPN_SERVICE_PROVIDER=protonvpn
      - OPENVPN_USER=user
      - OPENVPN_PASSWORD=password
      - SERVER_COUNTRIES=United States
      - FREE_ONLY=on
      - HTTPPROXY=on
      - HTTPPROXY_USER=user
      - HTTPPROXY_PASSWORD=password
      - FIREWALL=on
      - BLOCK_SURVEILLANCE=on
      - BLOCK_ADS=off
      - DNS_KEEP_NAMESERVER=on
      - PUBLICIP_FILE=/gluetun/ip
      - LOG_LEVEL=info
      - HTTPPROXY_LOG=on
      - HTTP_CONTROL_SERVER_LOG=on
      - SHADOWSOCKS_LOG=on
      - HEALTH_VPN_DURATION_ADDITION=10s
      - UPDATER_PERIOD=24h
      - VERSION_INFORMATION=on
      - DOT=off
      - BLOCK_MALICIOUS=on
      - HOST_HOSTNAME=my.host
      - HTTPPROXY_STEALTH=off
      - HTTPPROXY_LISTENING_ADDRESS=:8888
      - SHADOWSOCKS_LISTENING_ADDRESS=:8388
      - HTTP_CONTROL_SERVER_ADDRESS=:8000

qdm12 commented 1 year ago

> It works fine if I don't require username/password, but I don't want to have this exposed on the web without password protection. Or I'd be happy with just allowing LAN clients to access the HTTP proxy, but I haven't figured out how to do that either.

⚠️ Communication client -> HTTP proxy is unencrypted so that means your http proxy credentials can be spied on, as well as http (not https) traffic. You might want to use shadowsocks if you want to expose it outside a safe network (or even within a safe network). The HTTP proxy is really here for devices like TVs that only support this.

Now, back to the http proxy (and I'd be happy if you figure out the reason it was failing), commit cb804577a93d77c2b2739ebc7cd1e5f58ca2ec21 now logs the credentials sent from the user (so re-pull the latest image), do you spot anything obvious? Have you tried with dumb http proxy user and password i.e. abc?

TuRDMaN commented 1 year ago

Thanks for following up, and sorry for the slow reply.

I set up a dummy user/pass, but when I try to connect using those credentials, it looks like it's not receiving the username/password from the client correctly: 2022-10-07T13:18:02-04:00 INFO [http proxy] Username ("") or password ("") mismatch from <ip>:<port>

qdm12 commented 1 year ago

What's your HTTP proxy client?

TuRDMaN commented 1 year ago

I was just trying it out with my web browser (using the SwitchyOmega extension)

qdm12 commented 1 year ago

Off the top of my head, I recall authentication isn't supported on Chrome + SwitchyOmega + HTTP proxy. You can authenticate with an HTTPS proxy or SOCKS5 though (not implemented in gluetun yet). Maybe I'm mistaken, but I have some foggy memory about pulling my hair over that one.

tylerwmarrs commented 1 year ago

I was testing out the FoxyProxy browser extension and I ran into the same issue as @TuRDMaN. No deal breaker for me as I can leave the credentials off in my homelab.
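
An added example, not gluetun's code and not part of any comment above, showing what a proxy sees in the two cases discussed in this thread. A request with no `Proxy-Authorization` header yields empty credentials, and a request with one carries them as plain base64 that anyone on the path can decode. The function name `proxyCredentials` and both sample requests are constructed for illustration.

```go
package main

import (
	"bufio"
	"encoding/base64"
	"fmt"
	"net/http"
	"strings"
)

// Constructed sample request (not captured traffic): no credentials attached.
const withoutAuth = "GET http://example.com/ HTTP/1.1\r\nHost: example.com\r\n\r\n"

// Constructed sample request: Basic credentials base64("user:password"),
// the placeholder values from the configuration in the issue.
const withAuth = "GET http://example.com/ HTTP/1.1\r\nHost: example.com\r\n" +
	"Proxy-Authorization: Basic dXNlcjpwYXNzd29yZA==\r\n\r\n"

// proxyCredentials (hypothetical helper) extracts Basic credentials from the
// Proxy-Authorization header of a raw HTTP request. ok is false when the
// header is missing or malformed; user and pass are then empty strings.
func proxyCredentials(raw string) (user, pass string, ok bool) {
	req, err := http.ReadRequest(bufio.NewReader(strings.NewReader(raw)))
	if err != nil {
		return "", "", false
	}
	scheme, payload, found := strings.Cut(req.Header.Get("Proxy-Authorization"), " ")
	if !found || !strings.EqualFold(scheme, "Basic") {
		return "", "", false // header absent or not Basic
	}
	// Basic auth is only base64-encoded, not encrypted.
	decoded, err := base64.StdEncoding.DecodeString(strings.TrimSpace(payload))
	if err != nil {
		return "", "", false
	}
	user, pass, ok = strings.Cut(string(decoded), ":")
	if !ok {
		return "", "", false // no "user:password" separator
	}
	return user, pass, true
}

func main() {
	for _, raw := range []string{withoutAuth, withAuth} {
		user, pass, ok := proxyCredentials(raw)
		fmt.Printf("header parsed=%t username=%q password=%q\n", ok, user, pass)
	}
}
```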