Open sonicnkt opened 3 years ago
Are you setting APPLICATION_ROOT in flask?
Also @sonicnkt feel free to ping me if you have a question like this, I have a fair bit of experience with python/flask and I'd like to support this project. Didn't see this issue until now though.
hehe i had not and stumbled upon this setting a few days ago. Didn't have time to test this yet tho. I will try this in the next few days and report back. If i can't get it to work i will gladly ask you for more support :)
Be aware that if you're trying to use cookie sub-domains (so you can use an example.com cookie on foo.example.com) it's not going to work on `localhost` based domains. I think a bunch of people would probably want to use this on localhost, so it's something to be aware of.
Traefik will proxy the glauth server instead of the forbidden server when using its "Authentication Based on Subrequest Result" equivalent, there might be a way to set up nginx similarly. I'm a bit tied in to traefik for complicated reasons, but the forward_auth stuff I'm working on assumes that glauth is proxied instead of the app we want to authenticate for.
Or it could be that you're doing this for some entirely different reason that has nothing to do with cookie domains, in which case ignore all that.
Finally figured this out... And yeah this is completely unrelated to cookies and i just didn't want to serve the ui in the root of my domain but from a subdirectory.
Since we are using gunicorn for deployment this is completely configured outside of flask and no `SERVER_NAME` or `APPLICATION_ROOT` needs to be manually set if you have correct proxy forwarding working. You only have to tell gunicorn that it should serve this from a subdirectory/prefix.
To get this working add the `SCRIPT_NAME` environment variable to the `docker-compose.yml`, for example:

```
SCRIPT_NAME=/account
```
And configure your proxy like this (nginx):
```nginx
server {
    listen 443 ssl http2;
    server_name subdomain.example.com;
    include /etc/nginx/ssl-stuff.conf; # SSL Certificates, keys etc

    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    add_header X-Frame-Options SAMEORIGIN;
    add_header X-Content-Type-Options nosniff;
    add_header X-XSS-Protection "1; mode=block";

    # ... your other locations ...

    location /account/ {
        # Keep the /account/ prefix on the upstream URL
        proxy_pass http://127.0.0.1:3005/account/;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Port $server_port;
    }
}
```
It is important that you also set the path/prefix in the proxy_pass setting.
After this everything works fine and you can access `https://subdomain.example.com/account/`, all generated urls are correct.
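A simplified model of the prefix handling described in the comment above, added here as an example; it is not code from this project or from gunicorn. `split_prefix`, `ROUTES`, `app` and `request` are hypothetical names, and the `"mismatch"` status is this model's own choice for a request whose path does not carry the configured prefix.

```python
from wsgiref.util import setup_testing_defaults

def split_prefix(request_path, script_name):
    """Split a request path into (SCRIPT_NAME, PATH_INFO) for an app mounted
    under script_name. Returns None if the path does not carry the prefix."""
    script_name = script_name.rstrip("/")
    if not script_name:
        return "", request_path
    if request_path == script_name or request_path.startswith(script_name + "/"):
        return script_name, request_path[len(script_name):] or "/"
    return None  # the proxy stripped or changed the prefix

ROUTES = {"/": "index", "/login": "login"}  # hypothetical app routes

def app(environ, start_response):
    """Routes on PATH_INFO only and builds links from SCRIPT_NAME + route."""
    if environ["PATH_INFO"] not in ROUTES:
        start_response("404 Not Found", [("Content-Type", "text/plain")])
        return [b"not found"]
    link = environ["SCRIPT_NAME"] + "/login"  # what URL generation would emit
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [link.encode()]

def request(upstream_path, script_name):
    """Return (status, body) for a path exactly as the proxy forwarded it."""
    split = split_prefix(upstream_path, script_name)
    if split is None:
        return "mismatch", ""
    environ = {}
    setup_testing_defaults(environ)
    environ["SCRIPT_NAME"], environ["PATH_INFO"] = split
    captured = {}

    def start_response(status, headers):
        captured["status"] = status

    body = b"".join(app(environ, start_response)).decode()
    return captured["status"], body

if __name__ == "__main__":
    # Constructed sample requests.
    # Prefix kept by proxy_pass and SCRIPT_NAME set: route matches, link is prefixed.
    print(request("/account/", "/account"))
    # Proxy strips the prefix while SCRIPT_NAME is set: the path cannot be split.
    print(request("/", "/account"))
    # Prefix forwarded but SCRIPT_NAME unset: the app routes on /account/ and 404s.
    print(request("/account/", ""))
```

The third case shows why a forwarded prefix without a matching `SCRIPT_NAME` produces 404s: the application tries to route the full `/account/...` path.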
I added the following config option to solve issues using nginx as reverse proxy and serving the app in the subdirectory like `subdomain.example.com/glauth`:

I still can't get this to work tho and only getting 404 errors when trying to access anything. Any help on this would be very much appreciated :)
I tried:
as well as
Setting the `SERVER_NAME` to `subdomain.example.com/glauth` makes all the links look correct but it still results in 404 errors. Without the subdirectory everything works without any issues even without the server_name set. The issue is probably with some of the proxy_header settings but i don't have much experience with this.