Open IngwiePhoenix opened 6 months ago
Hello there!
I have been trying to make IP whitelisting work, but have not been successful.
Here is the whole deployment:
```yaml
apiVersion: v1
kind: Namespace
metadata:
  name: traefik-auth
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: auth-cm
  namespace: traefik-auth
data:
  TRUSTED_IP_ADDRESS: 192.168.1.0/24,100.64.0.0/24
  AUTH_HOST: auth.birb.it
  COOKIE_DOMAIN: birb.it
  LOG_LEVEL: debug
  LOG_FORMAT: pretty
---
apiVersion: v1
kind: Secret
metadata:
  name: oidc-creds
  namespace: traefik-auth
type: Opaque
stringData:
  DEFAULT_PROVIDER: oidc
  SECRET: <snip>
  PROVIDERS_OIDC_ISSUER_URL: https://keycloak.birb.it/realms/master
  PROVIDERS_OIDC_CLIENT_ID: <snip>
  PROVIDERS_OIDC_CLIENT_SECRET: <snip>
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: auth-app
  namespace: traefik-auth
  labels:
    app: traefik-forward-auth
spec:
  replicas: 1
  selector:
    matchLabels:
      app: traefik-forward-auth
  strategy:
    type: Recreate
  template:
    metadata:
      labels:
        app: traefik-forward-auth
    spec:
      terminationGracePeriodSeconds: 60
      containers:
        - name: app
          image: thomseddon/traefik-forward-auth:2-arm64
          args:
            - --rule.homelab.action=allow
            - --rule.homelab.rule=ClientIP(`192.168.1.0/24`)
          ports:
            - containerPort: 4181
              protocol: TCP
          envFrom:
            - secretRef:
                name: oidc-creds
            - configMapRef:
                name: auth-cm
---
apiVersion: v1
kind: Service
metadata:
  name: auth-svc
  namespace: traefik-auth
  labels:
    app: traefik-forward-auth
spec:
  type: ClusterIP
  selector:
    app: traefik-forward-auth
  ports:
    - name: auth-http
      port: 4181
      targetPort: 4181
---
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: auth-trm
  namespace: traefik-auth
spec:
  forwardAuth:
    # workaround; traefik's dns ignores search domains...
    address: http://auth-svc.traefik-auth.svc.kube.birb.it:4181
    trustForwardHeader: true
    authResponseHeaders:
      - X-Forwarded-User
---
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
  name: auth-ir
  namespace: traefik-auth
spec:
  entryPoints:
    - websecure
  routes:
    - match: Host(`auth.birb.it`)
      kind: Rule
      services:
        - name: auth-svc
          port: auth-http
          #passHostHeader: true
          #scheme: http
```
In the logs, I can see the request arriving and even showing the correct IP; and yet, it yeets the request to Keycloak.
```text
time="2024-05-12T17:26:59Z" level=debug msg="Authenticating request" cookies="[]" handler=Auth host=router.birb.it method=GET proto=https rule=default source_ip=192.168.1.4 uri=/
time="2024-05-12T17:26:59Z" level=debug msg="Set CSRF cookie and redirected to provider login url" csrf_cookie="_forward_auth_csrf=c5dd67ee78e3fa4c824dca83a41b3f2c; Path=/; Domain=birb.it; Expires=Mon, 13 May 2024 05:26:59 GMT; HttpOnly; Secure" handler=Auth host=router.birb.it login_url="https://keycloak.birb.it/realms/master/(...snip...)" method=GET proto=https rule=default source_ip=192.168.1.4 uri=/
```
The "homelab" Rule I tried to use gets completely ignored (but is loaded), and the initial config object being printed also does not seem to include the IP whitelist.
```json
{
  "LogLevel": "debug",
  "LogFormat": "pretty",
  "AuthHost": "auth.birb.it",
  "CookieDomains": [
    {
      "Domain": "birb.it",
      "DomainLen": 7,
      "SubDomain": ".birb.it",
      "SubDomainLen": 8
    }
  ],
  "InsecureCookie": false,
  "CookieName": "_forward_auth",
  "CSRFCookieName": "_forward_auth_csrf",
  "DefaultAction": "auth",
  "DefaultProvider": "oidc",
  "Domains": null,
  "LifetimeString": 43200,
  "LogoutRedirect": "",
  "MatchWhitelistOrDomain": false,
  "Path": "/_oauth",
  "Whitelist": null,
  "Providers": {
    "Google": {
      "ClientID": "",
      "Scope": "",
      "Prompt": "select_account",
      "LoginURL": null,
      "TokenURL": null,
      "UserURL": null
    },
    "OIDC": {
      "IssuerURL": "https://keycloak.birb.it/realms/master",
      "ClientID": "/* snip */",
      "Resource": "",
      "Config": { /* snip */ },
      "RedirectURL": "",
      "Scopes": [ "openid", "profile", "email" ]
    },
    "GenericOAuth": {
      "AuthURL": "",
      "TokenURL": "",
      "UserURL": "",
      "ClientID": "",
      "Scopes": [ "profile", "email" ],
      "TokenStyle": "header",
      "Resource": "",
      "Config": null
    }
  },
  "Rules": {
    "homelab": {
      "Action": "allow",
      "Rule": "ClientIP(`192.168.1.0/24`)",
      "Provider": "oidc"
    }
  },
  "Lifetime": 43200000000000,
  "CookieDomainsLegacy": null,
  "CookieSecureLegacy": "",
  "ClientIdLegacy": "",
  "PromptLegacy": ""
}
```
Is there anything else I missed?
Thanks and kind regards, Ingwie
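An added example (not traefik-forward-auth's own code) of the decision a rule like `ClientIP(...)` has to make behind Traefik: the service's TCP peer is Traefik, so the client address can only come from X-Forwarded-For, and `trustForwardHeader: true` is only safe if that header is believed solely when it arrives from a trusted proxy address. The allowlist is the issue's TRUSTED_IP_ADDRESS value; the proxy range 10.42.0.0/16 and the client addresses used with it are assumptions.

```go
package main

import (
	"net"
	"net/http"
	"strings"
)
// parseCIDRs parses a list such as the issue's TRUSTED_IP_ADDRESS value.
func parseCIDRs(list string) ([]*net.IPNet, error) {
	var nets []*net.IPNet
	for _, s := range strings.Split(list, ",") {
		_, n, err := net.ParseCIDR(strings.TrimSpace(s))
		if err != nil {
			return nil, err
		}
		nets = append(nets, n)
	}
	return nets, nil
}
func ipInAny(ip net.IP, nets []*net.IPNet) bool {
	for _, n := range nets {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}
// clientIP picks the address to check. Behind Traefik the TCP peer is Traefik
// itself, so the client comes from X-Forwarded-For, honoured only when the peer
// is a trusted proxy; the chain is walked from the right past trusted hops.
func clientIP(r *http.Request, trustedProxies []*net.IPNet) net.IP {
	host, _, _ := net.SplitHostPort(r.RemoteAddr) // Go's server sets host:port
	peer := net.ParseIP(host)
	if !ipInAny(peer, trustedProxies) {
		return peer // untrusted peer: its header is not evidence of anything
	}
	hops := strings.Split(r.Header.Get("X-Forwarded-For"), ",")
	for i := len(hops) - 1; i >= 0; i-- {
		if ip := net.ParseIP(strings.TrimSpace(hops[i])); ip == nil {
			break // empty or malformed entry: fall back to the peer
		} else if !ipInAny(ip, trustedProxies) {
			return ip
		}
	}
	return peer
}
func allowed(r *http.Request, trustedProxies, allowlist []*net.IPNet) bool {
	ip := clientIP(r, trustedProxies)
	return ip != nil && ipInAny(ip, allowlist)
}
```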