Running behind reverse proxy gives wrong redirect URL #204
Comments
|
The above image illustrates the issue, the Base URL I was able to manually edit from http to https, but the Redirect URL cannot be manually changed. I think both Base URL and Redirect URL should have been using https, since I'm accessing Fenrus over a HTTPS url. |
|
that redirect URL is computed from the request the server is getting. its just a hint really. |
|
Mmm. Not quite. Something weird is going on. I have the same issue, same setup as OP. If I change the redirect URI to
While if I keep the
Any ideas? |
|
Yes this is exactly what I'm running into aswell. |
|
agree. I tried to point this out several months ago and my issue was closed. |
|
like I said its computed. Its what the request comes through as, so if you setup your reverse proxy to go to the HTTP protocol, then it will see the request coming from HTTP and give that. Theres 2 ports you can configure 3000 == http my portainer for fenrus my nginx proxy manager to fenrus |
|
that does not work either. I mapped port 3001 to 4000, went to https://docker-ip:3001, and the page cannot be loaded. if I go to http://docker-ip:3000 it loads up with the initial config. |
|
I just created a PR for @revenz to review in which I have solved this issue: For those who would like to test it already before revenz checks the PR, feel free to pull this image: Please let me know if someone tests if if they run into any issues, I'm personally able to use Fenrus now with Keycloak as oauth authentication, behind a HAproxy doing SSL offloading, and a nginx reverse proxy, being my kubernetes ingress controller. |
|
Another optoin is to set the enviromental variables
I'm using it behind a reverse proxy, going through cloudflare, to nginx proxy manager, to fenrus, using googles oauth. without any additional changes. so there must be a simplier way, something that im just missing in the docs. |
|
Hello @revenz, But aren't you hosting your app in https mode then? because I see you also install the dotnet dev cert in the final container. I would like to run the app in http mode, since complete Ssl termination is done in my loadbalancer, all traffic afterwards, continues on port 80, so the app doesn't have to run in https mode, it just needs to use the correct X-Forward-X headers to correctly generate urls like for Auth. |
|
Sorry to bring this up 2 years later, but I'm having a similar issue here, it's being forwarded the correct headers, but it's still using an invalid redirect URL Getting a 500 error at https://fenrus..ca/signin-oidc after it warns about sending an insecure form, I have a session active due to logging in on another (Dashy, which is working properly) |
|
hello @viperfan7, do you also get a http redirect uri? because the link you shared is https. Could you give a bit more information? |
Indeed I do |
|
@viperfan7 and how e is your setup? How does traffic reach your application? Did you already check the reverse proxy settings in the Readme? You need to set it up correctly, else .NET will just ignore the x-forwarded-x headers and you will get this behavior too if I remember correctly. |
|
I'll have to try it again, make sure I go though it exactly as described.
Since I just can't remember.
If it doesn't work I'll toss a backup of the container here as well as the
config for NPM for this specifically.
I'll try setting up a separate realm for it as well so I can just export
that and not worry about people seeing it, or a second keycloak instance.
…On Sat., Jan. 25, 2025, 1:41 p.m. Jeroen Nederlof, ***@***.***> wrote:
@viperfan7 <https://github.com/viperfan7> and how e is your setup? How
does traffic reach your application?
Did you already check the reverse proxy settings in the Readme? You need
to set it up correctly, else .NET will just ignore the x-forwarded-x
headers and you will get this behavior too if I remember correctly.
—
Reply to this email directly, view it on GitHub
<#204 (comment)>, or
unsubscribe
<https://github.com/notifications/unsubscribe-auth/ABDW3IDMZKHO2L5MIBBC4232MPLG3AVCNFSM6AAAAABVYUKX2KVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDMMJUGA3DCMZSHA>
.
You are receiving this because you were mentioned.Message ID:
***@***.***>
|
Hello @revenz,
I'm trying to run Fenrus on my kubernetes cluster, with using OIDC authentication from Keycloak. But the redirect url that is being configured is http, instead of https which gives me certificate issues.
I'm running it behind a reverse proxy which does SSL termination for me.
Could you tell me if there is a way to configure this setup, or what I'm doing wrong?
With kind regards,
Maaroen
The text was updated successfully, but these errors were encountered: