BUG: Unable to log in behind nginx proxy with basic auth.
Describe the bug: I have set up the Docker version of Aleph running on localhost:8080. Nginx is set up with a public domain name and HTTPS, and proxies everything to Aleph.
```nginx
location / {
    proxy_pass http://127.0.0.1:8080;
    # Gate the whole site behind HTTP Basic auth while it is under development
    auth_basic "Under Development";
    auth_basic_user_file /etc/nginx/developer.htpass;
}
```
Without the auth_basic lines, everything works as expected. When they are added, the server asks for the credentials once and allows access. However, on trying to log in to Aleph, once the Aleph user and password are supplied, there's an endless loop of asking for the nginx htauth credentials, and login is never achieved.
Relevant lines, perhaps, from `aleph.env`:

```
ALEPH_UI_URL=https://aleph.publicdomain.com/
ALEPH_URL_SCHEME=https
```
In the nginx log, there are many lines like:

```
GET /api/2/metadata HTTP/1.1" 401
POST /api/2/sessions/logout HTTP/1.1" 401
```
Hi @plutocrat, could you check if this can be solved by setting the `ALEPH_FORCE_HTTPS` env variable? See #2156.
Unfortunately no, I did find that issue earlier and tried it. It still doesn't make any difference: I can get to the front page with http auth accepted once, but when I log into aleph, I just get endless htauth requests.
Is there another way of putting an htauth-like password on the app? Just don't want to open it to the public while we're playing around with it ...
I think one problem may be that (after you’ve logged in) the Aleph frontend will use the Authorization header to include an API token in requests (possibly overwriting the Basic Auth credentials).
You should be able to verify this by looking at the headers and status codes of the relevant API requests in your browser’s developer tools. Please let us know when you find out more!
If that’s indeed the issue, you may be able to change the header that’s used for the API authentication to something like X-Aleph-Authorization. But that would most definitely require changing the source code and rebuilding the Docker images.
Alternatively, you may be able to restrict access using a VPN. https://tailscale.com/ for example is easy to set up.
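To make the suspected header collision concrete, here is a small added simulation (not code from the thread, from Aleph, or from nginx). It models what `auth_basic` checks on each request and what the browser actually sends before and after the app's login: HTTP carries a single `Authorization` header, so when the frontend's JavaScript sets it to carry an API token, the remembered Basic credential is replaced rather than sent alongside, nginx sees a non-Basic scheme, answers 401 and the browser re-prompts. The scheme name `Token`, the credential store and the token value are constructed assumptions; the thread only says the frontend puts an API token in `Authorization`.

```python
import base64
from typing import Optional

# Constructed stand-in for the nginx htpasswd file (plaintext here purely for illustration;
# a real auth_basic_user_file holds password hashes, never plaintext).
PROXY_USERS = {"developer": "s3cret"}


def proxy_auth_status(headers: dict) -> int:
    """Mimic nginx auth_basic: 200 if a valid 'Basic' credential is present, else 401.

    A 401 from the proxy is what makes the browser pop the credential dialog again.
    """
    value = headers.get("Authorization", "")
    scheme, _, param = value.partition(" ")
    if scheme.lower() != "basic":
        # Any other scheme (e.g. an app API token) is not Basic auth, so nginx rejects it.
        return 401
    try:
        decoded = base64.b64decode(param, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return 401
    user, sep, password = decoded.partition(":")
    if not sep:
        return 401
    return 200 if PROXY_USERS.get(user) == password else 401


def browser_request_headers(proxy_credentials: Optional[str], api_token: Optional[str]) -> dict:
    """Build the headers a browser would send for one request.

    Only one Authorization header fits in a request. If the page's JavaScript sets
    Authorization explicitly (to carry the app's API token), that value REPLACES the Basic
    credential the browser remembered for the realm; the two cannot be sent side by side.
    """
    headers = {}
    if proxy_credentials:
        encoded = base64.b64encode(proxy_credentials.encode("utf-8")).decode("ascii")
        headers["Authorization"] = "Basic " + encoded
    if api_token:
        # Assumed scheme name "Token": the exact scheme the Aleph frontend uses is not
        # shown in the thread. Any non-Basic scheme produces the same outcome.
        headers["Authorization"] = "Token " + api_token
    return headers


def simulate_login_flow() -> list:
    """Return the proxy status for the two phases reported in the issue: [before, after] login."""
    # Phase 1: before logging in to the app, only the Basic credential is sent -> proxy lets it through.
    before = proxy_auth_status(browser_request_headers("developer:s3cret", None))
    # Phase 2: after login the frontend attaches its API token -> Basic is gone -> 401 -> re-prompt loop.
    after = proxy_auth_status(browser_request_headers("developer:s3cret", "constructed-api-token"))
    return [before, after]


if __name__ == "__main__":
    print(simulate_login_flow())
```

To confirm this against the real deployment, open the browser's developer tools, filter the Network tab to `/api/2/` requests made after the Aleph login, and compare the `Authorization` request header on those with the one on the initial page load; a 401 carrying nginx's `WWW-Authenticate: Basic realm="Under Development"` response header, rather than an Aleph JSON error body, identifies the proxy as the one rejecting the request.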
My workaround for the moment is to add IP whitelisting to the nginx config. Not ideal for remote working! But it solves the issue. Just in case this helps anyone else out, I used:
```nginx
location / {
    proxy_pass http://127.0.0.1:8080;
    proxy_redirect off;
    # satisfy any: a request passes if EITHER the IP allow-list OR basic auth succeeds,
    # so listed addresses never get the htauth prompt at all
    satisfy any;
    allow 1.2.3.4;
    allow 3.4.5.6;
    deny all;
    auth_basic "Under Development";
    auth_basic_user_file /etc/nginx/developer.htpass;
}
```
The `proxy_redirect` setting was something else I tried that didn't solve the problem. Finally, as this is turning out to be an nginx config thread, I had to add `client_max_body_size 80M;` to the config to increase it above the rather meagre 1M default and allow people to upload larger files.
@plutocrat Thanks for posting an update, good to hear you managed to find a workaround. I’ll keep this open, and maybe we’ll find some time to look into it, but we’re pretty busy right now and this is not a use case we support directly…
Just tried with haproxy instead of nginx. Same result. I think you're right, it's something to do with the auth headers being passed back and forth between the proxy and the nginx running in the Docker app, but I can't figure it out at the moment.
Interesting. I also experience a redirect loop, running aleph behind Traefik as a proxy.
Anything I can do to help debugging this?
A while back someone contributed an example of running Aleph behind Traefik. Perhaps that's a good starting point?