authelia: rd query parameter is not url-encoded

First off: Thanks for this awesome project, it works nicely in my traefik setup.

I have an issue when redirecting from more complicated URLs than my subdomains (redirecting to specific resources instead of the whole page). When the redirection URL contains a query string, it terminates the rd variable, because it is not escaped, which then results in a redirect to the original site without its query variables.

E.g. in my setup I have something like https://redacted.org/auth/authorize?response_type=code&..., which gets redirected to Authelia, which results in https://login.redacted.org/#/?rd=https://redacted.org/auth/authorize?response_type=code&.... After authentication I am redirected to https://redacted.org/auth/authorize, missing any previous query arguments.

I suppose the redirection URL should be escaped to be URL-safe once extracted from Traefik's headers and decoded again for the actual redirect.
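An added illustration of the truncation described in this report, written for this page in Go (it is neither Authelia's code nor the reporter's): the portal URL is built once with the original URL pasted in verbatim and once with it percent-encoded, and the rd value is then read back the way a query parser sees it. The original URL and its state=abc123 parameter are constructed for the example; where exactly an unencoded value is cut depends on the parser, and with Go's net/url it is the first '&' of the embedded query string.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// buildPortalURL builds the portal URL that a protected site sends the
// browser to, carrying the original request in the rd parameter.
// With encode=false the original URL is concatenated verbatim (the behaviour
// reported in this issue); with encode=true it is percent-encoded first.
func buildPortalURL(portal, original string, encode bool) string {
	if encode {
		return portal + "/#/?rd=" + url.QueryEscape(original)
	}
	return portal + "/#/?rd=" + original
}

// extractRD returns what the portal sees as the rd value, i.e. the URL it
// will redirect back to after authentication. The portal keeps its query
// behind "#/", as in the report above, so the fragment is parsed on its own.
// (Hypothetical helper written for this example, not Authelia's code.)
func extractRD(portalURL string) (string, error) {
	parts := strings.SplitN(portalURL, "#", 2)
	if len(parts) != 2 {
		return "", fmt.Errorf("no fragment in %q", portalURL)
	}
	u, err := url.Parse(parts[1])
	if err != nil {
		return "", err
	}
	// Query() splits on '&' and unescapes each value: an unencoded rd is cut
	// at the first '&' of the embedded query string, an encoded one survives.
	return u.Query().Get("rd"), nil
}

// roundTrip reports the URL the user would be sent back to after logging in.
func roundTrip(original string, encode bool) (string, error) {
	return extractRD(buildPortalURL("https://login.redacted.org", original, encode))
}

func main() {
	// Constructed example: the state parameter is assumed, the report elides it.
	original := "https://redacted.org/auth/authorize?response_type=code&state=abc123"
	for _, encode := range []bool{false, true} {
		got, err := roundTrip(original, encode)
		fmt.Printf("encode=%-5v back to %q (err=%v)\n", encode, got, err)
	}
}
```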

About this issue

  • State: closed
  • Created 5 years ago
  • Comments: 23 (14 by maintainers)

Most upvoted comments

Sure; here is the relevant snippet:

version: '3'

networks:
  traefik:
    external: true

services:
  traefik2:
    image: traefik
    container_name: traefik2
    environment:
      - CF_API_EMAIL=${CF_API_EMAIL}
      - CF_API_KEY=${CF_API_KEY}
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - ${CONFIG_DIR}/traefik2/config/acme.json:/acme.json
    networks:
      - traefik
    ports:
      - "80:80"
      - "443:443"
    command:
      - '--api.dashboard=true'
      - '--log.level=DEBUG'
      - '--entrypoints.http.address=:80'
      - '--entrypoints.https.address=:443'
      - '--providers.docker'
      - '--certificatesresolvers.cloudflare.acme.email=${CF_API_EMAIL}'
      - '--certificatesresolvers.cloudflare.acme.storage=/acme.json'
      - '--certificatesresolvers.cloudflare.acme.dnschallenge=true'
      - '--certificatesresolvers.cloudflare.acme.dnschallenge.provider=cloudflare'
      - '--certificatesResolvers.cloudflare.acme.dnsChallenge.resolvers=1.1.1.1:53,1.0.0.1:53'
    labels:
      - 'traefik.http.routers.http-catchall.rule=hostregexp(`{host:.+}`)'
      - 'traefik.http.routers.http-catchall.entrypoints=http'
      - 'traefik.http.routers.http-catchall.middlewares=redirect-to-https'
      - 'traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https'
      - 'traefik.http.routers.letsencrypt.tls.certresolver=cloudflare'
      - 'traefik.http.routers.letsencrypt.tls.domains[0].main=${DOMAIN}'
      - 'traefik.http.routers.letsencrypt.tls.domains[0].sans=*.${DOMAIN}'
      # Forward-auth middleware; the rd parameter is the portal URL discussed in this issue
      - 'traefik.http.middlewares.authelia.forwardauth.address=http://authelia:9091/api/verify?rd=https://auth.${DOMAIN}'
      - 'traefik.http.middlewares.authelia.forwardauth.tls.insecureSkipVerify=true'
      # Dashboard
      - 'traefik.http.routers.traefik.rule=Host(`traefik2.${DOMAIN}`)'
      - 'traefik.http.routers.traefik.tls=true'
      - 'traefik.http.routers.traefik.entrypoints=https'
      - 'traefik.http.routers.traefik.service=api@internal'
      - 'traefik.http.routers.traefik.middlewares=authelia@docker'
    restart: unless-stopped

  authelia:
    image: authelia/authelia:master
    container_name: authelia
    environment:
      - NODE_TLS_REJECT_UNAUTHORIZED=1
    volumes:
      - ${CONFIG_DIR}/authelia/config:/etc/authelia
    networks:
      - traefik
    labels:
      - 'traefik.http.routers.authelia.rule=Host(`auth.${DOMAIN}`)'
      - 'traefik.http.routers.authelia.tls=true'
      - 'traefik.http.routers.authelia.entrypoints=https'
      - 'traefik.http.routers.authelia.middlewares=authelia@docker'
    depends_on:
      - traefik2
    restart: unless-stopped

  filebrowser:
    image: filebrowser/filebrowser
    container_name: filebrowser
    environment:
      - TZ=${TZ}
      - PUID=${PUID}
      - PGID=${PGID}
    volumes:
      - ${CONFIG_DIR}/filebrowser/config/filebrowser.json:/.filebrowser.json
      - ${CONFIG_DIR}/filebrowser/config/filebrowser.db:/filebrowser.db
    networks:
      - traefik
    labels:
      - 'traefik.http.routers.filebrowser.rule=Host(`filebrowser.${DOMAIN}`)'
      - 'traefik.http.routers.filebrowser.tls=true'
      - 'traefik.http.routers.filebrowser.entrypoints=https'
      - 'traefik.http.routers.filebrowser.middlewares=authelia@docker'
    depends_on:
      - traefik2
    restart: unless-stopped

@tlvenn , I will provide the fix of URL encoding this week. @nightah , I think it should solve most issues and then, when it’s implemented, we can see if there is still an issue with Traefik 2.0.

Well it really was a simple misconfiguration issue it appears, the issue I was having was due to single quotes vs double quotes and how that’s interpreted by Docker.

Thanks @726a67!

@tlvenn/@clems4ever looks like the issue is limited to Traefik2 when utilising the docker provider and specifically when defining the authelia middleware with labels.

@clems4ever the initial implementation for Traefik 2.x was with a file-based provider because I was unsure if there would be any conflict with Traefik 1.x labels; the commit can be viewed at https://github.com/authelia/authelia/commit/55612957aba6a71244eb0e1a8a3842137d317b35. This resulted in https://buildkite.com/authelia/authelia/builds/126#c1a31cd6-556e-46c7-905a-3ca9af38b1ba.

After this I refactored from a file-based provider to utilise the docker provider along with the respective Traefik 2.x labels; the commit can be viewed at https://github.com/authelia/authelia/commit/86fdf4dc4949856dbb5adcff8a43a15a21e753e0. This resulted in https://buildkite.com/authelia/authelia/builds/127#5aca33da-2f56-4111-81af-873b185e3969.

Looking at the Traefik logs, it appears the Referer and RequestURI are being stripped when utilising the docker provider.

With further investigation, it looks like it’s actually ONLY the middleware definition via the docker provider that causes this specific symptom.

So if we move the middleware definition to a file-based provider and reference that from the container with a label, as in https://github.com/authelia/authelia/commit/34454af65e4fd7301604b916a200c9cee8d60b21, we have Authelia working with Traefik 2.x and are able to utilise all of the fancy service discovery, etc. associated with that provider; you can see the test results at https://buildkite.com/authelia/authelia/builds/128#0e1dee49-56d5-44bb-bdfc-42443ac13654.

Clearly there’s something odd going on with Traefik because the behaviour differs depending on how the routes are defined (read: providers). I’d be curious to see if URL encoding actually resolves this issue with the middlewares, but I’ll leave that to you @clems4ever, please utilise the branch as you see fit.

For anybody that wants to utilise Traefik 2.x right now, the configuration discussed and detailed above works.

I am facing the same issue and, as pointed out in #500, it's not even just with a complicated redirect URL / query string; a simple domain with Traefik 2.0 will not work, as https:// will be replaced with https:/