vouch-proxy: Too many redirects
I apologise – I’ve read through just about all of the issues, perused the source and still can’t nut this out. I think I’m losing my touch!
My nginx configuration is shown below. My internal “protected” app and vouch are behind the same nginx proxy:
server {
    listen 80;
    listen [::]:80;
    server_name cloud.reid.ee;
    return 301 https://$host$request_uri;
}
# Vouch
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name vouch.reid.ee;
    include /config/nginx/ssl.conf;
    location / {
        proxy_set_header Host vouch.reid.ee;
        proxy_pass http://172.16.1.82:9090;
    }
}
server {
    listen 443 ssl http2 default_server;
    listen [::]:443 ssl http2 default_server;
    server_name cloud.reid.ee;
    include /config/nginx/ssl.conf;
    root /config/www;
    index index.html index.htm index.php;
    auth_request /validate;
    location = /validate {
        internal;
        proxy_pass http://172.16.1.82:9090;
        proxy_set_header Host cloud.reid.ee;
        proxy_set_header Content-Length "";
        proxy_pass_request_body off;
        auth_request_set $auth_resp_x_vouch_user $upstream_http_x_vouch_user;
        auth_request_set $auth_resp_jwt $upstream_http_x_vouch_jwt;
        auth_request_set $auth_resp_err $upstream_http_x_vouch_err;
        auth_request_set $auth_resp_failcount $upstream_http_x_vouch_failcount;
    }
    location /sonarr {
        proxy_pass http://mogul.reid.ee:8989;
        proxy_set_header X-Vouch-User $auth_resp_x_vouch_user;
        auth_request_set $auth_resp_x_vouch_user $upstream_http_x_vouch_user;
    }
    error_page 401 = @error401;
    location @error401 {
        # redirect to Vouch Proxy for login
        return 302 https://vouch.reid.ee/login?url=$scheme://$http_host$request_uri&vouch-failcount=$auth_resp_failcount&X-Vouch-Token=$auth_resp_jwt&error=$auth_resp_err;
    }
}
My vouch config.yml is pretty straight-forward and it successfully interacts with Google:
vouch:
  logLevel: debug
  listen: 0.0.0.0
  port: 9090
  domains:
    - reid.ee
  whiteList:
    - ndrewreid@gmail.com
    - andrew@reid.ee
oauth:
  provider: google
  client_id: xxxxx
  client_secret: xxxxx
  callback_urls:
    - https://vouch.reid.ee/auth
  preferredDomain: reid.ee
When I hit my protected location, cloud.reid.ee/sonarr, I’m redirected via /validate to Google, where I’m successfully redirected back to vouch.reid.ee/auth. The logs seem to indicate that my session state is matched, the username is found in the whitelist and, hey, it should be happy days. It seems as though /auth responds with a 302 to /validate again, where my domain isn’t seen as authorised, but also found as a matched array value:
{"level":"debug","ts":1554723612.927297,"msg":"*ptokenCLaims: {andrew@reid.ee [] { 1554738012 0 Vouch 0 }}"}
{"level":"info","ts":1554723612.9294083,"msg":"jwt cookie","username":"andrew@reid.ee"}
{"level":"error","ts":1554723612.9306395,"msg":"http header 'Host: cloud.reid.ee' not authorized for configured `vouch.domains` (is Host being sent properly?)"}
{"level":"debug","ts":1554723612.9322002,"msg":"domain cloud.reid.ee matched array value at [0]=reid.ee"}
{"level":"debug","ts":1554723612.9332013,"msg":"CaptureWriter.Write set w.StatusCode Ƒ"}
{"level":"debug","ts":1554723612.9341297,"msg":"Request handled successfully: 401"}
Now, I’ve been trying all manner of variations on the setting the Host header theme as mentioned in README.md without success. I’m sorry to bother – but can you point me in the right direction?
About this issue
- State: closed
- Created 5 years ago
- Comments: 22 (13 by maintainers)
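A small triage script for the debug log quoted in the issue above, as an added example that is not part of the original thread or of vouch-proxy. It flags a /validate exchange where a valid JWT cookie still ends in a 401 (which the `error_page 401` block turns into another login redirect) and where the same Host is both rejected and matched. The function name `triage` and the result keys are assumptions of this example.

```python
import json
import re

# Five of the debug lines quoted in the issue (one /validate exchange).
SAMPLE = """\
{"level":"info","ts":1554723612.9294083,"msg":"jwt cookie","username":"andrew@reid.ee"}
{"level":"error","ts":1554723612.9306395,"msg":"http header 'Host: cloud.reid.ee' not authorized for configured `vouch.domains` (is Host being sent properly?)"}
{"level":"debug","ts":1554723612.9322002,"msg":"domain cloud.reid.ee matched array value at [0]=reid.ee"}
{"level":"debug","ts":1554723612.9332013,"msg":"CaptureWriter.Write set w.StatusCode Ƒ"}
{"level":"debug","ts":1554723612.9341297,"msg":"Request handled successfully: 401"}
"""

HOST_ERR = re.compile(r"http header 'Host: ([^']+)' not authorized")
MATCHED = re.compile(r"domain (\S+) matched array value at \[\d+\]=(\S+)")
HANDLED = re.compile(r"Request handled successfully: (\d{3})$")
CAPTURED = "CaptureWriter.Write set w.StatusCode "


def triage(text):
    """Summarise one /validate exchange from vouch JSON debug log text."""
    r = {"user": None, "rejected_host": None, "matched": None,
         "status": None, "captured": None}
    for line in text.splitlines():
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip blank or non-JSON lines
        if not isinstance(rec, dict):
            continue
        msg = rec.get("msg", "")
        if msg == "jwt cookie":
            r["user"] = rec.get("username")
        elif m := HOST_ERR.search(msg):
            r["rejected_host"] = m.group(1)
        elif m := MATCHED.search(msg):
            r["matched"] = (m.group(1), m.group(2))
        elif m := HANDLED.search(msg):
            r["status"] = int(m.group(1))
        elif msg.startswith(CAPTURED) and len(msg) == len(CAPTURED) + 1:
            # In the quoted log the status appears as a single character
            # whose code point equals the status (U+0191 is 401).
            r["captured"] = ord(msg[-1])
    # A valid JWT cookie answered with 401 sends nginx back to /login: a loop.
    r["loop"] = r["user"] is not None and r["status"] == 401
    # The same Host both rejected and matched against vouch.domains.
    r["contradiction"] = (r["matched"] is not None
                          and r["matched"][0] == r["rejected_host"])
    return r


if __name__ == "__main__":
    print(triage(SAMPLE))
```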
@andrewreid the config looks generally with the exception of the proxy_set_header Host cloud.reid.ee; noted above.

Please use v0.5.9 pushed today

@andrewreid OMG you’re right, I had an entirely different understanding. I’ll update the README shortly.