vouch-proxy: too many redirects using duckdns.org domains

Hi,

I also have the most commonly reported issue here.

Too many redirects, and `no jwt found in request` in the log.

In my case the difference is that I don’t own a domain; instead I’m using the duckdns.org service, and I don’t know whether it will work at all.

I’ve created two subdomains: mydomain.duckdns.org and login-mydomain.duckdns.org.

Here’s my Vouch config:

 
  # Vouch section (the enclosing parent key is not shown in the paste).
  # NOTE(review): `testing` looks like a debugging switch — presumably meant
  # to go back to false once the flow works; check the Vouch config example.
  testing: true

  cookie:
   # NOTE(review): duckdns.org is a shared service domain (it is on the
   # Public Suffix List, as far as I know), so browsers are expected to
   # refuse a cookie scoped this broadly. The log below — a 302 from /auth
   # immediately followed by "no jwt found in request" on /validate — is
   # consistent with the cookie never being stored. A cookie can only be
   # shared between hosts under a name you control, e.g.
   # app.<name>.duckdns.org and login.<name>.duckdns.org with the cookie
   # domain set to <name>.duckdns.org (constructed example) — confirm.
   domain: duckdns.org
   name: VouchCookie
   # Secure + HttpOnly: the cookie is sent only over TLS and is not
   # readable by page scripts.
   secure: true
   httpOnly: true

  # Presumably admits any account the IdP authenticates; the log shows the
  # domains allow-list is empty ("not found in any domains []").
  allowAllUsers: true

oauth:

  provider: oidc
  # Credentials redacted by the reporter — keep them out of issue text.
  client_id: XXXXXXXXXXX
  client_secret: XXXXXXXXXXX
  # Okta developer tenant; authorize / token / userinfo are the standard
  # OIDC endpoints of its default authorization server.
  auth_url: https://dev-254313.okta.com/oauth2/default/v1/authorize
  token_url: https://dev-254313.okta.com/oauth2/default/v1/token
  user_info_url: https://dev-254313.okta.com/oauth2/default/v1/userinfo
  # The email/profile scopes are what produce the name, email and
  # preferred_username fields seen in the "OpenID userinfo body" log lines.
  scopes:
    - openid
    - email
    - profile
  # Redacted in the paste. From the nginx config and the log (host
  # login-mydomain.duckdns.org, path /auth) this should be
  # https://login-mydomain.duckdns.org/auth, and the identical URI must be
  # registered as a redirect URI on the Okta application.
  callback_url: https://login-++++++++++.+++++++.+++/auth

And my nginx config:

server {
    # Public TLS endpoint for Vouch itself (/login, the /auth callback, /validate),
    # proxied in clear text to the Vouch listener on loopback.
    listen 443 ssl; # managed by Certbot
    server_name login-mydomain.duckdns.org;

    # Proxy to your Vouch instance
    location / {
        proxy_pass        http://127.0.0.1:9090;
        # Forward the original Host so Vouch sees login-mydomain.duckdns.org
        # (the log shows that host on the /login and /auth requests).
        proxy_set_header Host $http_host;
   }

    # NOTE(review): unlike the application vhost, this server block does not
    # include /etc/letsencrypt/options-ssl-nginx.conf or an ssl_dhparam, so it
    # runs with nginx's default TLS protocol/cipher settings — add the same
    # include here if the hardened Certbot settings are meant for both hosts.
    # NOTE(review): this is the certificate issued under mydomain.duckdns.org;
    # it must list login-mydomain.duckdns.org as a SAN or browsers will reject
    # the handshake for this host — confirm.
    ssl_certificate /etc/letsencrypt/live/mydomain.duckdns.org/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/mydomain.duckdns.org/privkey.pem; # managed by Certbot
}

server {
    # Protected application vhost: every request is gated by the /validate
    # subrequest before being proxied to the backend on port 1880.
    server_name mydomain.duckdns.org;

    listen [::]:443 ssl ipv6only=on; # managed by Certbot
    listen 443 ssl; # managed by Certbot
    # Certbot's hardened TLS protocol/cipher settings (only this vhost includes them).
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

    # Any request to this server will first be sent to this URL
    # (as a subrequest; a 401 from it is routed to @error401 below).
    auth_request /validate;

    location = /validate {
      # This address is where Vouch will be listening on
      # NOTE(review): there is no `internal;` here, so /validate is also
      # reachable directly by clients on mydomain.duckdns.org; marking the
      # location internal limits it to the auth_request subrequest.
      proxy_pass http://127.0.0.1:9090/validate;
      proxy_set_header Host $http_host;
      proxy_pass_request_body off; # no need to send the POST body
      # The subrequest carries only headers (including the VouchCookie).

      proxy_set_header Content-Length "";
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header X-Forwarded-Proto $scheme;

      # these return values are passed to the @error401 call
      # (captured from the X-Vouch-Jwt / X-Vouch-Err / X-Vouch-Failcount
      # response headers of the subrequest).
      auth_request_set $auth_resp_jwt $upstream_http_x_vouch_jwt;
      auth_request_set $auth_resp_err $upstream_http_x_vouch_err;
      auth_request_set $auth_resp_failcount $upstream_http_x_vouch_failcount;
    }

    error_page 401 = @error401;
    # If the user is not logged in, redirect them to Vouch's login URL
    location @error401 {
        # `url=` is the page to return to after login. NOTE(review): the
        # captured X-Vouch-Jwt value is also placed in the query string, so
        # any token Vouch returns alongside a 401 would land in browser
        # history, Referer headers and access logs — confirm this matches the
        # upstream example config and that no usable token is echoed on 401.
        return 302 https://login-mydomain.duckdns.org/login?url=$scheme://$http_host$request_uri&vouch-failcount=$auth_resp_failcount&X-Vouch-Token=$auth_resp_jwt&error=$auth_resp_err;
    }

    location / {
        # Backend on loopback port 1880, with WebSocket upgrade headers passed through.
        proxy_pass http://localhost:1880/;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        # NOTE(review): "upgrade" is sent unconditionally, even for ordinary
        # HTTP requests; the common pattern derives it from $http_upgrade via
        # a map — confirm the backend tolerates the fixed value.
        proxy_set_header Connection "upgrade";
    }


    ssl_certificate /etc/letsencrypt/live/mydomain.duckdns.org/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/mydomain.duckdns.org/privkey.pem; # managed by Certbot
}

server {
    # Plain-HTTP listener: redirects to HTTPS, but only for mydomain.duckdns.org.
    if ($host = mydomain.duckdns.org) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


    # NOTE(review): this is the default_server on port 80 and only the
    # application host is redirected above, so a plain-http request for
    # login-mydomain.duckdns.org (or any other name) gets the 404 below
    # instead of being upgraded to https.
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name mydomain.duckdns.org;
    return 404; # managed by Certbot
}

And finally the log:

{"level":"info","ts":1564811271.6428761,"msg":"jwt.secret read from /home/pi/vouch-proxy/config/secret"}
{"level":"warn","ts":1564811271.6439126,"msg":"generating random session.key"}
{"level":"info","ts":1564811271.645211,"msg":"configuring oidc OAuth with Endpoint https://dev-254313.okta.com/oauth2/default/v1/authorize"}
{"level":"info","ts":1564811271.6522284,"msg":"starting Vouch","version":"98e009a","buildtime":"2019-07-29T19:44:07Z","buildhost":"nginxpi","branch":"master","semver":"v0.6.4","listen":"0.0.0.0:9090","oauth.provider":"oidc"}






{"level":"error","ts":1564811280.29344,"msg":"no jwt found in request"}
{"level":"warn","ts":1564811280.294039,"msg":"domain mydomain.duckdns.org not found in any domains []"}
{"level":"info","ts":1564811280.2944045,"msg":"|401|  918.908µs /validate","statusCode":401,"request":1,"latency":0.000918908,"avgLatency":0.000918908,"ipPort":"127.0.0.1:51596","method":"GET","host":"mydomain.duckdns.org","path":"/validate","referer":""}
{"level":"warn","ts":1564811280.6684415,"msg":"domain login-mydomain.duckdns.org not found in any domains []"}
{"level":"info","ts":1564811280.6712873,"msg":"|302| 3.069538ms /login","statusCode":302,"request":2,"latency":0.003069538,"avgLatency":0.001994223,"ipPort":"127.0.0.1:51598","method":"GET","host":"login-mydomain.duckdns.org","path":"/login","referer":""}
{"level":"info","ts":1564811292.743179,"msg":"OpenID userinfo body: %!(EXTRA string={\"sub\":\"00u10sz2uca2AL8Do357\",\"name\":\"xxxx xxxxxxx\",\"locale\":\"en-US\",\"email\":\"xxxxxxx@gmail.com\",\"preferred_username\":\"xxxxxxx@gmail.com\",\"given_name\":\"xxxx\",\"family_name\":\"xxxxxxx\",\"zoneinfo\":\"America/Los_Angeles\",\"updated_at\":1564463612,\"email_verified\":true})"}
{"level":"warn","ts":1564811292.7596512,"msg":"domain login-mydomain.duckdns.org not found in any domains []"}
{"level":"info","ts":1564811292.7618918,"msg":"|302| 2.568484708s /auth","statusCode":302,"request":3,"latency":2.568484708,"avgLatency":0.857491051,"ipPort":"127.0.0.1:51600","method":"GET","host":"login-mydomain.duckdns.org","path":"/auth","referer":""}
{"level":"error","ts":1564811292.7774441,"msg":"no jwt found in request"}
{"level":"warn","ts":1564811292.7780569,"msg":"domain mydomain.duckdns.org not found in any domains []"}
{"level":"info","ts":1564811292.7784107,"msg":"|401|  943.908µs /validate","statusCode":401,"request":4,"latency":0.000943908,"avgLatency":0.643354266,"ipPort":"127.0.0.1:51604","method":"GET","host":"mydomain.duckdns.org","path":"/validate","referer":""}
{"level":"warn","ts":1564811292.7923298,"msg":"domain login-mydomain.duckdns.org not found in any domains []"}
{"level":"info","ts":1564811292.7970688,"msg":"|302| 4.813604ms /login","statusCode":302,"request":5,"latency":0.004813604,"avgLatency":0.515646134,"ipPort":"127.0.0.1:51606","method":"GET","host":"login-mydomain.duckdns.org","path":"/login","referer":""}
{"level":"info","ts":1564811293.9997418,"msg":"OpenID userinfo body: %!(EXTRA string={\"sub\":\"00u10sz2uca2AL8Do357\",\"name\":\"xxxx xxxxxxx\",\"locale\":\"en-US\",\"email\":\"xxxxxxx@gmail.com\",\"preferred_username\":\"xxxxxxx@gmail.com\",\"given_name\":\"xxxx\",\"family_name\":\"xxxxxxx\",\"zoneinfo\":\"America/Los_Angeles\",\"updated_at\":1564463612,\"email_verified\":true})"}
{"level":"warn","ts":1564811294.0172899,"msg":"domain login-mydomain.duckdns.org not found in any domains []"}
{"level":"info","ts":1564811294.020052,"msg":"|302| 921.930437ms /auth","statusCode":302,"request":6,"latency":0.921930437,"avgLatency":0.583360184,"ipPort":"127.0.0.1:51608","method":"GET","host":"login-mydomain.duckdns.org","path":"/auth","referer":""}
{"level":"error","ts":1564811294.0317314,"msg":"no jwt found in request"}
{"level":"warn","ts":1564811294.0321395,"msg":"domain mydomain.duckdns.org not found in any domains []"}
{"level":"info","ts":1564811294.0324323,"msg":"|401|   679.95µs /validate","statusCode":401,"request":7,"latency":0.00067995,"avgLatency":0.500120151,"ipPort":"127.0.0.1:51610","method":"GET","host":"mydomain.duckdns.org","path":"/validate","referer":""}
{"level":"warn","ts":1564811294.0429945,"msg":"domain login-mydomain.duckdns.org not found in any domains []"}
{"level":"info","ts":1564811294.0461886,"msg":"|302| 3.255632ms /login","statusCode":302,"request":8,"latency":0.003255632,"avgLatency":0.438012087,"ipPort":"127.0.0.1:51612","method":"GET","host":"login-mydomain.duckdns.org","path":"/login","referer":""}
{"level":"info","ts":1564811295.2238116,"msg":"OpenID userinfo body: %!(EXTRA string={\"sub\":\"00u10sz2uca2AL8Do357\",\"name\":\"xxxx xxxxxxx\",\"locale\":\"en-US\",\"email\":\"xxxxxxx@gmail.com\",\"preferred_username\":\"xxxxxxx@gmail.com\",\"given_name\":\"xxxx\",\"family_name\":\"xxxxxxx\",\"zoneinfo\":\"America/Los_Angeles\",\"updated_at\":1564463612,\"email_verified\":true})"}
{"level":"warn","ts":1564811295.239589,"msg":"domain login-mydomain.duckdns.org not found in any domains []"}
{"level":"info","ts":1564811295.2417097,"msg":"|302| 858.309363ms /auth","statusCode":302,"request":9,"latency":0.858309363,"avgLatency":0.484711784,"ipPort":"127.0.0.1:51614","method":"GET","host":"login-mydomain.duckdns.org","path":"/auth","referer":""}
{"level":"error","ts":1564811295.2560842,"msg":"no jwt found in request"}
{"level":"warn","ts":1564811295.2566383,"msg":"domain mydomain.duckdns.org not found in any domains []"}
{"level":"info","ts":1564811295.2570825,"msg":"|401|  903.543µs /validate","statusCode":401,"request":10,"latency":0.000903543,"avgLatency":0.43633096,"ipPort":"127.0.0.1:51616","method":"GET","host":"mydomain.duckdns.org","path":"/validate","referer":""}
{"level":"warn","ts":1564811295.2691314,"msg":"domain login-mydomain.duckdns.org not found in any domains []"}
{"level":"info","ts":1564811295.2720904,"msg":"|302| 2.991517ms /login","statusCode":302,"request":11,"latency":0.002991517,"avgLatency":0.396936466,"ipPort":"127.0.0.1:51618","method":"GET","host":"login-mydomain.duckdns.org","path":"/login","referer":""}
{"level":"info","ts":1564811296.3716736,"msg":"OpenID userinfo body: %!(EXTRA string={\"sub\":\"00u10sz2uca2AL8Do357\",\"name\":\"xxxx xxxxxxx\",\"locale\":\"en-US\",\"email\":\"xxxxxxx@gmail.com\",\"preferred_username\":\"xxxxxxx@gmail.com\",\"given_name\":\"xxxx\",\"family_name\":\"xxxxxxx\",\"zoneinfo\":\"America/Los_Angeles\",\"updated_at\":1564463612,\"email_verified\":true})"}
{"level":"warn","ts":1564811296.3934019,"msg":"domain login-mydomain.duckdns.org not found in any domains []"}
{"level":"info","ts":1564811296.396406,"msg":"|302| 820.775427ms /auth","statusCode":302,"request":12,"latency":0.820775427,"avgLatency":0.432256379,"ipPort":"127.0.0.1:51620","method":"GET","host":"login-mydomain.duckdns.org","path":"/auth","referer":""}
{"level":"error","ts":1564811296.434284,"msg":"no jwt found in request"}
{"level":"warn","ts":1564811296.43474,"msg":"domain mydomain.duckdns.org not found in any domains []"}
{"level":"info","ts":1564811296.4350607,"msg":"|401|  746.929µs /validate","statusCode":401,"request":13,"latency":0.000746929,"avgLatency":0.399063345,"ipPort":"127.0.0.1:51622","method":"GET","host":"mydomain.duckdns.org","path":"/validate","referer":""}
{"level":"warn","ts":1564811296.4487345,"msg":"domain login-mydomain.duckdns.org not found in any domains []"}
{"level":"info","ts":1564811296.451844,"msg":"|302| 3.182194ms /login","statusCode":302,"request":14,"latency":0.003182194,"avgLatency":0.37078612,"ipPort":"127.0.0.1:51624","method":"GET","host":"login-mydomain.duckdns.org","path":"/login","referer":""}
{"level":"info","ts":1564811297.3613815,"msg":"OpenID userinfo body: %!(EXTRA string={\"sub\":\"00u10sz2uca2AL8Do357\",\"name\":\"xxxx xxxxxxx\",\"locale\":\"en-US\",\"email\":\"xxxxxxx@gmail.com\",\"preferred_username\":\"xxxxxxx@gmail.com\",\"given_name\":\"xxxx\",\"family_name\":\"xxxxxxx\",\"zoneinfo\":\"America/Los_Angeles\",\"updated_at\":1564463612,\"email_verified\":true})"}
{"level":"warn","ts":1564811297.3736796,"msg":"domain login-mydomain.duckdns.org not found in any domains []"}
{"level":"info","ts":1564811297.3754253,"msg":"|302| 621.531881ms /auth","statusCode":302,"request":15,"latency":0.621531881,"avgLatency":0.387502504,"ipPort":"127.0.0.1:51626","method":"GET","host":"login-mydomain.duckdns.org","path":"/auth","referer":""}


Most upvoted comments

Vouch relies on the ability to share a cookie between the Vouch domain and the application it’s protecting; it will not work if Vouch is on a completely different domain. One way to do this is to use different subdomains of a domain you control. Depending on your other Vouch config settings, you might need to tell Vouch which domain to set the cookie on, so that it is visible to all of those hosts, by using the vouch.cookie.domain setting as described above.