
Trusted IPs broken...? #375

@IngwiePhoenix

Description


Hello there!

I have been trying to make IP whitelisting work, but have not been successful.

Here is the whole deployment:

apiVersion: v1
kind: Namespace
metadata:
  name: traefik-auth
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: auth-cm
  namespace: traefik-auth
data:
  TRUSTED_IP_ADDRESS: 192.168.1.0/24,100.64.0.0/24
  AUTH_HOST: auth.birb.it
  COOKIE_DOMAIN: birb.it
  LOG_LEVEL: debug
  LOG_FORMAT: pretty
---
apiVersion: v1
kind: Secret
metadata:
  name: oidc-creds
  namespace: traefik-auth
type: Opaque
stringData:
  DEFAULT_PROVIDER: oidc
  SECRET: <snip>
  PROVIDERS_OIDC_ISSUER_URL: https://keycloak.birb.it/realms/master
  PROVIDERS_OIDC_CLIENT_ID: <snip>
  PROVIDERS_OIDC_CLIENT_SECRET: <snip>
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: auth-app
  namespace: traefik-auth
  labels:
    app: traefik-forward-auth
spec:
  replicas: 1
  selector:
    matchLabels:
      app: traefik-forward-auth
  strategy:
    type: Recreate
  template:
    metadata:
      labels:
        app: traefik-forward-auth
    spec:
      terminationGracePeriodSeconds: 60
      containers:
        - name: app
          image: thomseddon/traefik-forward-auth:2-arm64
          args:
            - --rule.homelab.action=allow
            - --rule.homelab.rule=ClientIP(`192.168.1.0/24`)
          ports:
            - containerPort: 4181
              protocol: TCP
          envFrom:
            - secretRef:
                name: oidc-creds
            - configMapRef:
                name: auth-cm
---
apiVersion: v1
kind: Service
metadata:
  name: auth-svc
  namespace: traefik-auth
  labels:
    app: traefik-forward-auth
spec:
  type: ClusterIP
  selector:
    app: traefik-forward-auth
  ports:
  - name: auth-http
    port: 4181
    targetPort: 4181
---
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: auth-trm
  namespace: traefik-auth
spec:
  forwardAuth:
    # workaround; traefik's dns ignores search domains...
    address: http://auth-svc.traefik-auth.svc.kube.birb.it:4181
    trustForwardHeader: true
    authResponseHeaders:
      - X-Forwarded-User
---
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
  name: auth-ir
  namespace: traefik-auth
spec:
  entryPoints:
    - websecure
  routes:
    - match: Host(`auth.birb.it`)
      kind: Rule
      services:
        - name: auth-svc
          port: auth-http
          #passHostHeader: true
          #scheme: http

In the logs, I can see the request arriving and even showing the correct IP; and yet, it yeets the request to Keycloak.

time="2024-05-12T17:26:59Z" level=debug msg="Authenticating request" cookies="[]" handler=Auth host=router.birb.it method=GET proto=https rule=default source_ip=192.168.1.4 uri=/
time="2024-05-12T17:26:59Z" level=debug msg="Set CSRF cookie and redirected to provider login url" csrf_cookie="_forward_auth_csrf=c5dd67ee78e3fa4c824dca83a41b3f2c; Path=/; Domain=birb.it; Expires=Mon, 13 May 2024 05:26:59 GMT; HttpOnly; Secure" handler=Auth host=router.birb.it login_url="https://keycloak.birb.it/realms/master/(...snip...)" method=GET proto=https rule=default source_ip=192.168.1.4 uri=/

The "homelab" rule I tried to use gets completely ignored (but is loaded), and the initial config object being printed also does not seem to include the IP whitelist.

{
  "LogLevel": "debug",
  "LogFormat": "pretty",
  "AuthHost": "auth.birb.it",
  "CookieDomains": [
    {
      "Domain": "birb.it",
      "DomainLen": 7,
      "SubDomain": ".birb.it",
      "SubDomainLen": 8
    }
  ],
  "InsecureCookie": false,
  "CookieName": "_forward_auth",
  "CSRFCookieName": "_forward_auth_csrf",
  "DefaultAction": "auth",
  "DefaultProvider": "oidc",
  "Domains": null,
  "LifetimeString": 43200,
  "LogoutRedirect": "",
  "MatchWhitelistOrDomain": false,
  "Path": "/_oauth",
  "Whitelist": null,
  "Providers": {
    "Google": {
      "ClientID": "",
      "Scope": "",
      "Prompt": "select_account",
      "LoginURL": null,
      "TokenURL": null,
      "UserURL": null
    },
    "OIDC": {
      "IssuerURL": "https://keycloak.birb.it/realms/master",
      "ClientID": "/* snip */",
      "Resource": "",
      "Config": {
        /* snip */
        "RedirectURL": "",
        "Scopes": [
          "openid",
          "profile",
          "email"
        ]
      }
    },
    "GenericOAuth": {
      "AuthURL": "",
      "TokenURL": "",
      "UserURL": "",
      "ClientID": "",
      "Scopes": [
        "profile",
        "email"
      ],
      "TokenStyle": "header",
      "Resource": "",
      "Config": null
    }
  },
  "Rules": {
    "homelab": {
      "Action": "allow",
      "Rule": "ClientIP(`192.168.1.0/24`)",
      "Provider": "oidc"
    }
  },
  "Lifetime": 43200000000000,
  "CookieDomainsLegacy": null,
  "CookieSecureLegacy": "",
  "ClientIdLegacy": "",
  "PromptLegacy": ""
}

Is there anything else I missed?

Thanks and kind regards,
Ingwie
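The decision the issue is chasing ("allow" for a trusted range, otherwise fall through to the OIDC login) hinges on which address the forward-auth service treats as the client. Behind a proxy the TCP peer is the proxy itself, so a forward-auth service can only allowlist by client IP if it reads X-Forwarded-For, which is what `trustForwardHeader: true` asks Traefik to pass along. The following is an added, stand-alone illustration of that trade-off; it is not code from this issue or from traefik-forward-auth. It reuses the issue's `TRUSTED_IP_ADDRESS` value and its `allow`/`auth` action names; the proxy address 10.42.0.7 and the three sample requests are constructed for the example.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// Allowlist is a parsed set of CIDR ranges. The sample value used below
// mirrors the TRUSTED_IP_ADDRESS setting from the issue; everything else
// here is an independent illustration, not traefik-forward-auth's own code.
type Allowlist []*net.IPNet

// ParseAllowlist turns a comma-separated list of CIDRs (or bare IPs) into an
// Allowlist. A bare IP is widened to a /32 (or /128) so "192.168.1.4" also works.
func ParseAllowlist(csv string) (Allowlist, error) {
	var out Allowlist
	for _, item := range strings.Split(csv, ",") {
		item = strings.TrimSpace(item)
		if item == "" {
			continue
		}
		if !strings.Contains(item, "/") {
			if ip := net.ParseIP(item); ip != nil {
				if ip.To4() != nil {
					item += "/32"
				} else {
					item += "/128"
				}
			}
		}
		_, n, err := net.ParseCIDR(item)
		if err != nil {
			return nil, fmt.Errorf("bad trusted address %q: %w", item, err)
		}
		out = append(out, n)
	}
	return out, nil
}

// Contains reports whether ip falls inside any allowlisted range.
func (a Allowlist) Contains(ip net.IP) bool {
	for _, n := range a {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}

// ClientIP picks the address an allowlist decision is made on.
// trustForward=true (the analogue of Traefik's trustForwardHeader: true) takes
// the first X-Forwarded-For entry, which is the real client only if every proxy
// in front of this service overwrites or validates that header.
// trustForward=false ignores the header and uses the TCP peer (remoteAddr),
// which for a forward-auth service is the proxy, never the browser.
func ClientIP(remoteAddr, xff string, trustForward bool) net.IP {
	if trustForward && xff != "" {
		first := strings.TrimSpace(strings.Split(xff, ",")[0])
		if ip := net.ParseIP(first); ip != nil {
			return ip
		}
	}
	host, _, err := net.SplitHostPort(remoteAddr)
	if err != nil {
		host = remoteAddr
	}
	return net.ParseIP(host)
}

// Decide returns "allow" when the chosen client IP is trusted and "auth"
// (fall through to the OIDC login flow) otherwise, using the action names
// from the issue's rule configuration.
func Decide(a Allowlist, remoteAddr, xff string, trustForward bool) string {
	if ip := ClientIP(remoteAddr, xff, trustForward); ip != nil && a.Contains(ip) {
		return "allow"
	}
	return "auth"
}

func main() {
	a, err := ParseAllowlist("192.168.1.0/24,100.64.0.0/24")
	if err != nil {
		panic(err)
	}
	// Constructed samples: remote is the TCP peer as the auth service sees it
	// (the proxy at 10.42.0.7, an assumed address), xff is what the proxy forwarded.
	// The third case is what reaches us if the proxy appends to, rather than
	// replaces, an X-Forwarded-For header the client made up.
	cases := []struct{ name, remote, xff string }{
		{"LAN client via proxy", "10.42.0.7:51234", "192.168.1.4"},
		{"Internet client via proxy", "10.42.0.7:51235", "203.0.113.9"},
		{"Internet client spoofing XFF", "10.42.0.7:51236", "192.168.1.4, 203.0.113.9"},
	}
	for _, c := range cases {
		fmt.Printf("%-30s trustForward=true: %-5s  trustForward=false: %s\n",
			c.name, Decide(a, c.remote, c.xff, true), Decide(a, c.remote, c.xff, false))
	}
}
```

Run it with `go run .`: with `trustForward=false` every request is sent to login, because the peer is always the proxy; with `trustForward=true` the LAN client is allowed, but so is the spoofed request, because the first X-Forwarded-For entry is whatever the client wrote. Traefik only passes a client-supplied X-Forwarded-For through if the entryPoint's `forwardedHeaders` settings trust that peer (`trustedIPs` or `insecure`); otherwise it replaces the header with the peer address, which is what makes `trustForwardHeader: true` on the middleware acceptable. Check that entryPoint setting before relying on an IP allowlist in forward-auth.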
