
Comments (7)

vulcan25 commented on May 21, 2024

Got it... I needed to set the Host header in two places.

From the README:

location = /validate {
    # Vouch Proxy can run behind the same nginx-revproxy
    # May need to add "internal", and comply to "upstream" server naming
    proxy_pass http://vouch.yourdomain.com:9090;

    # Vouch Proxy only acts on the request headers
    proxy_pass_request_body off;
    proxy_set_header Content-Length "";

    #[snip]
}

I'd obviously looked past the fact that the proxy_pass directive here contains a hostname, whereas in my case I was pointing to an IP:port combo.

So yes, this location block required the addition of:

proxy_set_header Host login.example.com; # or vouch.example.com going by the doc's naming scheme.

Funnily enough I'd already done this elsewhere in the config, as the documentation specifically states a few lines down:

If Vouch is configured behind the same nginx reverseproxy (perhaps so you can configure ssl) be sure to pass the Host header properly, otherwise the JWT cookie cannot be set into the domain.

server {
    listen 80 default_server;
    server_name vouch.yourdomain.com;
    location / {
        proxy_set_header Host vouch.yourdomain.com;
        proxy_pass http://127.0.0.1:9090;
    }
}

It's late, and perhaps I've missed something, but this appears to be working now. What I can't understand is why this error wouldn't have been caught with allowAllUsers: true. Perhaps this signifies another bug?

Either way, thanks for your assistance. I plan to do some more testing tomorrow and make sure non-whitelisted users can't get access, etc.

from vouch-proxy.

bnfinet commented on May 21, 2024

thanks for the detailed report

you may prefer turning on vouch.testing: true while you approach the problem which will both help you see what Vouch Proxy is doing as well as slow down the interactions with GitHub.

The config looks sound though the oauth.scopes: is suspect. I think you'd want to remove that to set - user on your behalf.

And of course logLevel: debug might be helpful

Try those and see if it helps.

from vouch-proxy.

vulcan25 commented on May 21, 2024

Thanks for the prompt reply, I'll definitely keep you updated.

As for the scopes thing, I didn't actually want the user scope, which appears to be the default. I'm happy with just read-only perms on the user's GitHub account. I'm not sure if this would cause a problem when allowAllUsers: false is applied, but I can certainly test with this setting removed.

from vouch-proxy.

bnfinet commented on May 21, 2024

from vouch-proxy.

vulcan25 commented on May 21, 2024

That doesn't appear to be the case. With the 2 scope-related lines commented out (thus including the user scope), and allowAllUsers: false, I still have the redirect looping issue. Also, without the user scope vouch seems to be getting access to the user info; in fact, with the broken config (allowAllUsers: false) (and my original scope-excluding lines present) I get the following behaviour:

When I hit my protected endpoint with testing on, Vouch catches a redirect to 302 redirect to: https://github.com/login/oauth/authorize?client_id=[SNIPasdlkjasldkjasd]&response_type=code&scope=&state=[SNIPalksdjalsdjalksdjaksd].

I click this link and the debug log actually shows (among other stuff):

time="2019-01-28T22:59:23Z" level=info msg="github userinfo body: ***Big load of json relating to account***
time="2019-01-28T22:59:23Z" level=debug msg="found user.Username in WhiteList: vulcan25"
time="2019-01-28T22:59:23Z" level=error msg="no bucket for users"
time="2019-01-28T22:59:23Z" level=debug msg="new user.. setting created on to 1223234[SNIP]"

But then proceeds to catch a redirect back to my endpoint which when I follow it, vouch debug shows (among other stuff):

time="2019-01-28T23:00:19Z" level=info msg="jwt cookie" username=vulcan25
time="2019-01-28T23:00:19Z" level=error msg="not authorized for 172.31.41.62:9090"
time="2019-01-28T23:00:19Z" level=debug msg="domain matched array value at [0]=example.com"
time="2019-01-28T23:00:19Z" level=debug msg="setting the cookie domain to example.com"
time="2019-01-28T23:00:19Z" level=debug msg="CaptureWriter.WriteHeader set w.StatusCode 401"
time="2019-01-28T23:00:19Z" level=debug msg="Request handled successfully: 401"

Whereas the working configuration (with allowAllUsers=true) at this stage shows:

time="2019-01-28T22:55:17Z" level=debug msg="skipping verify user since cfg.Cfg.AllowAllUsers is true"

then when I follow the endpoint redirect:

time="2019-01-28T22:55:53Z" level=info msg="jwt cookie" username=vulcan25
time="2019-01-28T22:55:53Z" level=debug msg="response header" X-Vouch-User=vulcan25
time="2019-01-28T22:55:53Z" level=debug msg="CaptureWriter.Write set w.StatusCode 200"
time="2019-01-28T22:55:53Z" level=debug msg="Request handled successfully: 200"

There's obviously more to these log files, though.

from vouch-proxy.

bnfinet commented on May 21, 2024

"not authorized for 172.31.41.62:9090" doesn't look right

that comes from this block:
https://github.com/vouch/vouch-proxy/blob/master/handlers/handlers.go#L182-L184

That checks to confirm that the Host is authorized for one of the configured domains.

Please check that your nginx config is passing the Host header to Vouch Proxy properly

from vouch-proxy.
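To illustrate the Host-against-configured-domains check the comment above points to, here is an added example (not vouch-proxy's own code): the function name and its matching rules (port stripping, dot-boundary suffix match, rejecting bare IP addresses) are my assumptions. It shows why the `172.31.41.62:9090` Host value from the earlier log is rejected while a forwarded hostname under `example.com` passes.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// hostAuthorizedForDomains reports whether a Host header value belongs to one
// of the configured cookie domains. Hypothetical implementation for
// illustration only; not taken from vouch-proxy.
// A host matches when it equals a domain or is a subdomain of it. The "."
// boundary matters: "badexample.com" must not match "example.com".
func hostAuthorizedForDomains(host string, domains []string) bool {
	h := strings.ToLower(strings.TrimSpace(host))
	// Drop an optional :port. When nginx proxies to an IP:port without
	// proxy_set_header Host, the upstream sees exactly that IP:port here.
	if hostOnly, _, err := net.SplitHostPort(h); err == nil {
		h = hostOnly
	}
	h = strings.TrimSuffix(h, ".")
	// A bare IP address can never belong to a cookie domain.
	if h == "" || net.ParseIP(h) != nil {
		return false
	}
	for _, d := range domains {
		d = strings.ToLower(strings.TrimPrefix(d, "."))
		if h == d || strings.HasSuffix(h, "."+d) {
			return true
		}
	}
	return false
}

func main() {
	domains := []string{"example.com"} // constructed config, as in the log above
	// Constructed sample Host values for the two nginx configurations discussed.
	for _, host := range []string{
		"172.31.41.62:9090", // proxy_pass to IP:port, Host not set -> rejected
		"login.example.com", // Host forwarded by nginx -> authorized
		"badexample.com",    // must not match on a bare suffix
	} {
		fmt.Printf("%-20s authorized=%v\n", host, hostAuthorizedForDomains(host, domains))
	}
}
```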

bnfinet commented on May 21, 2024

glad it's working now, happy to help

closing

from vouch-proxy.
