unauthorized login after adding traefik


I just added Traefik to a project that I'm working on, and when I try to log in I get a 401 Unauthorized. The authentication process was working fine before.

The authentication is an SSO based on SPNEGO, Kerberos and LDAP.

In the login service, I logged the header params that I receive in the request:

host<=>serverB:7012
user-agent<=>Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36
accept<=>application/json, text/plain, */*
accept-encoding<=>gzip, deflate, br
accept-language<=>fr-FR,fr;q=0.9,en-US;q=0.8,en;q=0.7,ar;q=0.6
cache-control<=>no-cache
expires<=>Sat, 01 Jan 2000 00:00:00 GMT
origin<=>https://serverA:8780
pragma<=>no-cache
referer<=>https://serverA:8780/
sec-ch-ua<=>"Not.A/Brand";v="8", "Chromium";v="114", "Google Chrome";v="114"
sec-ch-ua-mobile<=>?0
sec-ch-ua-platform<=>"Windows"
sec-fetch-dest<=>empty
sec-fetch-mode<=>cors
sec-fetch-site<=>cross-site
x-b3-flags<=>0
x-b3-parentspanid<=>5b4839cd01e98d27
x-b3-sampled<=>true
x-b3-spanid<=>1e2966464c9de98d
x-b3-traceid<=>5ebea177a90c149f985d142fd4065369
x-forwarded-for<=>10.19.48.61
x-forwarded-host<=>serverB:7012
x-forwarded-port<=>7012
x-forwarded-proto<=>https
x-forwarded-server<=>serverB
x-real-ip<=>x.x.x.x // clientHostIp

From Chrome I have:

  • Request header :
Access-Control-Allow-Credentials:true
Access-Control-Allow-Origin:https://serverA:8780
Access-Control-Expose-Headers:Content-type, Authorization
Cache-Control:no-cache, no-store, max-age=0, must-revalidate
Content-Length:150
Content-Type:application/json;charset=UTF-8
Date:Tue, 18 Jul 2023 12:04:08 GMT
Expires:0
Pragma:no-cache
Strict-Transport-Security:max-age=31536000 ; includeSubDomains
Vary:Access-Control-Request-Headers
Vary:Access-Control-Request-Method
Vary:Origin
Www-Authenticate:Negotiate
X-Content-Type-Options:nosniff
X-Frame-Options:DENY
X-Xss-Protection:1; mode=block
  • Response header :
:Authority:serverB:7012
:Method:GET
:Path:/Auth/security/login
:Scheme:https
Accept:application/json, text/plain, */*
Accept-Encoding:gzip, deflate, br
Accept-Language:fr-FR,fr;q=0.9,en-US;q=0.8,en;q=0.7,ar;q=0.6
Cache-Control:no-cache
Expires:Sat, 01 Jan 2000 00:00:00 GMT
Origin:https://serverA:8780
Pragma:no-cache
Referer:https://serverA:8780/
Sec-Ch-Ua:"Not.A/Brand";v="8", "Chromium";v="114", "Google Chrome";v="114"
Sec-Ch-Ua-Mobile:?0
Sec-Ch-Ua-Platform:"Windows"
Sec-Fetch-Dest:empty
Sec-Fetch-Mode:cors
Sec-Fetch-Site:cross-site
User-Agent:Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36

My TOML file:

logLevel = "DEBUG"

[traefikLog]
  filePath = "/xxx/binaries/traefik/logs/traefik.log" 

[accessLog]
  filePath = "/xxx/binaries/traefik/logs/access.log"

defaultEntryPoints = ["http"]


[entryPoints]
  [entryPoints.http]
    address = ":7012"
    [entryPoints.http.tls]
      [[entryPoints.http.tls.certificates]]
      certFile = "path-to-crt-file/traefik.crt"
      keyFile = "path-to-key-file/traefik.key"
  [entryPoints.admin]
    address = "serverB:8081"
    [entryPoints.admin.auth]
     [entryPoints.admin.auth.basic]
       users = ["admin:{SHA}0y9IVHbX4ddz5zd4z5I="]
  [entryPoints.ping]
    address = "serverB:8082"

[api]
  entrypoint="admin"
  [api.statistics]
    RecentErrors = 10
[ping]
  entryPoint = "ping"

[consulCatalog]
  endpoint = "xx.xx.xx.xx:8500"
  watch = true
  prefix = "traefik" 

[tracing]
  backend = "zipkin"
  serviceName = "traefik"
  [tracing.zipkin]
    httpEndpoint = "http://server:9411/api/v1/spans"
    debug = false

Also, I have this error in the Auth service logs:

>>> KDCRep: init() encoding tag is 126 req type is 11
>>>KRBError:
     sTime is Mon Jul 17 17:29:45 CEST 2023 1689607785000
     suSec is 379445
     error code is 25
     error Message is Additional pre-authentication required
     sname is krbtgt/xxx@xx
     eData provided.
     msgType is 30
>>>Pre-Authentication Data:
     PA-DATA type = 11
     PA-ETYPE-INFO etype = 23, salt = 

>>>Pre-Authentication Data:
     PA-DATA type = 19
     PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null

>>>Pre-Authentication Data:
     PA-DATA type = 2
     PA-ENC-TIMESTAMP
>>>Pre-Authentication Data:
     PA-DATA type = 16

>>>Pre-Authentication Data:
     PA-DATA type = 15

Authentication is still working fine when I call the service directly without passing through Traefik.

Should I use forwardAuth, or is there something messing with the Traefik config?

Thank you for your help and time.

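As an added diagnostic example (not part of the original question, and not code from the asker or from Traefik): the header dump logged by the login service contains no `authorization` entry, so a small parser for the same `name<=>value` format can confirm whether the browser ever answered the `Www-Authenticate: Negotiate` challenge and, if it did, whether the token was SPNEGO/Kerberos or NTLM. The sample dump and the function names are constructed for illustration.

```python
import base64

# Constructed sample: a few headers in the "name<=>value" format the login service logged.
SAMPLE_DUMP = """\
host<=>serverB:7012
origin<=>https://serverA:8780
sec-fetch-mode<=>cors
x-forwarded-proto<=>https
"""

SPNEGO_OID = bytes.fromhex("06062b0601050502")      # DER for 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("06092a864886f712010202")  # DER for 1.2.840.113554.1.2.2


def parse_dump(text):
    """Turn 'name<=>value' lines into a dict keyed by lower-cased header name."""
    headers = {}
    for line in text.splitlines():
        name, sep, value = line.partition("<=>")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def classify_negotiate(headers):
    """Report which stage of the SPNEGO exchange the logged request represents."""
    auth = headers.get("authorization")
    if auth is None:
        return "no-authorization-header"   # client never answered the 401 challenge
    scheme, _, blob = auth.partition(" ")
    if scheme.lower() != "negotiate":
        return "other-scheme:" + scheme.lower()
    try:
        token = base64.b64decode(blob.strip(), validate=True)
    except ValueError:                     # binascii.Error is a ValueError subclass
        return "negotiate-malformed-base64"
    if token.startswith(b"NTLMSSP\x00"):
        return "negotiate-ntlm-fallback"   # client sent NTLM, not a Kerberos ticket
    if token[:1] == b"\x60" and SPNEGO_OID in token[:16]:
        return "negotiate-spnego"
    if token[:1] == b"\x60" and KRB5_OID in token[:20]:
        return "negotiate-raw-kerberos"
    return "negotiate-unknown-token"
```

Running `classify_negotiate(parse_dump(...))` on the dump captured behind the proxy and on one captured when calling the service directly shows at which point the two exchanges diverge.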