Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Basic auth credentials are omitted on api requests #584

Open
jansauer opened this issue Jun 9, 2019 · 1 comment
Open

Basic auth credentials are omitted on api requests #584

jansauer opened this issue Jun 9, 2019 · 1 comment

Comments

@jansauer
Copy link

jansauer commented Jun 9, 2019

It is possible to setup a context with a api url that contains authentication credentials for basic auth but when the cli does request to the api they get omitted.

Steps to reproduce:

  1. Generate some
$ htpasswd -nbBC 8 fn mysecretpassword
fn:$2y$08$eXPyw.TUynvtd5EB750tJeBATIhM2gmY0SggFcEeDBetC7cuCfbp2
  1. Start a local fn instance with a proxy in front of it that does the basic authentication via docker. Replace the hostname with your own!
$ docker network create fn
$ docker run -d --rm \
  --name fn \
  --privileged \
  --volume /var/run/docker.sock:/var/run/docker.sock \
  --network fn \
  --label traefik.enable=true \
  --label traefik.port=8080 \
  --label traefik.frontend.rule=Host:MacBook-Pro-2.fritz.box \
  --label traefik.frontend.auth.basic.users=fn:\$2y\$08\$eXPyw.TUynvtd5EB750tJeBATIhM2gmY0SggFcEeDBetC7cuCfbp2 \
  fnproject/fnserver:0.3.707
$ docker run -d --rm \
  --name traefik \
  --volume /var/run/docker.sock:/var/run/docker.sock \
  --network fn \
  --publish 80:80 \
  --publish 8080:8080 \
  traefik:v1.7.12-alpine \
    --entryPoints='Name:http Address::80' \
    --defaultentrypoints='http' \
    --docker \
    --docker.domain=MacBook-Pro-2.fritz.box \
    --docker.exposedbydefault=false \
    --loglevel=INFO

Traefik is a cloud native reverse proxy / load-balancer. In this setup traefik searches docker for running containers and routes traffic based on labels it finds on the containers.

  1. Check that the fn api is up and requires basic authentication.
$ curl MacBook-Pro-2.fritz.box/v2/apps
401 Unauthorized
$ curl fn:[email protected]/v2/apps
{"items":[]}%
  1. Setup a context with the fn cli
$ fn create context --api-url "http://fn:[email protected]" auth
Successfully created context: auth
$ fn use ctx auth
Now using context: auth
$ fn list contexts
CURRENT	NAME	PROVIDER	API URL							REGISTRY
*	auth	default		http://fn:[email protected]
	default	default		http://localhost:8080
  1. Query something
$ fn list apps

Fn: &{ } (*modelsv2.Error) is not supported by the TextConsumer, can be resolved by supporting TextUnmarshaler interface

See 'fn <command> --help' for more information. Client version: 0.5.81

Unfortunately this error message is not really user friendly / understandable. But it is possible to use the traefik Total Status Code Count at http://localhost:8080/dashboard/status to see that the proxy responded with 401 Unauthorized.
I also used a http debug proxy (charles) to verify that the a authorization header is missing on the requests to the backend.

Expected behaviour

  1. A better error message in cases where api calls do not succeed.
  2. If it is possible to setup an api url with basic auth credentials i expect them to be used for request. Or at least not be able the successfully configure a api url with credentials
@WeiTangLau
Copy link

2 years later, I am facing this problem. Hopefully this will get supported soon.

Reason being I have multiple dashboards (traefik included), each using basic auth middleware. As such it is useful to get the 401 metrics.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@jansauer @WeiTangLau