The JWT authentication cannot be used normally with the sample configuration. #34

Closed
opened 2025-12-29 14:22:48 +01:00 by adam · 9 comments
Originally created by @JoJenH on GitHub (Feb 7, 2025).

![Image](https://github.com/user-attachments/assets/8721c8ed-5dd6-4856-b5f0-74ad97a0041c)

It looks like the cookie was only assigned at 127.0.0.1. I'm not good at Web development, so I didn't know what was wrong.

adam closed this issue 2025-12-29 14:22:48 +01:00
@yusing commented on GitHub (Feb 7, 2025):

This is because the frontend is trying to access the API via "127.0.0.1:8888", and the NextJS rewrite function doesn't pass the "Host" field to the API.

But this should not cause any issue. When the "Domain" value in the cookie is invalid, it will be dropped, and then the browser will set it to the current domain like "godoxy.domain.com".

You can simply ignore this error message. If this causes any issue, please let me know.

@JoJenH commented on GitHub (Feb 7, 2025):

Thank you. After a proper login, the server returns the correct set-cookie, but the frontend does not store it, resulting in a redirect to the login page. I will check again and if there is a problem, I will give feedback again.

@yusing commented on GitHub (Feb 7, 2025):

Could you remove everything and do setup again? Also please DM me the .env on Discord to see if you have set anything wrong.

@JoJenH commented on GitHub (Feb 7, 2025):

The `.env` file:

```
# set timezone to get correct log timestamp
# (zone names are case-sensitive; "ETC/UTC" is not a valid zone)
TZ=Etc/UTC

# API/WebUI user password login credentials (optional)
# These fields are not required for OIDC authentication
GODOXY_API_USER=admin
GODOXY_API_PASSWORD=password
# generate secret with `openssl rand -base64 32`
GODOXY_API_JWT_SECRET=ZXl6tP4a9JeFK+eZZzzVlpYhIPjiBE16EyZepwyZDKA=
# the JWT token time-to-live
GODOXY_API_JWT_TOKEN_TTL=1h

# OIDC Configuration (optional)
# Uncomment and configure these values to enable OIDC authentication.
# GODOXY_OIDC_ISSUER_URL=https://accounts.google.com
# GODOXY_OIDC_CLIENT_ID=your-client-id
# GODOXY_OIDC_CLIENT_SECRET=your-client-secret
# Keep /api/auth/callback as the redirect URL, change the domain to match your setup.
# GODOXY_OIDC_REDIRECT_URL=https://your-domain/api/auth/callback
# Comma-separated list of scopes
# GODOXY_OIDC_SCOPES=openid, profile, email
#
# User definitions: Uncomment and configure these values to restrict access to specific users or groups.
# These two fields act as a logical AND operator. For example, given the following membership:
#   user1, group1
#   user2, group1
#   user3, group2
#   user1, group2
# You can allow access to user3 AND all users of group1 by providing:
#   # GODOXY_OIDC_ALLOWED_USERS=user3
#   # GODOXY_OIDC_ALLOWED_GROUPS=group1
#
# Comma-separated list of allowed users.
# GODOXY_OIDC_ALLOWED_USERS=user1,user2
# Optional: Comma-separated list of allowed groups.
# GODOXY_OIDC_ALLOWED_GROUPS=group1,group2

# Proxy listening address
GODOXY_HTTP_ADDR=:80
GODOXY_HTTPS_ADDR=:443

# API listening address
GODOXY_API_ADDR=127.0.0.1:8888

# Prometheus Metrics
GODOXY_PROMETHEUS_ENABLED=true

# Debug mode
GODOXY_DEBUG=false
```

The `config.yml` file:

```yml
# Autocert (choose one below and uncomment to enable)
#
# 1. use existing cert

# autocert:
#   provider: local

# 2. cloudflare
# autocert:
#   provider: cloudflare
#   email: abc@gmail.com # ACME Email
#   domains: # a list of domains for cert registration
#     - "*.domain.com"
#     - "domain.com"
#   options:
#     auth_token: c1234565789-abcdefghijklmnopqrst # your zone API token

# 3. other providers, see https://github.com/yusing/go-proxy/wiki/Supported-DNS%E2%80%9001-Providers#supported-dns-01-providers

entrypoint:
  # Below define an example of middleware config
  # 1. block non local IP connections
  # 2. redirect HTTP to HTTPS
  #
  # middlewares:
  #   - use: CIDRWhitelist
  #     allow:
  #       - "127.0.0.1"
  #       - "10.0.0.0/8"
  #       - "172.16.0.0/12"
  #       - "192.168.0.0/16"
  #     status: 403
  #     message: "Forbidden"
  #   - use: RedirectHTTP

  # below enables access log
  access_log:
    format: combined
    path: /app/logs/entrypoint.log

providers:
  # include files are standalone yaml files under `config/` directory
  #
  # include:
  #   - file1.yml
  #   - file2.yml

  docker:
    # $DOCKER_HOST implies environment variable `DOCKER_HOST` or unix:///var/run/docker.sock by default
    local: $DOCKER_HOST

    # explicit only mode
    # only containers with explicit aliases will be proxied
    # add "!" after provider name to enable explicit only mode
    #
    # local!: $DOCKER_HOST
    #
    # add more docker providers if needed
    # for value format, see https://docs.docker.com/reference/cli/dockerd/
    #
    # remote-1: tcp://10.0.2.1:2375
    # remote-2: ssh://root:1234@10.0.2.2

  # notification providers (notify when service health changes)
  #
  # notification:
  #   - name: gotify
  #     provider: gotify
  #     url: https://gotify.domain.tld
  #     token: abcd
  #   - name: discord
  #     provider: webhook
  #     url: https://discord.com/api/webhooks/...
  #     template: discord # this means use payload template from internal/notif/templates/discord.json

# Check https://github.com/yusing/go-proxy/wiki/Certificates-and-domain-matching#domain-matching
# for explanation of `match_domains`
#
# match_domains:
#   - my.site
#   - node1.my.app

# homepage config
homepage:
  # use default app categories detected from alias or docker image name
  use_default_categories: true

# Below are fixed options (non hot-reloadable)

# timeout for shutdown (in seconds)
timeout_shutdown: 5
```

The `docker-compose.yaml` file:

```yaml
---
services:
  frontend:
    image: ghcr.io/yusing/go-proxy-frontend:latest
    container_name: godoxy-frontend
    restart: unless-stopped
    network_mode: host
    env_file: .env
    depends_on:
      - app
    # modify below to fit your needs
    labels:
      proxy.aliases: godoxy
      proxy.godoxy.port: 3000
      # proxy.godoxy.middlewares.cidr_whitelist: |
      #   status: 403
      #   message: IP not allowed
      #   allow:
      #     - 127.0.0.1
      #     - 10.0.0.0/8
      #     - 192.168.0.0/16
      #     - 172.16.0.0/12
  app:
    image: ghcr.io/yusing/go-proxy:latest
    container_name: godoxy
    restart: always
    network_mode: host
    env_file: .env
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - ./config:/app/config
      - ./logs:/app/logs
      # - ./error_pages:/app/error_pages

      # To use autocert, certs will be stored in "./certs".
      # You can also use a docker volume to store it
      - ./certs:/app/certs

      # remove "./certs:/app/certs" and uncomment below to use existing certificate
      # - /path/to/certs/cert.crt:/app/certs/cert.crt
      # - /path/to/certs/priv.key:/app/certs/priv.key
```

Server returns a cookie:

![Image](https://github.com/user-attachments/assets/656d9e6a-447e-43f9-bfb4-daea6b5c0d26)

But the client does not store it or send it to the server in the check request:

![Image](https://github.com/user-attachments/assets/a930db84-49f3-4a7d-b1a1-5c3241f665f6)

So I get a 401 status code and am returned to the login page.

@yusing commented on GitHub (Feb 7, 2025):

Check if there is a token cookie in Storage > Cookies?

@JoJenH commented on GitHub (Feb 7, 2025):

No.

@JoJenH commented on GitHub (Feb 7, 2025):

Edge, Google Chrome and Firefox.

@yusing commented on GitHub (Feb 7, 2025):

I see the issue. As said in the Wiki, authentication only works over HTTPS. The set-cookie has the "Secure: true" property as a security measure.

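To check the two cookie rules this thread runs into (a `Secure` cookie is never sent back over plain HTTP, and a cookie whose `Domain` does not match the site host is rejected outright), here is an added example that is not part of godoxy or of the original thread. It feeds constructed `Set-Cookie` headers into Go's standard RFC 6265 jar (`net/http/cookiejar`, the same storage and matching rules browsers apply) for the thread's example host `godoxy.domain.com` and reports whether the token cookie would accompany the follow-up `/api/auth/check` request; the cookie name `token` and the request path are assumptions.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/cookiejar"
	"net/url"
)

// parseSetCookie parses a raw Set-Cookie value exactly as net/http does for
// a server response, so the jar sees the attributes the server actually sent.
func parseSetCookie(raw string) []*http.Cookie {
	resp := &http.Response{Header: http.Header{"Set-Cookie": {raw}}}
	return resp.Cookies()
}

// cookieSentBack stores the Set-Cookie from a response to siteURL in a fresh
// RFC 6265 jar and reports whether a cookie named "token" would be attached
// to the next request to the same URL. false means it was either rejected at
// storage time (Domain does not match the host) or withheld at send time
// (Secure cookie on an http:// origin).
func cookieSentBack(siteURL, rawSetCookie string) (bool, error) {
	u, err := url.Parse(siteURL)
	if err != nil {
		return false, err
	}
	jar, err := cookiejar.New(nil) // nil PublicSuffixList: host/domain matching only
	if err != nil {
		return false, err
	}
	jar.SetCookies(u, parseSetCookie(rawSetCookie))
	for _, c := range jar.Cookies(u) {
		if c.Name == "token" {
			return true, nil
		}
	}
	return false, nil
}

func main() {
	const secure = "token=abc; Path=/; Secure; HttpOnly" // constructed sample
	cases := []struct{ site, setCookie string }{
		{"http://godoxy.domain.com/api/auth/check", secure},  // plain HTTP: withheld
		{"https://godoxy.domain.com/api/auth/check", secure}, // HTTPS: sent, login sticks
		// Domain set to the API bind address instead of the site host: rejected whole.
		{"https://godoxy.domain.com/api/auth/check", "token=abc; Path=/; Domain=127.0.0.1; Secure; HttpOnly"},
	}
	for _, c := range cases {
		ok, err := cookieSentBack(c.site, c.setCookie)
		fmt.Printf("%-42s %-58s sent=%v err=%v\n", c.site, c.setCookie, ok, err)
	}
}
```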
@JoJenH commented on GitHub (Feb 7, 2025):

Thanks. My mistake.

Reference: starred/godoxy-yusing#34