nosduco / nforwardauth

Simple and minimalist forward auth service intended for use with reverse proxies (Traefik, Caddy, nginx, etc)

License: MIT License

Languages: Dockerfile 6.51%, CSS 5.03%, HTML 6.65%, JavaScript 13.81%, Rust 65.76%, Just 2.23%
Topics: authentication, caddy, docker, docker-compose, forwardauth, kubernetes, nginx, proxy, rust, self-hosted, traefik

nforwardauth's Introduction

👋 Hi, I'm Tony Duco (or nosduco)

🔭 I spend a lot of my time building, learning, and managing software! I’m currently working in the tech industry as a Staff Engineer with strong technical skills in full-stack web development, DevOps, and infrastructure. Keep a lookout on my profile for my various personal projects (Vim plugins, Linux utilities, website, etc.)

⚡ My interests and motivations mainly live in Linux, open source software, and high-scaling infrastructure.

🌱 I’m currently learning about scalable system designs, cloud platforms and frameworks (CloudFlare, Kubernetes, AWS), and constantly learning new programming languages and frameworks.

📝 Check out my website and the beginnings of my blog at tonydu.co.

😄 My pronouns are: he/him

📫 If you want to reach me, I'd suggest either Email, Matrix, or Discord

nforwardauth's People

Contributors

bt90, dependabot[bot], github-actions[bot], nosduco, otbutz, shimaowo

Forkers

bt90, otbutz, shimaowo

nforwardauth's Issues

mkpasswd command not found

Thanks for your work on this, looks great. Unfortunately I'm having trouble creating the passwd file because the mkpasswd command is not found when using the Synology DSM OS. Is there a way around this?

Basic auth in URL not working with Caddy

Thanks for your work on this, everything is working great except I can't pass basic auth through the url to skip the login page.

For example, http://user:[email protected] just takes me to the login page without signing in.

I'm guessing it's due to something I need to add to my Caddy config? I've provided my Docker and Caddy setup below.

Docker compose

services:
  nforwardauth:
    image: nosduco/nforwardauth:v1
    container_name: auth
    environment:
      - PUID=1026
      - PGID=1000
      - TZ=Country/City
      - TOKEN_SECRET=examplesecret
      - AUTH_HOST=auth.example.xyz
      - COOKIE_DOMAIN=example.xyz
      - PORT=3000
    volumes:
      - ./passwd/passwd.txt:/passwd:ro
    ports:
      - 3000:3000
    restart: unless-stopped 

Caddyfile

auth.example.xyz {
	reverse_proxy http://127.0.0.1:3000
}

service.example.xyz {
	forward_auth http://127.0.0.1:3000 {
		uri /
	}
	reverse_proxy http://127.0.0.1:1111
}

Press 'enter' to submit

Just wondering if it would be possible to press 'enter' to submit the username and password instead of needing to click on the submit button with the mouse? Just an easier flow.

Location header should respect X-Forwarded-Proto

The redirect only alters the scheme of the service URL. The URL of nforwardauth itself is hardcoded to http://

Could we use the same scheme for both? e.g.

    let scheme = if headers.contains_key(FORWARDED_PROTO) && !headers[FORWARDED_PROTO].is_empty()
    {
        headers[FORWARDED_PROTO].to_str().unwrap()
    } else {
        "http"
    };

    // No valid cookie/jwt found, create redirect url and return
    let mut location =
        Url::parse(format!("{}://{}/login", scheme, &Config::global().auth_host).as_str())?;
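The snippet above takes the X-Forwarded-Proto value verbatim and calls `to_str().unwrap()` on it. The following is an added example, not nforwardauth's own code, of the same idea with two practitioner caveats handled: the scheme is allow-listed (only an explicit `https` is honoured, anything else falls back to `http`, so a client-supplied header cannot steer the Location value to an arbitrary scheme), and a non-UTF-8 or comma-joined header value degrades to the fallback instead of panicking the handler. Headers are modelled as `(name, raw bytes)` pairs so it compiles with the standard library alone, and `auth_host` stands in for `Config::global().auth_host` from the snippet; both are assumptions of this example.

```rust
// Added example (not nforwardauth's own code): choose the redirect scheme from
// X-Forwarded-Proto without trusting the raw header value.
//
// ASSUMPTIONS: headers are modelled as (name, raw bytes) pairs so the example
// compiles with std only; `auth_host` stands in for Config::global().auth_host.
// The header is only meaningful when the reverse proxy in front of the service
// sets/overwrites it; the fallback below covers every other case.

/// Returns "https" only when the proxy explicitly says so. Header absent,
/// empty, non-UTF-8 or any unexpected value all fall back to "http".
/// Non-UTF-8 is exactly the case where `to_str().unwrap()` would panic.
pub fn forwarded_scheme(headers: &[(&str, &[u8])]) -> &'static str {
    let raw = headers
        .iter()
        .find(|(name, _)| name.eq_ignore_ascii_case("x-forwarded-proto"))
        .map(|(_, value)| *value);

    let first_hop = raw
        .and_then(|v| std::str::from_utf8(v).ok())
        // Chained proxies may join values with commas; the first entry is the
        // scheme the client actually used.
        .and_then(|v| v.split(',').next())
        .map(|v| v.trim());

    match first_hop {
        Some(v) if v.eq_ignore_ascii_case("https") => "https",
        _ => "http",
    }
}

/// Builds the Location value for the login redirect. The scheme is
/// allow-listed above and the host comes from the service's own
/// configuration, so nothing in the request controls the redirect target.
pub fn login_redirect(headers: &[(&str, &[u8])], auth_host: &str) -> String {
    format!("{}://{}/login", forwarded_scheme(headers), auth_host)
}

fn main() {
    // Constructed sample: what a TLS-terminating proxy forwards for an HTTPS hit.
    let headers: Vec<(&str, &[u8])> = vec![("X-Forwarded-Proto", &b"https"[..])];
    println!("{}", login_redirect(&headers, "auth.example.xyz"));
}
```

If the proxy is the only thing that can reach the service (the usual Docker network setup), X-Forwarded-Proto can be trusted; if the service port is also published directly, as in the Caddy issue above, a client can set the header itself, which is why the allow-list matters.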

Redirect does not work

Hi,

the redirect back after a successful login does not work.

Error:

time="2023-04-21T12:21:29+02:00" level=debug msg="Remote error https://auth.mgrote.net. StatusCode: 307" middlewareType=ForwardedAuthType middlewareName=nforwardauth@docker
time="2023-04-21T12:22:57+02:00" level=debug msg="Remote error https://auth.mgrote.net. StatusCode: 307" middlewareName=nforwardauth@docker middlewareType=ForwardedAuthType

Following Traefik configuration:

version: '3'
services:
######## traefik ########
  traefik:
    container_name: "traefik"
    image: traefik:latest
    restart: always
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./traefik.yml:/etc/traefik/traefik.yml
      - ./file-provider.yml:/etc/traefik/file-provider.yml
      - acme_data:/etc/traefik/acme
    networks:
      - traefik
    ports:
      - "80:80" # HTTP
      - "8081:8080" # Web-GUI
      - "443:443" # HTTPS
      - "2222:2222" # SSH
    environment:
      TZ: Europe/Berlin
    labels:
      com.centurylinklabs.watchtower.enable: true
######## error-pages ########
# https://github.com/tarampampam/error-pages/wiki/Traefik-(docker-compose)
  error-pages:
    container_name: "traefik-error-pages"
    image: tarampampam/error-pages:2
    environment:
      TEMPLATE_NAME: ghost
    labels:
      com.centurylinklabs.watchtower.enable: true

      traefik.enable: true
      # use as "fallback" for any NON-registered services (with priority below normal)
      traefik.http.routers.error-pages-router.rule: HostRegexp(`{host:.+}`)
      traefik.http.routers.error-pages-router.priority: 10
      # should say that all of your services work on https
      traefik.http.routers.error-pages-router.entrypoints: entry_https
      traefik.http.routers.error-pages-router.middlewares: error-pages-middleware
      # "errors" middleware settings
      traefik.http.middlewares.error-pages-middleware.errors.status: 400-599
      traefik.http.middlewares.error-pages-middleware.errors.service: error-pages-service
      traefik.http.middlewares.error-pages-middleware.errors.query: /{status}.html
      # define service properties
      traefik.http.services.error-pages-service.loadbalancer.server.port: 8080
    depends_on:
      - traefik
    networks:
      - traefik

######## nforwardauth ########
# https://github.com/NOSDuco/nforwardauth
  nforwardauth:
    container_name: "traefik-nforwardauth"
    image: nosduco/nforwardauth:v1
    depends_on:
      - traefik
    networks:
      - traefik
    volumes:
      - ./passwd:/passwd:ro # Mount local passwd file at /passwd as read only
    environment:
      TOKEN_SECRET: {{ lookup('keepass', 'traefik-nforwardauth-token-secret', 'password') }} # Secret to use when signing auth token
      AUTH_HOST: auth.mgrote.net
      COOKIE_DOMAIN: mgrote.net # Set domain for the cookies. This value will allow cookie and auth on *.yourdomain.com (including base domain)
      PORT: 3000 # Set specific port to listen on
    labels:
      com.centurylinklabs.watchtower.enable: true
      traefik.enable: true
      traefik.http.routers.nforwardauth.rule: Host(`auth.mgrote.net`)
      traefik.http.middlewares.nforwardauth.forwardauth.address: https://auth.mgrote.net
      traefik.http.services.nforwardauth.loadbalancer.server.port: 3000
      traefik.http.routers.nforwardauth.tls: true
      traefik.http.routers.nforwardauth.tls.certresolver: resolver_letsencrypt
      traefik.http.routers.nforwardauth.entrypoints: entry_https


######## Networks ########
networks:
  traefik:
    external: true

######## Volumes ########
volumes:
  acme_data:

and the app:

oci-registry-ui:
    restart: always
    # url: registry.mgrote.net/ui/index.html
    image: joxit/docker-registry-ui:latest
    container_name: oci-registry-ui
    environment:
      DELETE_IMAGES: true
      SINGLE_REGISTRY: true
      NGINX_PROXY_PASS_URL: http://oci-registry:5000
    networks:
      - traefik
      - intern
    labels:
      traefik.http.routers.registry-ui.rule: Host(`registry.mgrote.net`)&&PathPrefix(`/ui`) # make it reachable under /ui; this adds the prefix to the path, but the application does not "listen" there
      traefik.http.routers.registry-ui.middlewares: registry-ui-strip-prefix,error-pages-middleware,nforwardauth  # so strip the prefix again afterwards
      traefik.http.middlewares.registry-ui-strip-prefix.stripprefix.prefixes: /ui # the middleware is defined here
      traefik.enable: true
      traefik.http.routers.registry-ui.tls: true
      traefik.http.routers.registry-ui.tls.certresolver: resolver_letsencrypt
      traefik.http.routers.registry-ui.entrypoints: entry_https
      traefik.http.services.registry-ui.loadbalancer.server.port: 80

      com.centurylinklabs.watchtower.depends-on: oci-registry-redis,oci-registry
      com.centurylinklabs.watchtower.enable: true


######## Networks ########
networks:
  traefik:
    external: true
  intern:


Configurable SameSite cookie policy

While Strict sounds nice in theory, it has some caveats compared to Lax:

[Lax] Means that the cookie is not sent on cross-site requests, such as on requests to load images or frames, but is sent when a user is navigating to the origin site from an external site (for example, when following a link)

If CSRF attacks are not a high concern, Lax would be preferable as things like dashboard links would still work.

This is also the default for authelia: https://www.authelia.com/configuration/session/introduction/

Nginx configuration

How can I configure nginx to use nforwardauth with the ngx_http_auth_request_module?

Very minor: malicious behavior can cause panics of handler threads

This isn't realistically any kind of problem, but I thought I'd point it out anyway.

It is possible for an attacker to cause the handler thread for their connection to panic. Tokio etc. handle this fine, and the server itself does not suffer, but it does spam the console/logs with typical Rust panic messaging.

A common malicious attack with JWT cookies is to manually edit the signature field in the header to use "none" and to then remove the signature part, because some sites/libraries are poorly made and don't validate things.

The libraries in this project handle that fine. However, this unwrap() is hit when the relevant error is thrown, which causes the panic. It might be slightly nicer to catch that and just let the code continue as unauthorized.

But it's pretty unlikely anyone would ever legitimately trigger this, as only authed users see the cookie in the first place, and they obviously have no reason to manipulate it.
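The fix the issue suggests is to stop treating a token-verification error as unreachable and instead let the request fall through as unauthorized. The following is an added example, not nforwardauth's code, of that pattern end to end: a JWT-shaped token is split, its header decoded, the algorithm checked against an allow-list (so `alg: none` is refused before the signature is even looked at), the signature compared, and every error path mapped to `Unauthorized` by the handler with no `unwrap()` in sight. To keep the example dependency-free, the signature is a toy MAC built on the standard library's `DefaultHasher` keyed with the secret; that is an assumption of this example, it is not HMAC-SHA256, and it must not be used for real tokens. The base64url codec, the `alg` extraction and the `TokenError`/`AuthOutcome` types are likewise this example's own.

```rust
// Added example (not nforwardauth's code): every token failure, including a
// tampered "alg: none" header with the signature stripped, becomes an ordinary
// Unauthorized result instead of a panic in the handler thread.
//
// ASSUMPTIONS: `toy_mac` is a stand-in for HMAC-SHA256 built on std's
// DefaultHasher so the example compiles without crates. It is NOT a real MAC
// and is only here so the verification structure can be shown and tested.
use std::collections::hash_map::DefaultHasher;
use std::hash::{Hash, Hasher};

#[derive(Debug, PartialEq)]
pub enum TokenError { Malformed, BadEncoding, AlgNotAllowed, BadSignature }

#[derive(Debug, PartialEq)]
pub enum AuthOutcome { Authorized(String), Unauthorized }

const B64: &[u8] = b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_";

/// Unpadded base64url, as used by JWT segments.
pub fn b64url_encode(data: &[u8]) -> String {
    let mut out = String::new();
    for chunk in data.chunks(3) {
        let mut buf = [0u8; 3];
        buf[..chunk.len()].copy_from_slice(chunk);
        let n = (buf[0] as u32) << 16 | (buf[1] as u32) << 8 | buf[2] as u32;
        for i in 0..chunk.len() + 1 { // 1 byte -> 2 chars, 2 -> 3, 3 -> 4
            out.push(B64[((n >> (18 - 6 * i)) & 63) as usize] as char);
        }
    }
    out
}

pub fn b64url_decode(s: &str) -> Result<Vec<u8>, TokenError> {
    let mut out = Vec::new();
    let (mut acc, mut bits) = (0u32, 0u32);
    for c in s.bytes() {
        // Any byte outside the alphabet is an error, never a panic.
        let v = B64.iter().position(|&b| b == c).ok_or(TokenError::BadEncoding)? as u32;
        acc = (acc << 6) | v;
        bits += 6;
        if bits >= 8 { bits -= 8; out.push((acc >> bits) as u8); }
    }
    Ok(out)
}

/// Minimal extraction of the "alg" string from a JSON header (enough for the example).
fn header_alg(header_json: &str) -> Result<String, TokenError> {
    let idx = header_json.find("\"alg\"").ok_or(TokenError::Malformed)?;
    let rest = &header_json[idx + 5..];
    let start = rest.find('"').ok_or(TokenError::Malformed)? + 1;
    let end = rest[start..].find('"').ok_or(TokenError::Malformed)? + start;
    Ok(rest[start..end].to_string())
}

/// TOY MAC (see assumptions): keyed hash over the signing input, hex-encoded.
fn toy_mac(secret: &str, signing_input: &str) -> String {
    let mut h = DefaultHasher::new();
    secret.hash(&mut h);
    signing_input.hash(&mut h);
    format!("{:016x}", h.finish())
}

pub fn sign(secret: &str, payload_json: &str) -> String {
    let header = b64url_encode(br#"{"alg":"HS256","typ":"JWT"}"#);
    let signing_input = format!("{}.{}", header, b64url_encode(payload_json.as_bytes()));
    let sig = toy_mac(secret, &signing_input);
    format!("{}.{}", signing_input, sig)
}

/// Returns the payload JSON on success; every failure is a value, not a panic.
pub fn verify(secret: &str, token: &str) -> Result<String, TokenError> {
    let parts: Vec<&str> = token.split('.').collect();
    if parts.len() != 3 { return Err(TokenError::Malformed); }
    let header = String::from_utf8(b64url_decode(parts[0])?).map_err(|_| TokenError::BadEncoding)?;
    // Allow-list the algorithm: "none" and anything unexpected is rejected here.
    if header_alg(&header)? != "HS256" { return Err(TokenError::AlgNotAllowed); }
    let signing_input = format!("{}.{}", parts[0], parts[1]);
    // A real implementation compares in constant time; plain != is fine for a toy.
    if toy_mac(secret, &signing_input) != parts[2] { return Err(TokenError::BadSignature); }
    String::from_utf8(b64url_decode(parts[1])?).map_err(|_| TokenError::BadEncoding)
}

/// The handler-side decision: no cookie, or any verification error, is simply
/// "not logged in", which is what the issue asks for in place of unwrap().
pub fn authorize(secret: &str, cookie: Option<&str>) -> AuthOutcome {
    match cookie.map(|t| verify(secret, t)) {
        Some(Ok(claims)) => AuthOutcome::Authorized(claims),
        _ => AuthOutcome::Unauthorized,
    }
}

fn main() {
    // Constructed sample: a valid token and the same token with alg=none and no signature.
    let good = sign("example-secret", r#"{"sub":"alice"}"#);
    let payload = good.split('.').nth(1).unwrap_or("").to_string();
    let tampered = format!("{}.{}.", b64url_encode(br#"{"alg":"none"}"#), payload);
    println!("{:?}", authorize("example-secret", Some(&good)));
    println!("{:?}", authorize("example-secret", Some(&tampered)));
}
```

The design point is that `verify` has a single error type and `authorize` matches on it once, so a new failure mode in the token library can never reach the handler as a panic; it can only add another variant that still lands in `Unauthorized`. For log hygiene, the handler can log the `TokenError` at debug level rather than letting the panic machinery print a backtrace for each bad request.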
