Issues with reverse proxy and serving from subdirectory. about glauth-ui HOT 5 OPEN

hehe i had not and stumbled upon this setting a few days ago. Didnt have time to test this yet tho. I will try this in the next few days and report back. If i cant get it to work i will gladly ask you for more support :)

from glauth-ui.

Are you setting APPLICATION_ROOT in flask?

from glauth-ui.

Also @sonicnkt feel free to ping me if you have a question like this, I have a fair bit of experience with python/flask and I'd like to support this project. Didn't see this issues until now though.

from glauth-ui.

Be aware that if you're trying to use cookie sub-domains (so you can use an example.com cookie on foo.example.com) it's not going to work on localhost based domains. I think a bunch of people would probably want to use this on localhost, so it's something to be aware of.

Traefik will proxy the glauth server instead of the forbidden server when using it's "Authentication Based on Subrequest Result" equivalent, there might be a way to set up nginx similarly. I'm a bit tied in to traefik for complicated reasons, but the forward_auth stuff I'm working on assumes that glauth is proxied instead of the app we want to authenticate for.

Or it could be that you're doing this for some entirely different reason that has nothing to do with cookie domains, in which case ignore all that.

from glauth-ui.

Finally figured this out...
And yeah this is completely unrelated to cookies and i just didn't want to serve the ui in the root of my domain but from a subdirectory.

Since we are using gunicorn for deployment this is completely configured outside of flask and no SERVER_NAME or APPLICATION_ROOT needs to be manually set if you have correct proxy forwarding working. You only have to tell gunicorn that it should serve this from a subdirectory/prefix.

To get this working add the SCRIPT_NAME environment variable to the docker-compose.yml, for example:

SCRIPT_NAME=/account

And configure your proxy like this (nginx):

server {
    listen 443 ssl http2;
    server_name subdomain.example.com;

    include /etc/nginx/ssl-stuff.conf; # SSL Certificates, keys etc

    add_header Strict-Transport-Security    "max-age=31536000; includeSubDomains" always;
    add_header X-Frame-Options              SAMEORIGIN;
    add_header X-Content-Type-Options       nosniff;
    add_header X-XSS-Protection             "1; mode=block";

    ... your other locations ...
 
  location /account/ {
        proxy_pass http://127.0.0.1:3005/account/;
        proxy_set_header    X-Real-IP           $remote_addr;
        proxy_set_header    X-Forwarded-For     $proxy_add_x_forwarded_for;
        proxy_set_header    X-Forwarded-Proto   $scheme;
        proxy_set_header    Host                $host;
        proxy_set_header    X-Forwarded-Host    $host;
        proxy_set_header    X-Forwarded-Port    $server_port;

        }
}

It is important that you also set the path/prefix in the proxy_pass setting.
After this everything works fine and you can access https://subdomain.example.com/account/, all generated urls are correct.

from glauth-ui.