
[Bug] Usage of SECURE_CONNECTION with a reverse proxy leads to 307 infinite redirect #264

Open
Quadrubo opened this issue Nov 16, 2024 · 8 comments
Quadrubo commented Nov 16, 2024

Current Behavior

I am trying to use the WEB_AUTHENTICATION functionality. To do that I have to enable SECURE_CONNECTION.
As I'm using traefik as my reverse proxy which automatically provides a valid certificate, doing this doesn't make sense for me as this forces the use of self-signed certificates.

When now trying to access the application via the proxy, I'm getting infinite HTTP 307 redirects to the same page.
This is not the case when setting the SECURE_CONNECTION=0 variable.

Expected Behavior

Be able to use the web authentication functionality by providing certificates through a reverse proxy.

Steps To Reproduce

  1. Setup the container with the following env variables:
      - SECURE_CONNECTION=1
      - WEB_AUTHENTICATION=1
      - WEB_AUTHENTICATION_USERNAME=user
      - WEB_AUTHENTICATION_PASSWORD=password
      - CONTAINER_DEBUG=1
  2. Setup a reverse proxy for the container:
      - "traefik.http.routers.firefox.rule=Host(`firefox.example.com`)"
      - "traefik.http.services.firefox.loadbalancer.server.port=5800"
      - "traefik.http.routers.firefox.service=firefox"
      - "traefik.http.routers.firefox.entrypoints=websecure"
      - "traefik.http.routers.firefox.tls.certresolver=myresolver"

Environment

No response

Container creation

firefox:
    image: jlesage/firefox:latest
    container_name: firefox
    environment:
      - SECURE_CONNECTION=0
      - WEB_AUTHENTICATION=1
      - WEB_AUTHENTICATION_USERNAME=user
      - WEB_AUTHENTICATION_PASSWORD=password
      - CONTAINER_DEBUG=1
    volumes:
      - /mnt/storage/containers/firefox/config:/config
    # ports:
    #   - 5800:5800
    restart: unless-stopped

Container log

No specific output in the container log.
This is the nginx access log instead:


...
172.18.96.3 - - [16/Nov/2024:21:58:42 +0000] "GET / HTTP/1.1" 307 164 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:132.0) Gecko/20100101 Firefox/132.0" "192.168.5.81"
172.18.96.3 - - [16/Nov/2024:21:58:42 +0000] "GET / HTTP/1.1" 307 164 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:132.0) Gecko/20100101 Firefox/132.0" "192.168.5.81"
172.18.96.3 - - [16/Nov/2024:21:58:42 +0000] "GET / HTTP/1.1" 307 164 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:132.0) Gecko/20100101 Firefox/132.0" "192.168.5.81"
172.18.96.3 - - [16/Nov/2024:21:58:42 +0000] "GET / HTTP/1.1" 307 164 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:132.0) Gecko/20100101 Firefox/132.0" "192.168.5.81"
172.18.96.3 - - [16/Nov/2024:21:58:42 +0000] "GET / HTTP/1.1" 307 164 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:132.0) Gecko/20100101 Firefox/132.0" "192.168.5.81"
172.18.96.3 - - [16/Nov/2024:21:58:42 +0000] "GET / HTTP/1.1" 307 164 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:132.0) Gecko/20100101 Firefox/132.0" "192.168.5.81"
172.18.96.3 - - [16/Nov/2024:21:58:42 +0000] "GET / HTTP/1.1" 307 164 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:132.0) Gecko/20100101 Firefox/132.0" "192.168.5.81"
172.18.96.3 - - [16/Nov/2024:21:58:42 +0000] "GET / HTTP/1.1" 307 164 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:132.0) Gecko/20100101 Firefox/132.0" "192.168.5.81"
172.18.96.3 - - [16/Nov/2024:21:58:42 +0000] "GET / HTTP/1.1" 307 164 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:132.0) Gecko/20100101 Firefox/132.0" "192.168.5.81"
172.18.96.3 - - [16/Nov/2024:21:58:42 +0000] "GET / HTTP/1.1" 307 164 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:132.0) Gecko/20100101 Firefox/132.0" "192.168.5.81"
172.18.96.3 - - [16/Nov/2024:21:58:42 +0000] "GET / HTTP/1.1" 307 164 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:132.0) Gecko/20100101 Firefox/132.0" "192.168.5.81"
...


Container inspect

No response

Anything else?

No response

Quadrubo added the bug (Something isn't working) label Nov 16, 2024

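A check for the symptom visible in the access log above, as an added example that is not part of the original issue or the project's code: it groups requests by the forwarded client and flags runs of identical back-to-back redirects. The sample lines are constructed in the layout of the log in the issue; the threshold and time window are assumed values.

```python
import re
from collections import namedtuple
from datetime import datetime, timedelta

# Access-log layout from the issue: nginx "combined" plus a quoted X-Forwarded-For.
LINE_RE = re.compile(
    r'(?P<peer>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \d+ "[^"]*" "[^"]*" "(?P<xff>[^"]*)"')
REDIRECTS = {"301", "302", "303", "307", "308"}
Loop = namedtuple("Loop", "client method path status count")

def find_redirect_loops(lines, threshold=5, window=timedelta(seconds=2)):
    """Report requests answered by `threshold` or more back-to-back redirects."""
    runs = {}  # (client, method, path) -> state of the current and longest run
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not an access-log line in the expected layout
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        # Behind a proxy the peer is the proxy itself, so group by forwarded client.
        client = m["xff"] if m["xff"] not in ("", "-") else m["peer"]
        run = runs.setdefault((client, m["method"], m["path"]), {
            "last": ts, "cur": 0, "max": 0, "status": None, "max_status": None})
        if m["status"] not in REDIRECTS:
            run["cur"] = 0                  # a real answer ends the run
        elif run["cur"] and run["status"] == m["status"] and ts - run["last"] <= window:
            run["cur"] += 1                 # same redirect again, right away
        else:
            run["cur"] = 1                  # first redirect of a new run
        if run["cur"] > run["max"]:
            run["max"], run["max_status"] = run["cur"], m["status"]
        run["last"], run["status"] = ts, m["status"]
    return [Loop(*key, r["max_status"], r["max"])
            for key, r in runs.items() if r["max"] >= threshold]

# Constructed sample input, modelled on the log lines in the issue.
UA = "Mozilla/5.0 (X11; Linux x86_64; rv:132.0) Gecko/20100101 Firefox/132.0"

def _line(sec, request, status, client):
    return (f'172.18.96.3 - - [16/Nov/2024:21:58:{sec:02d} +0000] "{request} HTTP/1.1" '
            f'{status} 164 "-" "{UA}" "{client}"')

SAMPLE = ([_line(42, "GET /", 307, "192.168.5.81")] * 6
          + [_line(43, "GET /favicon.ico", 200, "192.168.5.90"),
             _line(44, "GET /old", 301, "192.168.5.90")])

if __name__ == "__main__":
    for loop in find_redirect_loops(SAMPLE):
        print(loop)
```

The forwarded-client field is supplied by the proxy and ultimately by the client, so use it for grouping only, not as a trusted identity.
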
@zuilintan

This problem does indeed exist.

@jlesage
Owner

jlesage commented Nov 18, 2024

> As I'm using traefik as my reverse proxy which automatically provides a valid certificate, doing this doesn't make sense for me as this forces the use of self-signed certificates.

The reverse proxy exposes a valid certificate to the user. This is not related to the connection used between the reverse proxy and the container, where a self-signed certificate can be used without problem.

> When now trying to access the application via the proxy, I'm getting infinite HTTP 307 redirects to the same page.

Reverse proxy with nginx works without issue, so I guess there is a configuration issue with Traefik. I'm not an expert with this reverse proxy, but can you try to add the following label:

traefik.http.services.firefox.loadbalancer.server.scheme=https

@Quadrubo
Author

Using

traefik.http.services.firefox.loadbalancer.server.scheme=https

made the server reachable again but I still get an Internal server error as your certificate is not valid.
Can you please provide a way to enable the WEB_AUTHENTICATION option without needing to enable SECURE_CONNECTION.

Just ignoring the certificate validity is not really an option for me.

@jlesage
Owner

jlesage commented Nov 23, 2024

> Just ignoring the certificate validity is not really an option for me.

Why?

Web authentication without a secure connection is not a good idea, because we don't want to pass credentials in clear over the network.

@Quadrubo
Author

I still think in a scenario I am in it is fine and you should provide a way, for example a variable to allow it.

  1. The port of the container is not exposed.
  2. The service communicates through http only with the reverse proxy and the connection between the browser and the reverse proxy is encrypted.
  3. The communication between the reverse proxy and the container is http but is only running through an internal docker network.

Ignoring the certificate validity is not an option as traefik does not provide an easy way to do it, there only seems to be a global setting that I don't want to activate for obvious reasons.

@jlesage
Owner

jlesage commented Nov 25, 2024

> Ignoring the certificate validity is not an option as traefik does not provide an easy way to do it, there only seems to be a global setting that I don't want to activate for obvious reasons.

According to the following link, you can create a serversTransport and assign it to your service.

https://community.traefik.io/t/https-reverse-proxy-to-https-service-do-i-need-new-certs/21142/4

@Quadrubo
Author

Quadrubo commented Nov 25, 2024

This has the issue of not being supported through the cli configuration so you can't use it with a single compose file without additional files. This could be a problem for users of hosting services where only a single compose file is allowed.

I have implemented it like this now and it's working so ty :)
You can close this issue if you want to as it is solved for me.

Instructions on how to solve:

  1. Add a new volume to your docker compose file for traefik.

         volumes:
           - "/path/to/config:/config"

  2. Add a config file with the following content to /path/to/config/config.yml

         http:
           serversTransports:
             firefox:
               insecureSkipVerify: true

  3. Add the following configuration to your firefox container

         labels:
           - "traefik.http.services.firefox.loadbalancer.serverstransport=firefox@file"

@dghassan98

I'm having the same issues with caddy instead of traefik. Any way to make the web authentication work with caddy?
