Homebox creates and immediately clears auth cookie resulting in logout when connecting via https://domain using reverse proxy

[stamonty]

First Check

• This is not a feature request
• I added a very descriptive title to this issue.
• I used the GitHub search to find a similar issue and didn't find it.
• I searched the documentation, with the integrated search.
• I already read the docs and didn't find an answer.
• I can replicate the issue inside the Demo install.

Homebox Version

v0.17.2

What is the issue you are experiencing?

Homebox creates and immediately clears auth cookie resulting in logout after trying to view any internal page.
ERR ../go/src/app/internal/web/mid/errors.go:31 > ERROR occurred error="authorization header or query is required"

I use rootless image of Homebox

Many thanks.

How can the maintainer reproduce the issue?

1. Register a new account
2. Log in and try to view any page, locations, for example.

Deployment

Docker (Linux)

OS Architechture

x86_64 (AMD, Intel)

Deployment Details

Docker compose

services:
  homebox:
    container_name: homebox
    image: ghcr.io/sysadminsmedia/homebox:latest-rootless
    #pull_policy: never
    volumes:
      - data:/data
    env_file:
      - .env
    ports:
      - 3100:7745
    restart: unless-stopped
volumes:
  data:

.env

HBOX_MODE=development
HBOX_LOG_LEVEL=debug
HBOX_LOG_FORMAT=text
HBOX_OPTIONS_ALLOW_REGISTRATION=false

Env in the Homebox container

/app $ printenv
HOSTNAME=fedf31a40838
HBOX_STORAGE_DATA=/data/
SHLVL=1
HOME=/home/nonroot
HBOX_MODE=development
HBOX_OPTIONS_ALLOW_REGISTRATION=false
TERM=xterm
HBOX_STORAGE_SQLITE_URL=/data/homebox.db?_pragma=busy_timeout=2000&_pragma=journal_mode=WAL&_fk=1&_time_format=sqlite
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
HBOX_LOG_LEVEL=debug
HBOX_LOG_FORMAT=text
PWD=/app

Version: v0.17.2 ~ Build: 44bdca8

Please let me know if you need any additional info

[katosdev]

Please format your docker-compose.yml as a multiline code.
It doesn't look like the environment variable has been set.

[stamonty]

Formatting fixed. Env vars passing - resolved. I've update the issue. Auth cookie problem still present.

[katosdev]

Formatting fixed. Env vars passing - resolved. I've update the issue. Auth cookie problem still present.

I cannot seem to replicate the auth cookie myself either on demo, dev, nightly, my own Homebox instance or a fresh instance locally, I’m afraid…

Can I get some more details about your current setup to try and narrow this down for you please? Presumably you’ve tried in private etc to rule out a cache issue?

[stamonty]

Presumably you’ve tried in private etc to rule out a cache issue

For sure, I've tried private tab as well.
Deploying Homebox stack via Komodo- https://komo.do (Looks unrelated)

In the dev console Application->Storage->Cookies I can literally see Auth cookie been set and immediately unset.

Ok, I've tried to connect without reverse proxy (http://ip) and auth worked as expected. What headers should be passed through?

Anyway that is a bit wired because auth works with https (https://domain) and reverse proxy, just self unsets. Maybe some CORS/Origin check in the code?

Just for the sake of clarity I should mention that with software like Jellyfin, Immich and the same reverse proxy auth via https://domain works as expected that's why I haven't thought about reverse proxy factor at the first place. Hope my findings help with debugging.

[stamonty]

Just in case I've enabled X-Real-IP and X-Forwarded-For but nothing changed. Anything else I can help with in terms of information gathering/testing?

[tankerkiller125]

The main header used for Authentication is the Authentication: header. If it's not getting passed to the backend API it's going to break things.

[stamonty]

As I mentioned before, auth.token preserves on the client side only when accessing directly via http://ip. If accessing via https://domain, application unset (delete) auth.token from the client right after successful authorization.

It looks like Homebox has some kind of origin check preventing frontend to preserve the auth.token after the first successful auth attempt. Maybe it could be configured somehow (via Env variable, for example)?

[stamonty]

If I manually set auth.token cookies obtained from http://ip session in Firefox dev console I am able to login to Homebox and further work with it via https://domain/.

Ok, I've played around with dev console a bit more:

Cookie “hb.auth.remember” has been rejected for invalid domain. login
Cookie “hb.auth.token” has been rejected for invalid domain. login
Cookie “hb.auth.session” has been rejected for invalid domain. login
Cookie “hb.auth.remember” has been rejected for invalid domain. login
Cookie “hb.auth.token” has been rejected for invalid domain. login
Cookie “hb.auth.session” has been rejected for invalid domain.

From this error it is unclear which domain Homebox considers as valid.

So the question is how to set my domain name for the Homebox. Is it possible to add my domain setting via Env var? If not, is it possible to implement such a thing (shouldn't be complicated)?

[stamonty]

Anything else I could help with? Please let me know. I assume the issue might be relevant for other users who willing to setup Homebox with https and reverse proxy.

[katosdev]

What reverse proxy are you using please?
not seeing the issue with Cloudflare tunnels and supporting reverse proxy is going to be difficult without knowing more about your configuration and setup to be honest :-)

[cositech]

I have the same problem with the hb.auth.token cookie. I use Bunkerweb (1.5.12) as a reverse proxy. Attached is a screenshot of the Firefox developer console showing the cookies.

[tankerkiller125]

I've attempted to replicate this with Nginx, Caddy, Apache and Traefik and I'm unable to do so. Without configuration details of the reverse proxy I don't think we'll be able to properly diagnose this issue.

[cositech]

Here is a excerpt from the bunkerweb (nginx config):

server {
        # server name (vhost)
        server_name homebox.domain.example;

        # HTTP listen

        listen 0.0.0.0:80;

        index index.php index.html index.htm;

        # custom config
        include /etc/bunkerweb/configs/server-http/*.conf;

        include /etc/bunkerweb/configs/server-http/homebox.domain.example/*.conf;

        # variables
        set $reason '';
        set $reason_data '';
        set $ctx_ref '';

        # include config files
        include /etc/nginx/homebox.domain.example/server-http/*.conf;

        proxy_ssl_server_name off;
        proxy_intercept_errors on;

        location / {
                etag off;
                set $backend115 "http://1.2.3.4:7745";
                proxy_pass $backend115;
                proxy_set_header Host "homebox.domain.example";
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header X-Forwarded-Proto $scheme;
                proxy_set_header X-Forwarded-Protocol $scheme;
                proxy_set_header X-Forwarded-Host "homebox.domain.example";

                proxy_set_header X-Forwarded-Prefix "/";

                proxy_buffering on;

                proxy_http_version 1.1;
                proxy_set_header Upgrade $http_upgrade;
                proxy_set_header Connection $connection_upgrade;

                # include LUA files
                include /etc/nginx/homebox.domain.example/set-lua.conf;
                include /etc/nginx/homebox.domain.example/ssl-certificate-lua.conf;
                include /etc/nginx/homebox.domain.example/access-lua.conf;
                include /etc/nginx/homebox.domain.example/header-lua.conf;
                include /etc/nginx/homebox.domain.example/log-lua.conf;
                proxy_connect_timeout 60s;
                proxy_read_timeout 60s;
                proxy_send_timeout 60s;
        }
}

[stamonty]

Many thanks for the config listing! I've managed to figure it out just before I've seen your reply.
In order to make it work at least proxy_set_header Host "homebox.domain.example" and ProxyPreserveHost Off must be defined.

My reverse proxy is build in the router's firmware so it is a bit of a blackbox in terms of seen the whole config listing, but it has a couple of CLI options, setting host, X-Real-IP and X-Forwarded-For headers among them.

Would be glad if Homebox dev team could include such reverse proxy config example in the official docs. I believe it'll save many hours spent on debugging the issue.

Basically it is frontend configuration issue. I assume host should be configurable via ENV vars.