Running behind reverse proxy gives wrong redirect URL #204

Open
maaroen opened this issue Sep 21, 2023 · 10 comments

@maaroen
Contributor

maaroen commented Sep 21, 2023

Hello @revenz,

I'm trying to run Fenrus on my Kubernetes cluster, using OIDC authentication from Keycloak. But the redirect URL that is being configured is http instead of https, which gives me certificate issues.

I'm running it behind a reverse proxy which does SSL termination for me.

Could you tell me if there is a way to configure this setup, or what I'm doing wrong?

With kind regards,

Maaroen

@maaroen
Contributor Author

maaroen commented Oct 20, 2023

image

The above image illustrates the issue: the Base URL I was able to manually edit from http to https, but the Redirect URL cannot be manually changed.

I think both Base URL and Redirect URL should have been using https, since I'm accessing Fenrus over an HTTPS URL.

@revenz
Owner

revenz commented Oct 20, 2023

That redirect URL is computed from the request the server is getting. It's just a hint really.
You don't have to use this; it just helps you set what the auth service requires. Just change it to https when configuring your auth server.

@pathwayx99

Mmm. Not quite. Something weird is going on. I have the same issue, same setup as OP.

If I change the redirect URI to https://fenrus.domain.com/signin-oidc, I get:

image

While if I keep the http://fenrus.domain.com/signin-oidc the authentication works, but authentik warns me the credentials are going over cleartext:

image

Any ideas?

@maaroen
Contributor Author

maaroen commented Nov 1, 2023

Yes, this is exactly what I'm running into as well.

@rswafford1980

Agree. I tried to point this out several months ago and my issue was closed.

@revenz
Owner

revenz commented Nov 10, 2023

Like I said, it's computed. It's what the request comes through as, so if you set up your reverse proxy to go to the HTTP protocol, then it will see the request coming from HTTP and give that.

There are 2 ports you can configure:

3000 == http
4000 == https

My Portainer for Fenrus:
image

My Nginx Proxy Manager to Fenrus:
image

@rswafford1980

That does not work either. I mapped port 3001 to 4000, went to https://docker-ip:3001, and the page cannot be loaded. If I go to http://docker-ip:3000 it loads up with the initial config.

@maaroen
Contributor Author

maaroen commented Nov 11, 2023

I just created a PR for @revenz to review in which I have solved this issue:
#211

For those who would like to test it already before revenz checks the PR, feel free to pull this image:
git.nederlof.dev/maaroen/fenrus:latest

Please let me know if someone tests it, if they run into any issues. I'm personally able to use Fenrus now with Keycloak as OAuth authentication, behind an HAProxy doing SSL offloading, and an nginx reverse proxy being my Kubernetes ingress controller.

@revenz
Owner

revenz commented Nov 11, 2023

Another option is to set the environmental variables:

| Name | Value |
| --- | --- |
| PORT | 4000 |
| PROTOCOL | https |

I'm using it behind a reverse proxy, going through Cloudflare, to Nginx Proxy Manager, to Fenrus, using Google's OAuth, without any additional changes. So there must be a simpler way, something that I'm just missing in the docs.

@maaroen
Contributor Author

maaroen commented Nov 12, 2023

Hello @revenz,

But aren't you hosting your app in https mode then? Because I see you also install the dotnet dev cert in the final container.

I would like to run the app in http mode, since complete SSL termination is done in my load balancer. All traffic afterwards continues on port 80, so the app doesn't have to run in https mode; it just needs to use the correct X-Forward-X headers to correctly generate URLs, like for auth.
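
The setup discussed in this thread (TLS terminated at the proxy, app listening on plain HTTP) is normally handled in ASP.NET Core with the forwarded-headers middleware, so that the request-derived redirect URL comes out as https. The following is an added example, not part of the thread and not the code of PR #211 or of Fenrus. It assumes a minimal-hosting ASP.NET Core app; `TRUSTED_PROXY_IP`, the address `10.0.0.10` and the `/redirect-hint` route are hypothetical names and constructed values.

```csharp
using System;
using System.Net;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.HttpOverrides;
using Microsoft.Extensions.DependencyInjection;

var builder = WebApplication.CreateBuilder(args);

// Assumption: TRUSTED_PROXY_IP (hypothetical variable) holds the address of the
// proxy that opens the TCP connection to the app. 10.0.0.10 is a constructed default.
var proxyIp = IPAddress.Parse(
    Environment.GetEnvironmentVariable("TRUSTED_PROXY_IP") ?? "10.0.0.10");

builder.Services.Configure<ForwardedHeadersOptions>(options =>
{
    // Scheme and host are all that is needed to build the OIDC redirect URL.
    options.ForwardedHeaders =
        ForwardedHeaders.XForwardedProto | ForwardedHeaders.XForwardedHost;

    // X-Forwarded-* is honoured only when the connecting peer is a known proxy
    // (loopback is trusted by default). A client that reaches the app directly
    // and sends "X-Forwarded-Proto: https" itself is ignored.
    options.KnownProxies.Add(proxyIp);

    // Reject forwarded host names other than the public one, so a spoofed
    // X-Forwarded-Host cannot steer the generated redirect URL elsewhere.
    // fenrus.domain.com is the placeholder host used earlier in this thread.
    options.AllowedHosts.Add("fenrus.domain.com");
});

var app = builder.Build();

// Must run before authentication: the OpenID Connect handler builds its
// redirect URL from Request.Scheme and Request.Host as rewritten here.
app.UseForwardedHeaders();

// Shows the URL the app now computes for the callback path seen in the thread.
// Via the trusted proxy with "X-Forwarded-Proto: https" the scheme is https;
// for a direct connection it stays http.
app.MapGet("/redirect-hint", (HttpContext ctx) =>
    $"{ctx.Request.Scheme}://{ctx.Request.Host}{ctx.Request.PathBase}/signin-oidc");

app.Run();
```

With two proxies in a row, as in the HAProxy plus nginx ingress chain mentioned above, the proxy closest to the app has to pass on or set `X-Forwarded-Proto` itself, because only the directly connecting peer is checked against `KnownProxies` under the default `ForwardLimit` of 1.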
