0
Not a bug

Login Issue: Traefik v2

f79394325 11 months ago updated 11 months ago 9

Hi

Saw FileRun post @ reddit and decided to give it a go. Seems sleek and fast but I completely stuck somehow... When I enter user / password, error message pops up. Then I reload the page and system logs me in. Everything works, it's just annoying login issue as well as cannot access Account Settings (see attached screenshots). I have already checked “session.save_path” - it works as indented as far as I can see from within the container.

root@745e7eb8c77a:/var/www/html# cat /tmp/sess_69991657f2becdbc372a85074ef39e7f
test|i:1639932597;FileRun|a:4:{s:13:"session_start";i:1639932597;s:8:"username";s:9:"superuser";s:12:"last_request";i:1639932642;s:10:"csrf_token";s:64:"8003ad213f59b347fbdb32542fff4c4c73ceff5b260145eb81905b1fd8a51bf4";}root@745e7eb8c77a:/var/www/html


Screenshot_20211219_171329.png
Screenshot_20211219_171409.png

Anybody has working Traefik docker-compose example please? This is what I am using now.

version: '2'

services:
db:
image: mariadb:10.1
environment:
MYSQL_ROOT_PASSWORD: "xxx"
MYSQL_USER: filerun
MYSQL_PASSWORD: "xxx"
MYSQL_DATABASE: filerun_db
volumes:
- ./db:/var/lib/mysql
networks:
- int

web:
image: filerun/filerun
environment:
FR_DB_HOST: db
FR_DB_PORT: 3306
FR_DB_NAME: filerun_db
FR_DB_USER: filerun
FR_DB_PASS: "xxx"
APACHE_RUN_USER: www-data
APACHE_RUN_USER_ID: 33
APACHE_RUN_GROUP: www-data
APACHE_RUN_GROUP_ID: 33
depends_on:
- db
links:
- db:db
# ports:
# - "80:80"
volumes:
- ./html:/var/www/html
- ./user-files:/user-files
labels:
- traefik.enable=true
- traefik.http.routers.filerun.entrypoints=http
- traefik.http.routers.filerun.rule=Host(`fr.xxx.xx`)
- traefik.http.routers.filerun-secure.middlewares=securedheaders@docker
- traefik.http.routers.filerun-secure.entrypoints=https
- traefik.http.routers.filerun-secure.rule=Host(`fr.xxx.xx`)
- traefik.http.routers.filerun-secure.tls=true
- traefik.http.routers.filerun-secure.tls.certresolver=le
- traefik.http.routers.filerun-secure.service=filerun
- traefik.http.services.filerun.loadbalancer.server.port=80
- traefik.docker.network=proxy
networks:
- proxy
- int

networks:
proxy:
external: true
int:
internal: true

Thank you,

Fred

Answer

Answer
Not a bug

Seems to be one more HTTP header added from somewhere, because the login doesn't work for this reason:

Refused to display '[...]' in a frame because it set 'X-Frame-Options' to 'deny'.

That header means that FileRun cannot load anything in a frame, not even itself.

Fixing this will fix both original problems.

Under review

Usually this kind of problems are caused by browser extensions that inject anything inside the HTML code of webpages.

That would explain the crash of the popup, that shouldn't happen regardless of what the web page does and it is indicative of a browser problem.

Please check, or try with another browser, and let me know. If it's not it, I will help you troubleshoot more.

Thanks for quick reply, Vlad. I have just created new user profile with all default settings and no extensions in Firefox 95.0.1 - getting same error. Also tried Brave 1.33.106 and Chromium 90.0.4430.85

No errors trying the demo

I'm going to try your setup above soon.

Demo works well in all those browsers I mentioned. Of course I am trying to selfhost Free edition, not the Enterprise as in demo. This makes me think that my traefik config is missing something. This is strange since I run 10+ services using similar docker-compose / traefik labels template, including nextcloud. Everything works as expected.

If you can share a test login, please send with URL using the contact form: https://filerun.com/contact I would be curious to see what are the actual HTTP responses from the server.

I didn't had time today to set a test machine up like with your example, but I'll try tomorrow.

Vlad, I have sent you test credentials as requested. Below is the output of traefik/whoami debug container with the same traefik setting. I hope this helps.


Hostname: 
IP: 
IP: 
RemoteAddr: 
GET / HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.5
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Te: trailers
Upgrade-Insecure-Requests: 1
X-Forwarded-For: 172.19.0.1
X-Forwarded-Host: 
X-Forwarded-Port: 443
X-Forwarded-Proto: https
X-Forwarded-Server: 
X-Real-Ip: 

Perhaps the labels I use for Filerun with Caddy Docker Proxy (https://github.com/lucaslorentz/caddy-docker-proxy) might be of help for you to decide if you are missing anything in your traefik labels. I switched from Traefik to this Caddy solution for simplicity:

    labels:
      # Required for HTTPS reverse proxy
      caddy: files.$DOMAIN
      caddy.reverse_proxy: "{{upstreams 80}}"
      caddy.reverse_proxy.header_up: "Host files.$DOMAIN"
      # Required extra headers for fileservers
      caddy.file_server: ""                                         # required for fileservers
      caddy.encode: gzip                                            # required for fileservers
      # Optional headers for added security or compatibility issues with OnlyOffice container
      caddy.header.Strict-Transport-Security: '"max-age=15768000;"' # Recommended security hardening for fileservers
      caddy.header.X-XSS-Protection: '"1; mode=block;"'             # Recommended security hardening for fileservers
      caddy.header.X-Content-Type-Options: "nosniff"                # Seems required to open files in OnlyOffice
      caddy.header.X-Frame-Options: "SAMEORIGIN"                    # Seems required to open files in OnlyOffice

I am running FileRun since June uninterrupted this way. Note I have not yet updated to the latest version. 

Answer
Not a bug

Seems to be one more HTTP header added from somewhere, because the login doesn't work for this reason:

Refused to display '[...]' in a frame because it set 'X-Frame-Options' to 'deny'.

That header means that FileRun cannot load anything in a frame, not even itself.

Fixing this will fix both original problems.

Thanks a lot for your help, Vlad. It appears I hardened my traefik too far. Had to change Traefik container config itself as per below and now it works great! Thanks again.

before

- traefik.http.middlewares.securedheaders.headers.framedeny=true


after

- traefik.http.middlewares.securedheaders.headers.customFrameOptionsValue="SAMEORIGIN"