400 Bad Request || too many forward_auth cookies in request #238

Open
dalanmiller opened this issue Feb 15, 2021 · 8 comments · May be fixed by #295
Comments

@dalanmiller

400 Bad Request

Request Header Or Cookie Too Large

A few of my containers get sad when the _forward_auth_csrf_* cookies reach a certain number and fail to respond until I clear the cookies for that domain.

I can't recall the issue with this I ran into before but wouldn't it make more sense to upsert the cookie in such a way that it updates if existing and creates if it doesn't exist?

Screen Shot 2021-02-16 at 09 28 09
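An added illustration (not code from traefik-forward-auth or from anyone in this thread) of the two behaviours discussed above: a jar that gains one more _forward_auth_csrf_* cookie on every login redirect and never drops the old ones, versus the upsert the reporter suggests, where an existing CSRF cookie is replaced instead of accumulated. The cookie-name format (prefix plus a 6-character nonce suffix), the cookie value length and the 8 KiB per-header-line ceiling (nginx's default large_client_header_buffers size) are assumptions chosen for the simulation, not the project's constants. The point it makes for a defender is that a "400 Request Header Or Cookie Too Large" is a predictable consequence of unbounded cookie growth, and that bounding the jar keeps the Cookie header constant no matter how many redirects happen.

```go
package main

import (
	"fmt"
	"net/http"
	"strings"
)

// Constructed names and limits for the illustration (assumptions, not the
// project's constants): the cookie-name prefix from the issue title, and the
// 8 KiB per-header-line ceiling that nginx applies by default through
// large_client_header_buffers.
const (
	csrfPrefix     = "_forward_auth_csrf_"
	nginxLineLimit = 8 * 1024
)

// cookieHeaderLen returns the length in bytes of the "Cookie:" request-header
// line a browser would send back for the given cookies.
func cookieHeaderLen(cookies []*http.Cookie) int {
	pairs := make([]string, 0, len(cookies))
	for _, c := range cookies {
		pairs = append(pairs, c.Name+"="+c.Value)
	}
	return len("Cookie: " + strings.Join(pairs, "; "))
}

// newCSRFCookie builds a CSRF cookie for login attempt i. The nonce suffix and
// value are derived deterministically from i so the simulation is repeatable;
// a real middleware would use random bytes.
func newCSRFCookie(i int) *http.Cookie {
	return &http.Cookie{
		Name:  csrfPrefix + fmt.Sprintf("%06x", i),
		Value: fmt.Sprintf("%032x", i),
	}
}

// appendCSRF models the behaviour the reporters observe: every redirect into
// the login flow adds one more CSRF cookie and nothing removes the old ones.
func appendCSRF(jar []*http.Cookie, c *http.Cookie) []*http.Cookie {
	return append(jar, c)
}

// upsertCSRF models the fix suggested in the issue: any existing CSRF cookie
// (matched by prefix, because each one carries its own nonce suffix) is
// replaced by the new one, so the jar never holds more than one of them.
func upsertCSRF(jar []*http.Cookie, c *http.Cookie) []*http.Cookie {
	kept := jar[:0:0]
	for _, old := range jar {
		if !strings.HasPrefix(old.Name, csrfPrefix) {
			kept = append(kept, old)
		}
	}
	return append(kept, c)
}

// firstOverLimit runs n simulated login redirects with the given cookie
// strategy and returns the attempt number at which the Cookie header line
// first exceeds limit, or 0 if it never does.
func firstOverLimit(n, limit int, strategy func([]*http.Cookie, *http.Cookie) []*http.Cookie) int {
	// Start from a constructed session cookie so the jar is never empty.
	jar := []*http.Cookie{{Name: "_forward_auth", Value: strings.Repeat("s", 64)}}
	for i := 1; i <= n; i++ {
		jar = strategy(jar, newCSRFCookie(i))
		if cookieHeaderLen(jar) > limit {
			return i
		}
	}
	return 0
}

func main() {
	fmt.Printf("append strategy exceeds the %d-byte line limit at attempt %d\n",
		nginxLineLimit, firstOverLimit(1000, nginxLineLimit, appendCSRF))
	fmt.Printf("upsert strategy exceeds it at attempt %d (0 = never)\n",
		firstOverLimit(1000, nginxLineLimit, upsertCSRF))
}
```

With these constructed sizes the append strategy crosses 8 KiB on the 136th redirect, which is the order of magnitude a user of a couple of dozen sub-domain services can reach in a few days without ever clearing cookies; the upsert strategy keeps the header at a fixed 146 bytes. A time-based prune (dropping CSRF cookies older than the hour thomseddon mentions below) would bound the jar the same way as long as it actually runs on every request rather than only on a successful login.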

@SuperSandro2000
Contributor

Ran into this a while ago, too.

@SalmonSays

Frequently running into this now after updating from v2 to v2.2, if anyone has pointers for fixing it I'd be hugely appreciative.

@thomseddon
Owner

Hmm, the CSRF cookies should be cleared during the login or within an hour - can you post your full config?

@stevietv

stevietv commented Dec 5, 2021

Is there any movement on this? I'm also having the error

@kevtainer

Hit this as well. A new CSRF token is generated on every request that passes through the forward auth middleware, which per the author isn't of much concern; I'm guessing they're not being cleared though.

@hagak

hagak commented May 15, 2022

I am running into this issue as well.

@stuckj

stuckj commented Feb 27, 2024

I'm hitting this issue as well. It's only affecting my nextcloud instance due to nginx having a smaller header/cookie limit than other services I have. Clearing cookies resolves it.

I know you asked for a config a while ago @thomseddon so here's mine. Domains, emails, client IDs, and secrets replaced with capital-lettered placeholders. This is just the oauth config stanza from a docker compose I use for traefik. I can provide more if you need it. This auth flow is used for about 27 different services (all in sub-domains)...not sure if that's what's leading to it (does each need its own CSRF cookie or is it shared in the top-level domain?).

  oauth:
    image: thomseddon/traefik-forward-auth:latest
    restart: unless-stopped
    networks:
      - default
    hostname: oauth
    command:
      - --cookie-domain=MYDOMAIN
      - --auth-host=oauth.MYDOMAIN
      - --url-path=/_oauth
      - --secret=SECRET
#      - --log-level=debug
      - --log-level=info
      - --log-format=text
      - --lifetime=86400 # 1 day
      - --default-action=auth
      - --default-provider=google
      # Restrict to google workspace accounts
      - --domain=MYDOMAIN
      # Whitelist my personal email though...
      - --whitelist=MYEMAIL
      - --match-whitelist-or-domain
      # Google auth config
      - --providers.google.client-id=MYCLIENTID
      - --providers.google.client-secret=MYSECRET
    environment:
      - TZ=US/Eastern
    expose:
      - 4181/tcp
    labels:
      # provide google oauth middleware redirect for services (use this: 'oauth' to enable on services)
      - "traefik.http.middlewares.oauth.forwardAuth.address=http://oauth:4181"
      - "traefik.http.middlewares.oauth.forwardAuth.authResponseHeaders=X-Forward-User"

      # oauth website itself
      - "traefik.enable=true"
      - "traefik.http.routers.oauth.rule=Host(`oauth.MYDOMAIN`)"
      - "traefik.http.routers.oauth.tls=true"
      - "traefik.http.routers.oauth.tls.certresolver=leprod"
      - "traefik.http.routers.oauth.entrypoints=websecure"
      # WTF do we need this? See here: https://github.com/thomseddon/traefik-forward-auth/issues/11#issuecomment-885445763
      - "traefik.http.routers.oauth.middlewares=oauth"

      # Watchtower auto-update
      - "com.centurylinklabs.watchtower.scope=auto-update"

@0xEmma

0xEmma commented May 28, 2024

Same thing,
