Proxy a site with a login form, can't login

Hello all,

Trying to proxy a website to be able to have it in Organizr tab/iframe (requires removing x-frame-options, got this part working)

However the foreign/destination website has a login form and it won’t accept my login, it might be looking at referer/host.

nb.example.com {
  log /caddy/logs/sub_access.log {
    rotate_size 1          # Rotate after 1 MB
    rotate_age  7          # Keep log files for 7 days
    rotate_keep 2          # Keep at most 2 log files
  }

  errors /caddy/logs/sub_error.log {
    rotate_size 1          # Set max size 1 MB
    rotate_age  7          # Keep log files for 7 days
    rotate_keep 2          # Keep at most 2 log files
  }

  proxy / https://norbits.net {
    transparent
    #websocket
    header_downstream X-Frame-Options ALLOWALL
  }
}

Can this at all be done?

Thanks in advance

Edited; put in real domains in question

Can you elaborate on this? What happens when it won’t accept your login? Is there an error produced by the site? The nature of the failure here might provide some clues to a fix.

I’m actually trying to proxy 2 different sites, and got them mixed up in my initial post sorry.

This one (proxy to norbits) doesn’t actually get me to the login form, it just returns a 502 bad gateway.
The console only says; GET https://nb.example.com/favicon.ico 502

I’ll open another topic for the other one at a later time (the one that gave me the login form just refreshes, no error in console except some javascript).

I’ll bet any money that it’s setting your login via cookie with the cookie domain set to the original domain (not your own website’s domain). When it tells your browser to refresh after setting the cookie, it expects your browser to send that cookie on the new connection, but it doesn’t because the domain doesn’t match, hence not logged in (and no error).

And I’ll bet there is no way to circumvent this right?

I expect not. You’d need to have to intercept the cookie being set and alter it so it’s set for your own site.

Track this PR which exists to add the functionality you’ll need: https://github.com/mholt/caddy/pull/2144

Thanks, I’ll track that PR.

Any idea about the current one with norbits.net? Also cookies? Or is something else the root of the 502?

Thanks

Throw a curl -IL https://norbits.net from the Caddy host and let us know what you get.

C:\Users\Administrator>curl -IL https://norbits.net
HTTP/1.1 302 Moved Temporarily
Server: nginx
Date: Mon, 25 Feb 2019 13:42:55 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.6.40-1+0~20190111135530.9+stretch~1.gbp5f42c9
Location: /login.php?returnto=%2F
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block

HTTP/1.1 200 OK
Server: nginx
Date: Mon, 25 Feb 2019 13:42:55 GMT
Content-Type: text/html; charset=iso-8859-1
Connection: keep-alive
X-Powered-By: PHP/5.6.40-1+0~20190111135530.9+stretch~1.gbp5f42c9
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block

Moved temporarily

I’m not seeing anything there that should cause a 502.

Can you launch Caddy with fresh access and error logs, make a request to your site to trigger the proxy, and then copy the error and access logs here as well?

nb_access.log;

192.168.1.1 - - [25/Feb/2019:14:59:40 +0100] "GET / HTTP/2.0" 502 16
192.168.1.1 - - [25/Feb/2019:14:59:41 +0100] "GET /favicon.ico HTTP/2.0" 502 16

nb_error.log

25/Feb/2019:14:59:40 +0100 [ERROR 502 /] EOF
25/Feb/2019:14:59:41 +0100 [ERROR 502 /favicon.ico] EOF

I think I might have figured it out!

Run curl -IL -H "Host: nb.mymai.dk" https://norbits.net from your Caddy host and tell me if you get a curl: (52) Empty reply from server.

Indeed, exactly what I got

The nginx server at norbits.net is configured to drop connections for the wrong Host. You’ve set the transparent preset for your proxy, which among other things sets Host header as the host the client originally requested (your own site). Hence, when users proxy through your Caddy, the upstream nginx drops the connection made by Caddy (wrong Host).

Drop transparent and try again.
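
The failure diagnosed above, reproduced offline as an added example (not code from this thread or from Caddy): a loopback upstream that closes the connection for any Host other than its own, behind a Go standard-library reverse proxy that either forwards the client's Host or sends the upstream's. The names `upstream.test`, `newStrictUpstream` and `statusThroughProxy` are hypothetical.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/http/httputil"
	"net/url"
)

// Hypothetical names: the only Host the origin answers, and the Host the browser sends.
const upstreamName, clientHost = "upstream.test", "nb.example.com"

// newStrictUpstream mimics an origin that drops connections for a foreign Host.
func newStrictUpstream() *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Host != upstreamName {
			panic(http.ErrAbortHandler) // close without replying: the proxy reads EOF
		}
		fmt.Fprint(w, "login form")
	}))
}

// statusThroughProxy returns the status a client receives when the proxy
// forwards the client's Host unchanged (true) or sends the upstream's (false).
func statusThroughProxy(preserveClientHost bool) int {
	upstream := newStrictUpstream()
	defer upstream.Close()
	target, _ := url.Parse(upstream.URL)
	proxy := httptest.NewServer(&httputil.ReverseProxy{Director: func(r *http.Request) {
		r.URL.Scheme, r.URL.Host = target.Scheme, target.Host
		if !preserveClientHost {
			r.Host = upstreamName // what the upstream expects to see
		}
	}})
	defer proxy.Close()
	req, _ := http.NewRequest("GET", proxy.URL+"/", nil)
	req.Host = clientHost
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return -1
	}
	defer resp.Body.Close()
	return resp.StatusCode
}

func main() {
	fmt.Println(statusThroughProxy(true), statusThroughProxy(false)) // 502 200
}
```

With the client's Host forwarded, the proxy logs an EOF from the upstream and answers 502, matching the error log above.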

That works, and apparently they don’t do the same with the cookie since I can login as well.

Oh well, now just need that PR :)

Thanks for all your help!
