OIDC behind reverse proxy causes connection loop

[baptisterajaut]

Hello gentlefolks.

I have a particular problem.
I'm supposed to have about 15 differents apache servers behind various oidc configuration, so i built a custom docker image that listens to a full path and manage oidc. This image works flawlessly.

Heres the config :

LoadModule auth_openidc_module modules/mod_auth_openidc.so

<VirtualHost *:80>

    ServerAdmin admin
    DocumentRoot /var/www/

    #this is required by mod_auth_openidc
    OIDCCryptoPassphrase a-random-secret-used-by-apache-oidc-and-balancer

    OIDCProviderMetadataURL ${OIDCProviderMetadataURL}

    OIDCClientID ${OIDCClientID}

    OIDCClientSecret ${OIDCClientSecret}

    OIDCRedirectURI ${OIDCRedirectURI}
    OIDCXForwardedHeaders X-Forwarded-Port X-Forwarded-Proto Forwarded X-Forwarded-Host
    RewriteEngine On
    <If "'${SubPath}' != 'NOTCHANGED'">
        RewriteCond %{REQUEST_URI} !(.*)/$
        RewriteRule ^(.*${SubPath})$ $1/ [L,R=301]
    </If>
   
    <Location />
        AuthType openid-connect
        Require claim role:${role}
    </Location>
    <Location /${SubPath}>
        ProxyPass "http://localhost"
        ProxyPassReverse "http://localhost"

     </Location>
</VirtualHost>

With this $SubPath variable being the subpath of the domain i use (domain.com/bar/foo being bar/foo as a subpath)

In order to not have 15 different lines on my load balancer, i made a stupid reverse proxy using a server host as subpath
Here's what i mean :

<VirtualHost *:80>

    ServerAdmin admin
    DocumentRoot /var/www/
    ProxyPreserveHost On
    RequestHeader set X-Original-URI ${Path}
    RequestHeader set X-Forwarded-Proto expr=%{REQUEST_SCHEME}
    RequestHeader set X-Forwarded-Host expr=%{HTTP_HOST}
    RequestHeader set X-Forwarded-Port expr=%{SERVER_PORT}
    
    RewriteEngine On

    <LocationMatch ^/${Path}(.*)$>
            ProxyPass "http://$1"
            ProxyPassReverse "http://$1"
            
    </LocationMatch>
</VirtualHost>

with $Path being in the above example "bar/" so when i access bar/foo i go to a docker container named foo.

This oevrall works but the redirect part is thrown into a loop between the oidc provider and the oidc redirect url (usually bar/foo/redirect_uri )
If i squeeze that "smart" reverse proxy and put directly bar/foo in my load balancer, everything works flwalessly. Liekwise, once i'm logged, that "smart" reverse proxy setup works. But when i want to login using that setup it loops until i get the following error :
the number of existing, valid state cookies (7) has exceeded the limit (7), no additional authorization request + state cookie can be generated, aborting the request

I guess i'm missing something simple but i can't figure it out. Also no help from searching for my issue, and chatgpt is not really of help.

Thanks !

[zandbelt]

the server log would probably tell you what is going on

[baptisterajaut]

Hi.
First of all, thank you for you mainteining work as uptil now, it woked flawlessly without much effort, and secondly, thank you for answering me.
Sadly, all ii get is a vague idea of the problem from the oidc apache :

oidc_clean_expired_state_cookies: state (mod_auth_openidc_state_ytoq0iwA7f5TqgF_qnHHIFF9QF4) has expired (original_url=https://domain.com:80/redirect_uri?state=REDACTED&session_state=REDACTED&code=REDACTED)
oidc_clean_expired_state_cookies: state (mod_auth_openidc_state_fiuqlQ-11I3sQWMgfWzIToR2wjM) has expired (original_url=https://domain.com:80/redirect_uri?state=REDACTED2&session_state=REDACTED2&code=REDACTED2)
oidc_authorization_request_set_cookie: the number of existing, valid state cookies (7) has exceeded the limit (7), no additional authorization request + state cookie can be generated, aborting the request

The reverse server has no error.
This errors tells me :

• it uses port 80 for something it shouldnt. But i tried to set https everywhere with some RequestHeader set X-Forwarded-Proto "https" RequestHeader set X-Forwarded-Port "443" in the reverse server to no avail.
• redirect_uri is not where it should be, as it should be at domain.com/bar/foo/redirect_uri. EDIT : false flag. Keycloak tells me the redirect uri is indeed correct.

But i don't know where lies the issue...... Or if it's something i suspect at all.

[baptisterajaut]

Ok i think i have moved. Siwtching loglevel to debug i can see on the "smart" reverse:

[client 10.42.81.98:36910] AH00944: connecting http://foo/redirect_uri?state=REDACTED&session_state=REDACTED&code=REDACTED.REDACTED.c112765a-45c1-4215-9ba3-c738575cdad8 to foo:80
[client 10.42.81.98:36910] AH00947: connected /redirect_uri?state=REDACTED&session_state=REDACTED&code=REDACTED.REDACTED.c112765a-45c1-4215-9ba3-c738575cdad8 to foo:80

And in the OIDC :

oidc_get_current_url: current URL 'https://domain.com/redirect_uri?state
oidc_util_request_matches_url: comparing "/redirect_uri"=="/bar/foo/redirect_uri"

It seems the complete url is not preserved through the "smart" reverse proxy. Any idea?

Heres what the config looks like now :

<VirtualHost *:80>

    ServerAdmin admin
    DocumentRoot /var/www/
    ProxyPreserveHost On
    RequestHeader set X-Forwarded-Host expr=%{HTTP_HOST}
    RequestHeader set X-Original-URI %{REQUEST_URI}
    RequestHeader set X-Forwarded-Proto "https"
    RequestHeader set X-Forwarded-Port "443"
    LogLevel debug

    RewriteEngine On

    <LocationMatch ^/${Path}(.*)$>
            ProxyPass "http://$1"
            ProxyPassReverse "http://$1"
            RewriteCond %{REQUEST_URI} \.
            RewriteRule .* - [F]
            ErrorDocument 403 "Nice try but no."
    </LocationMatch>
</VirtualHost>
 

[baptisterajaut]

More info !
After asking chatgpt 4 (we try what we try), i tried this simple-ish config :

<VirtualHost *:80>

    ServerAdmin [email protected]
     DocumentRoot /var/www/
    ProxyPreserveHost Off # On, off, doesnt change much it seems
    RequestHeader set X-Forwarded-Host expr=%{HTTP_HOST}
    RequestHeader set X-Forwarded-Proto "https"
    RequestHeader set X-Original-URL expr=%{REQUEST_SCHEME}://%{HTTP_HOST}%{REQUEST_URI}
    RequestHeader set X-Forwarded-Port "443"
    LogLevel rewrite:trace3

    RewriteEngine On
    RewriteCond %{REQUEST_URI} ^/${Path}(.*)$
    RewriteRule ^/${Path}(.*)$ http://$1 [P,QSA,L]
</VirtualHost>

with the rewrite logs being very clear as such :

init rewrite engine with requested uri /bar/foo/redirect_uri
applying pattern '^/bar/(.*)$' to uri '/bar/foo/redirect_uri'
rewrite '/bar/foo/redirect_uri' -> 'http://foo/redirect_uri'
forcing proxy-throughput with http://foo/redirect_uri
go-ahead with proxy request proxy:http://foo/redirect_uri [OK]

But this "smart" reverse proxy still not preserving the current complete url through the proxy.

Is what i'm trying to do impossible?

[rameshkhot08]

baptisterajaut

Are you able to resolve this issue? I am also facing same.

[baptisterajaut]

baptisterajaut

Are you able to resolve this issue? I am also facing same.

Nope. I abandonned this smart reverse proxy alltogether. It was supposed to be a workaround about something having a single entrypoint for many services (while only allowing one service for this entrypoint) but I did something else entirely.