Reverse proxy authentication to Woodpecker CI and Gitea #837
pboguslawski wants to merge 19 commits into
Conversation
This mod adds an option to authenticate a user using an HTTP header set by a reverse proxy. It forwards the specified HTTP header with the authenticated username in requests to Gitea.

Requirements:

* Gitea must be configured for reverse proxy authentication and must accept HTTP header auth in API calls (go-gitea/gitea#15119).

To enable, set the following variables in the woodpecker server environment (woodpecker running behind a reverse proxy):

* internal woodpecker server URL, i.e.: WOODPECKER_HOST_INTERNAL=http://192.168.1.100:8000
* enable reverse proxy auth in woodpecker and forwarding of the auth header to gitea: WOODPECKER_GITEA_REV_PROXY_AUTH=true
* set the name of the header with the authenticated username (set by the reverse proxy), i.e.: WOODPECKER_GITEA_REV_PROXY_AUTH_HEADER=X-Forward-Username

Related: go-gitea/gitea#15119
Author-Change-Id: IB#1107569
Fixes: f3e08a2
Author-Change-Id: IB#1107569
qwerty287
left a comment
- Docs are missing, please add them.
- Please remove the changed copyright headers, we do this nowhere else.
qwerty287
left a comment
I don't fully understand this PR, but why do you disable OAuth2 for the rev proxy auth? I'm not an expert with reverse proxies, but shouldn't it be possible to use OAuth2 with them?
If you use a proxy for authentication, the proxy is responsible for this and backend apps like gitea or woodpecker should trust it (user login passed in the specified header). Because woodpecker must authenticate to gitea using an HTTP call, it must also be able to forward the header with the user login to authenticate the user in gitea. OAuth2 is a different/separate auth logic and I don't see any point in trying to use it along with proxy auth using HTTP headers.
Fixes: f3e08a2
Related: woodpecker-ci#837
Author-Change-Id: IB#1107569
Fixed.
Well, sorry that we don't come along to review it ... @pboguslawski what really would help us is some docker-compose with such an auth-proxy in it ... so we can test it and play around with it.
Providing a container infrastructure setup script/description for header auth is not easy, requires time and is outside the scope of this PR (feel free to create a separate issue if required). For simple tests, consider setting up or using your favourite proxy (i.e. apache, nginx, haproxy) in front of the woodpecker + gitea backends with hardcoded
Co-authored-by: qwerty287 <80460567+qwerty287@users.noreply.github.com>
CI failed :/ (lint issue)
anbraten
left a comment
OAuth2 works just fine. As misconfigurations of the reverse proxy setup could lead to some serious security issues, I will close this PR now. Anyway, thanks for your work.
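The header-trust model the PR description sets up and the misconfiguration risk named in the closing comment, as an added Go example that is not Woodpecker's or Gitea's code: the backend accepts the proxy-set username header only when the connection comes from the proxy's own network (the TrustedNet check is this example's assumption, not a setting from the PR), and then forwards the username to Gitea as the PR describes.

```go
package main

import (
	"errors"
	"net"
	"net/http"
)

// RevProxyAuth mirrors the PR's settings (header name, on/off switch) plus a
// trusted-proxy network, which is this example's own assumption.
type RevProxyAuth struct {
	Enabled    bool
	HeaderName string     // the value of WOODPECKER_GITEA_REV_PROXY_AUTH_HEADER
	TrustedNet *net.IPNet // only this peer may assert a username (assumed extra)
}

var (
	ErrUntrustedPeer = errors.New("auth header not from trusted proxy")
	ErrNoUser        = errors.New("proxy auth header missing or empty")
)

// UserFromRequest returns the username asserted by the proxy, but only when the
// TCP peer is the proxy itself: a client reaching the backend directly and
// setting the header (the misconfiguration risk raised in review) is rejected.
func (c RevProxyAuth) UserFromRequest(r *http.Request) (string, error) {
	if !c.Enabled {
		return "", errors.New("reverse proxy auth disabled")
	}
	host, _, err := net.SplitHostPort(r.RemoteAddr)
	if err != nil {
		return "", err
	}
	if ip := net.ParseIP(host); ip == nil || c.TrustedNet == nil || !c.TrustedNet.Contains(ip) {
		return "", ErrUntrustedPeer
	}
	user := r.Header.Get(c.HeaderName)
	if user == "" {
		return "", ErrNoUser
	}
	return user, nil
}

// ForwardToGitea copies the verified username onto the outgoing Gitea API
// request, which is how the PR lets Gitea authorize the call (gitea#15119).
func (c RevProxyAuth) ForwardToGitea(out *http.Request, user string) {
	out.Header.Set(c.HeaderName, user)
}
```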
This mod adds an option to authenticate a user using an HTTP header set by a
reverse proxy. It forwards the specified HTTP header with the authenticated
username in requests to Gitea.

Requirements:

* Gitea must be configured for reverse proxy authentication and must accept HTTP header auth in API calls
  (Allow Token API calls be authorized using the reverse-proxy header go-gitea/gitea#15119).

To enable, set the following variables in the woodpecker server
environment (woodpecker running behind a reverse proxy):

* internal woodpecker server URL, i.e.:
  WOODPECKER_HOST_INTERNAL=http://192.168.1.100:8000/
* enable reverse proxy auth in woodpecker and forwarding of the auth
  header to gitea:
  WOODPECKER_GITEA_REV_PROXY_AUTH=true
* set the name of the header with the authenticated username (set by the
  reverse proxy), i.e.:
  WOODPECKER_GITEA_REV_PROXY_AUTH_HEADER=X-Forward-Username

Related: go-gitea/gitea#15119
Author-Change-Id: IB#1107569