Comments (20)
@desimone so I finally got back to this.
The problem is still present:
- I generate new cookie/shared secret to be sure this is behaving as a fresh start
- I (re)start all the services
- I connect to a protected app
- I get redirected to the authenticate service which redirect me to google signin
- I get redirected back to the protected app and the error below appears
- I can click on session and see my session - I can refresh the page and access the protected app
Furthermore:
- if I remove the cookies and reconnect to the app, I can signin and get redirected successfully to the app.
- if I restart the service (but do not delete the cookies), I can signin and get redirected successfully to the app.
- if I restart the service and delete the cookies, I can signin but get the error above.
@travisgroth @desimone this is fixed in v3.0.0, thanks for your patience.
@desimone I'm out of my depth in there :) I was hoping for some kind of very simple solution that would retry once on connection failure in this situation or something like that.
Let's also note that this is not a severe bug, even though it's not nice to experience.
@desimone I will try v0.0.4 very soon and get back to you on this
@victornoel We started handling transient GRPC issues a bit more gracefully with #261. Can you check on reproducing when you have a moment?
I've also received a very similar error. I've used Google as the identity provider and after logging in, I'm redirected to a 500 server error.
The logs in the proxy display:
ERR proxy: error redeeming authorization code error="rpc error: code = Unavailable desc = all SubConns are in TransientFailure, latest connection error: <nil>"
Environment:
- Pomerium version: v0.0.3+7bf257f
- Architecture: Synology/Docker
I've seen this error when I've done an (unsafe) restart of one of the services. all subconns are in transientFailure usually means one of the services is down... but this is especially odd in the context of using it with Synology because these connections would all be over localhost.
@1rootgear Can you tell me a little bit about what was going on prior to the error? Is it intermittent? Any surrounding errors?
The issue is not intermittent, it consistently provides that error when I try to access the page or refresh after authenticating. So everything starts out appearing as if it will work but after authenticating it redirects to the Pomerium 500 internal server error page.
An error and warning do appear when first accessing the page - before authenticating.
DBG proxy: starting auth flow error="http: named cookie not present" fwd_ip=10.0.1.1 ip=172.17.0.1
ERR authenticate: failed to load session error="internal/sessions: invalid session"
WRN authenticate: authenticate error error="internal/sessions: invalid session"
Then the TransientFailure happens.
I created a debian docker container and compiled Pomerium, however I'm getting similar errors.
ERR authenticate: failed to load session error="http: named cookie not present"
ERR proxy: error redeeming authorization code error="rpc error: code = Unavailable desc = all SubConns are in TransientFailure, latest connection error: connection error: desc = \"transport: authentication handshake failed: EOF\"
The issue is not intermittent, it consistently provides that error when I try to access the page or refresh after authenticating. So everything starts out appearing as if it will work but after authenticating it redirects to the Pomerium 500 internal server error page.
Ahh, okay. My hunch is that there is some sort of configuration error.
DBG proxy: starting auth flow error="http: named cookie not present" fwd_ip=10.0.1.1 ip=172.17.0.1
Means your session is invalid. This is normal if you have not yet authenticated. The error could be more clear so I'll fix that.
ERR proxy: error redeeming authorization code error="rpc error: code = Unavailable desc = all SubConns are in TransientFailure, latest connection error: connection error: desc = "transport: authentication handshake failed: EOF"
This makes me think the underlying error is certificate related. Authentication and authorization related actions are made of remote procedure calls over the network via gRPC. In your case, this is a little goofy because the calls are being made over localhost since we aren't running pomerium in a distributed fashion. It looks like the proxy service is trying to make a TLS connection to the authenticate/authorize services on localhost but does not trust the certificate and thus blocks the connection. Are you using
Would you be able to post links to your complete logs / configuration? As you mentioned you are using synology, you can do the following.
For settings,
Docker > Container > pomerium > right click pomerium > export container settings > export.
For logs,
Docker > Container > pomerium > Log > Export > CSV
Be sure to remove any sensitive data like passwords and secret keys before posting. You can also send this to me directly at bobby{my github user name}@gmail.com.
So the initial DBG proxy: starting auth flow error= I mentioned is before authenticating, that's when you first attempt to go to httpbin.my-domain.com, for example. If the error is more specific as you mention that could be helpful.
I've tried using AUTHENTICATE_INTERNAL_URL and AUTHORIZE_INTERNAL_URL as localhost:443, in conjunction with OVERRIDE_CERTIFICATE_NAME - but still cannot get rpc error to go away.
Looks like you did not finish your sentence "are you using", what were you going to ask?
Synology Docker Pomerium config linked:
https://pastebin.com/VZxne6js
And here are the logs:
https://pastebin.com/faeD8Bji
I should note, this Synology is sitting behind haproxy... however, I've successfully accessed the Synology directly through the reverse proxy while using these certs.
@1rootgear thank you for attaching your logs and config settings.
I meant to ask if you were using a LetsEncrypt (or universally trusted CA) wild card subdomain tls certificate?
Try:
- (Re)-set AUTHENTICATE_INTERNAL_URL and AUTHORIZE_INTERNAL_URL to localhost:443 again and OVERRIDE_CERTIFICATE_NAME to whatever your wildcard domain is.
- Set CERTIFICATE_AUTHORITY or FILE to be whatever your CA's cert chain is.
I'm pretty confident this is certificate and ingress related. Just to explain my thinking a bit...
*_INTERNAL_URL settings need to be set behind any ingress (haproxy vs nginx shouldn't matter, pomerium needs to be told to connect to itself directly over the local socket instead of trying to traverse the network again from the dns domain). Otherwise -- and I've had this happen -- pomerium is going to try to connect back out through the network and then be load balanced by whatever Ingress you are using. Unfortunately few balancers currently natively support HTTP2/gRPC so the request will fail and you'll usually get a vague error of a bad handshake or bad content type depending on your ingress type.
For example, if I follow the synology guide but omit those settings I see something like....
{
"level":"error",
"fwd_ip":"192.168.1.1",
"ip":"172.17.0.1",
"user_agent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.103 Safari/537.36",
"req_id":"f35b128e-97fe-e696-79e3-704cf5635f7f",
"error":"rpc error: code = Internal desc = transport: received the unexpected content-type \"text/html; charset=utf-8\"",
"time":"2019-04-14T19:32:38Z",
"message":"proxy: error redeeming authorization code"
}
Let me know if that helps; or even if we can get a slightly different error.
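To make the two settings in the advice above concrete, here is an added Go example (not pomerium's own code) that stands in for the proxy's internal TLS connection to localhost. It generates a self-signed wildcard certificate for a constructed name, *.my-domain.com, in place of a CA-issued one, and tries the handshake three ways: system roots only, CA file without a name override, and CA file plus override (the roles of CERTIFICATE_AUTHORITY_FILE and OVERRIDE_CERTIFICATE_NAME).

```go
package main
import (
	"crypto/ecdsa"; "crypto/elliptic"; "crypto/rand"; "crypto/tls"
	"crypto/x509"; "crypto/x509/pkix"; "fmt"; "math/big"; "time"
)
// wildcardCert builds a self-signed cert for *.my-domain.com (constructed here in place of a
// CA-issued wildcard cert) and a pool trusting it, which is what CERTIFICATE_AUTHORITY_FILE supplies.
func wildcardCert() (tls.Certificate, *x509.CertPool, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { return tls.Certificate{}, nil, err }
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "*.my-domain.com"},
		DNSNames: []string{"*.my-domain.com"}, IsCA: true, BasicConstraintsValid: true,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil { return tls.Certificate{}, nil, err }
	leaf, _ := x509.ParseCertificate(der)
	pool := x509.NewCertPool(); pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, pool, nil
}
// dialLocal is the proxy side of an internal gRPC call: a TLS handshake to localhost.
// roots == nil means the system trust store; serverName plays the part of OVERRIDE_CERTIFICATE_NAME.
func dialLocal(addr, serverName string, roots *x509.CertPool) error {
	c, err := tls.Dial("tcp", addr, &tls.Config{ServerName: serverName, RootCAs: roots, MinVersion: tls.VersionTLS12})
	if err != nil { return err }
	return c.Close()
}
// Handshakes serves the wildcard cert on localhost (the authenticate/authorize side, handshake only)
// and returns each client outcome: system roots only, CA file without override, CA file plus override.
func Handshakes() (systemRoots, caNoOverride, caAndOverride error) {
	cert, pool, err := wildcardCert()
	if err != nil { return err, err, err }
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{cert}})
	if err != nil { return err, err, err }
	go func() {
		for {
			c, err := ln.Accept()
			if err != nil { return }
			go func() { c.(*tls.Conn).Handshake(); c.Close() }()
		}
	}()
	addr := ln.Addr().String()
	return dialLocal(addr, "authenticate.my-domain.com", nil),
		dialLocal(addr, "localhost", pool), dialLocal(addr, "authenticate.my-domain.com", pool)
}
func main() {
	a, b, c := Handshakes()
	fmt.Printf("system roots only: %v\nCA file, no override: %v\nCA file + override: %v\n", a, b, c)
}
```

Only the third dial succeeds: without the CA the chain is untrusted, and with the CA but no name override the wildcard cert does not match "localhost", which is the same shape of failure as a "transport: authentication handshake failed" error.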
Great! Utilizing CERTIFICATE_AUTHORITY_FILE worked! I'm using a wildcard Let's Encrypt certificate and now using this CA - Let’s Encrypt Authority X3 (IdenTrust cross-signed)
Just to note, I am also utilizing AUTHENTICATE_INTERNAL_URL and AUTHORIZE_INTERNAL_URL to localhost:443 again and OVERRIDE_CERTIFICATE_NAME as you mentioned.
Now the last weird thing - and I almost commented on it earlier but had edited it out, as I thought it may have been a fluke. My referrer is going through - referer=https://accounts.youtube.com/accounts/SetSID even after setting IDP_PROVIDER_URL to "https://accounts.google.com". So right after logging in, the URL is briefly changing to accounts.youtube.com as you'd imagine. This is more of a formality at this point. However, I've checked in GCP and it does not appear that anything is pointing to youtube. Any ideas?
Glad to hear it's working!
As for why the referrer is going through youtube, I admit that sounds strange and is definitely specific to google. I'm not sure but my best guess is that google logs you into multiple other products including youtube when you complete an SSO request and youtube is the final stop before hitting the pomerium redirect URL.
See:
- http://teacher-seo.blogspot.com/2012/06/google-is-redirecting-to.html
- https://webapps.stackexchange.com/questions/30254/why-does-gmail-login-go-through-youtube-com
- https://support.google.com/mail/forum/AAAAK7un8RUwWlLUvoO-wU/?hl=en&gpf=%23!msg%2Fgmail%2FwWlLUvoO-wU%2F5xdymIDG5rMJ&msgid=5xdymIDG5rMJ
@desimone @1rootgear glad you could find a solution. Do we agree that the original description is actually not related to the discussion you just had?
@victornoel That's right. Sorry to muddy-the-waters.
I think the original issue you reported (though I haven't reproduced it yet) is due to the connection between grpc server/clients being severed and the solution would be to implement layer 4 load balancing [2] to prevent service interruption on restart or upgrade.
@desimone Thanks for your assistance, and it looks like according to those links you mentioned that it's normal to be logged into many google services at once.
@victornoel Sorry for stealing your thread, I was not sure if it was related in the beginning or not.
@victornoel Have you seen this recently?
@travisgroth I may wait for v0.3.0, but if I can I will try to test it yes
Great. Thanks for confirming!