ronnie_bonkers, 3 months ago

@jpmens is the authentication send to the backend server?
I have a Nginx proxy which handles basic authentication and i needed to remove the headers from the upstream request to not confuse the service running there.

proxy_set_header Authorization "";

zimpenfish, 3 months ago

@jpmens Had the same problem with Hugo’s livereload websocket. Solved it by creating a cookie after the first successful login and using that as an alternate authentication method. Not ideal at all but the only way I could find to avoid this with Safari.

This is my nginx configuration.

map $cookie_thingauth $mysite_hascookie {
  "COOKIE_VALUE" "off";
  default "auth/realm";
}
...
location /xyz/ {
  auth_basic $mysite_hascookie;
  auth_basic_user_file "/pw/file";
  add_header Set-Cookie "thingauth=COOKIE_VALUE;max-age=86400;path=/;secure";
  ...
}

thingauth and COOKIE_VALUE have to match between the two blocks.

Hopefully that helps and if there’s a better solution, I’d love to know myself.

jpmens, 3 months ago

deleted_by_author

zimpenfish, 3 months ago

@jpmens Yeah, auth/realm should probably match the other locations.

I can definitely see my cookie from my site in the Safari devtools under Storage/Cookies. No idea why it wouldn’t show up other than maybe there’s a filter applied? Although it disappears if I hit the refresh icon, weirdly, but comes back if I access the page again.

shaft, 3 months ago

@jpmens May be the "retry=60" on the "ProxyPass /owntracks/ws" line ? 🤔

jpmens, 3 months ago

deleted_by_author

shaft, 3 months ago

@jpmens It gave me strange results once in a non-ws proxy situation, so I asked :)

antondollmaier, 3 months ago

@jpmens TheForeman configures their websockets like this:

#Upgrade Websocket connections
RewriteCond %{HTTP:Upgrade} =websocket [NC]
RewriteRule /(.*) http://localhost:3000/|ws://foreman/$1 [P,L]

I suppose you've already combed through the browser error console and found nothing.

stroobl, 3 months ago

@jpmens Educated guess: some timeout config. Socket times out and needs new auth? Eg https://httpd.apache.org/docs/trunk/mod/mod_proxy_wstunnel.html#proxywebsocketidletimeout

jpmens, 3 months ago

deleted_by_author

dirksteins, 3 months ago

@jpmens this configuration works for the websockets in confluence:

<Location /synchrony>
Require all granted
RewriteEngine on
RewriteCond %{HTTP:UPGRADE} ^WebSocket$ [NC]
RewriteCond %{HTTP:CONNECTION} Upgrade$ [NC]
RewriteRule .* ws://localhost:1111%{REQUEST_URI} [P]
</Location>

Edit: yes, also with Safari, but it doesn’t use BasicAuth. So it may help or not.

jpmens, 3 months ago

deleted_by_author

dirksteins, 3 months ago

@jpmens damn. Good luck then.

schmic, 3 months ago

@jpmens I found this, not sure if it helps: https://support.jitbit.com/helpdesk/KB/View/47960847-continuous-authentication-prompts-on-safari-on-ios-when-using-windows-auth

jpmens, 3 months ago

deleted_by_author

schmic, 3 months ago

@jpmens With all the linked and link-linked bug reports behind this one I have not found a single server-side related idea though.

There are some thoughts about disabling compression for the specific user-agents but some reported it would not help.

Good luck.