Concourse 4.x HTTP ERROR 400 on http_basic auth in UI


#1

Hi,

Since version 4.0 (we tested 4.1 too), we are unable to log into our Concourse using the basic auth method.

Our setup:
Bosh cluster deployment using concourse-bosh-deployment

bosh vms -d concourse

Deployment 'concourse'

Instance                                     Process State  AZ  IPs          VM CID                                   VM Type  
db/0d48a071-3821-4145-a2ec-82fb09cc279d      running        z1  172.27.1.31  vm-a9cc448f-22df-4645-8e22-db91d629a50d  small    
web/00abb06c-7491-4fca-b169-5fcfbf5df9f6     running        z1  172.27.1.33  vm-c283405e-52bf-44cf-86aa-c7ff00aaa0d6  medium   
worker/6a00bfb5-a8c9-4aaf-9646-c74448b2243a  running        z1  172.27.1.34  vm-d2e284aa-3b75-4e48-b9c6-9970496a9ca2  large    
worker/78345867-1749-4edc-a09c-c90a71ca429e  running        z1  172.27.1.32  vm-eda36f85-f562-4946-b775-fa95fc7b18de  large   

Our routing is configured so that 5.22.148.171 redirects to 172.27.1.1, which is the standard router for 172.27.1/24.

Our external URL in the concourse manifest is https://5.22.148.171:8080

We added our standard user using the concourse-bosh-deployment ops file https://github.com/concourse/concourse-bosh-deployment/blob/master/cluster/operations/basic-auth.yml.

We can see the home screen of Concourse under https://5.22.148.171:8080, and a click on login redirects us to the login form https://5.22.148.171:8080/sky/issuer/auth/local?req=<req_id>, which is also displayed.

When we enter wrong Concourse credentials, the form shows a tooltip indicating that the credentials are invalid. If we enter valid credentials, our redirect to https://5.22.148.171:8080/sky/callback?code=<code> receives an HTTP 400 response.

best,
D


#2

We were able to find out that the problem only happens on a redirect. When we use a VPN to access the private IP of the web instance 172.27.1.33 directly, our authentication works fine.


#3

Any ideas for a fix for this? I'm having the same issue using HAProxy.


#4

Hi mylucidreality,

we could resolve the problem.

Our domain for our Concourse resolved to our ha-proxy public IP, which then redirected the request from 5.22.148.171 to our private network where Concourse was deployed.

After changing the external_url to the domain name, in our case https://ci.de.a9s.eu, we could reach the Concourse UI and authenticate using OAuth.

Please note that while using https in the external URL, your SSL cert must currently be issued by a TA, as we could not find a skip-ssl-validation flag for self-signed certs (@vito, could you add one in future releases?).

In our case the workaround was to let the ha-proxy perform the SSL termination.

If you need further support, don’t hesitate to ask.

best,
D
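The resolution above comes down to one condition: the web node itself must be able to fetch its own external_url over HTTPS with a certificate its trust store accepts, because the /sky/callback handling talks back to the issuer at that address. The following is an added example (not code from this thread or from the Concourse project) of a check to run on the web node before blaming the proxy. It assumes the issuer lives under <external_url>/sky/issuer (the path visible in the login URLs above) and that the embedded Dex issuer publishes the usual /.well-known/openid-configuration document; the function names and the two sample documents are constructed for illustration.

```python
"""Pre-flight check for Concourse 4.x external_url / auth callback problems.

Added example, not part of the thread or of Concourse. Assumptions:
  - issuer URL is <external_url>/sky/issuer (seen in the thread's login URLs)
  - discovery document is served at <issuer>/.well-known/openid-configuration
    (standard Dex behaviour; assumed here)
"""
import json
import ssl
import sys
import urllib.error
import urllib.request

ISSUER_PATH = "/sky/issuer"
DISCOVERY_PATH = ISSUER_PATH + "/.well-known/openid-configuration"  # assumed Dex path


def expected_issuer(external_url: str) -> str:
    """Issuer URL the embedded issuer should advertise for this external_url."""
    return external_url.rstrip("/") + ISSUER_PATH


def check_discovery(external_url: str, doc: dict) -> list:
    """Return a list of problems found in a discovery document.

    The browser is sent to authorization_endpoint, and the web node redeems
    the ?code= from /sky/callback at token_endpoint. If either points at an
    address that the browser or the web node cannot reach (e.g. a private
    IP, or a host/port that differs from external_url), login breaks after
    the password is accepted, which matches the symptom in the thread.
    """
    problems = []
    issuer = expected_issuer(external_url)
    if doc.get("issuer") != issuer:
        problems.append(f"issuer is {doc.get('issuer')!r}, expected {issuer!r}")
    for key in ("authorization_endpoint", "token_endpoint"):
        value = doc.get(key)
        if not value:
            problems.append(f"{key} missing")
        elif not value.startswith(issuer + "/"):
            problems.append(f"{key} {value!r} is not under {issuer!r}")
    return problems


def fetch_discovery(external_url: str, timeout: float = 5.0):
    """Fetch the discovery document the way the web node would.

    Uses the default *validating* TLS context on purpose: a self-signed
    certificate on external_url fails here just as it fails inside the web
    node, and the thread notes there is no skip-ssl-validation knob for it.
    Returns (doc, None) on success or (None, error_text) on failure.
    """
    url = external_url.rstrip("/") + DISCOVERY_PATH
    ctx = ssl.create_default_context()
    try:
        with urllib.request.urlopen(url, timeout=timeout, context=ctx) as resp:
            return json.load(resp), None
    except urllib.error.URLError as e:
        # urllib wraps connection-time errors (including cert failures) in URLError
        if isinstance(e.reason, ssl.SSLCertVerificationError):
            return None, f"TLS certificate for {url} is not trusted on this host: {e.reason}"
        return None, f"cannot reach {url} from this host: {e.reason}"
    except OSError as e:
        return None, f"cannot reach {url} from this host: {e}"


# Constructed sample documents (not captured from a real deployment).
GOOD_DOC = {
    "issuer": "https://ci.example.test/sky/issuer",
    "authorization_endpoint": "https://ci.example.test/sky/issuer/auth",
    "token_endpoint": "https://ci.example.test/sky/issuer/token",
}
# What you would see if external_url still named the web node's private address.
BAD_DOC = {
    "issuer": "https://172.27.1.33:8080/sky/issuer",
    "authorization_endpoint": "https://172.27.1.33:8080/sky/issuer/auth",
    "token_endpoint": "https://172.27.1.33:8080/sky/issuer/token",
}


def main(argv):
    external_url = argv[1] if len(argv) > 1 else "https://ci.example.test"
    doc, err = fetch_discovery(external_url)
    if err:
        print("FAIL:", err)
        return 1
    problems = check_discovery(external_url, doc)
    for p in problems:
        print("PROBLEM:", p)
    print("OK" if not problems else "FAIL")
    return 1 if problems else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it on the web node as `python3 check_external_url.py https://ci.de.a9s.eu`: a certificate error here is the same trust failure the web node hits during the code exchange, and that is exactly the case that terminating TLS at ha-proxy with a publicly trusted certificate removes.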


#5

Could this be the same as https://github.com/concourse/concourse/issues/2463?


#6

@vito yes, looks like.

  1. Are you using local user based auth exclusively? (i.e. no GitHub or other external auth provider)
  2. Did you intentionally prohibit your web node from being able to reach the internet? Or was it an oversight/limitation?
  3. Would you be able to permit outbound traffic?

  1. We do use local user based auth exclusively.
  2. and 3. We are using vSphere without any restriction on our Staging to let the node reach out.

Let me know if you need more debug info from our system. After changing the external URL and performing SSL termination for our self-signed cert on ha-proxy, 4.0.0 works like a charm.

best,
D