Hello all,
I am setting up roundcube in a dockerized environment, and am trying to enable authentication over oauth. My setup:
- Traefik reverse proxy for all http(s) traffic. Automatic redirect to https, using letsencrypt for automatic certificate issuance/renewal. Confirmed working on a few websites (redirecting all http traffic to https always)
- docker-mailserver - set up under mail.example.com. Confirmed working, both send and receive over TLS etc. Mail service ports are not fronted by Traefik.
- Roundcube, vanilla (no plugins). Under webmail.example.com. Fronted by traefik. Can send/receive emails using password authentication using my mailserver. Set up like here : https://hub.docker.com/r/roundcube/roundcubemail/#! more detail here : https://github.com/roundcube/roundcubemail-docker/blob/master/examples/docker-compose-fpm-alpine.yaml
- Roundcube, as other services, is redirected to https, and served with a valid certificate from letsencrypt.
- Authelia authentication server. Also fronted by traefik. Under auth.example.com. Confirmed working - can authenticate against other services on my root domain *.example.com
So, now begins the interesting part - I set up roundcube oauth to authenticate against my authelia server, like described here :
https://github.com/roundcube/roundcubemail/wiki/Configuration:-OAuth2 and also here:
https://github.com/authelia/authelia/discussions/7048.
Once i enter webmail.example.com, I am redirected to auth.example.com. I do my login-stuff, and expect to redirected back to roundcube. However, I get an error, originating from my authelia backend, saying
Redirect URL is using an insecure protocol. http is only allowed for hosts with suffix "localhost ..." - this is after having added
http://webmail.example.com/index.php/login/oauth in the list of allowed redirection uris in authelia. If I use only the http
s variant in authelia config, the process errors out sooner, since authelia rejects the login attempt without asking for credentials if the redirect url isn't in its allowed list.
From Authelia documentation, I know that Authelia is hard-coded to reject insecure redirect uris.
So my question is : how come roundcube is asking authelia to redirect back to
http://webmail.example.com, instead of http
s://webmail.example.com? I see, that nowhere in the process do I provide the roundcube container with the FQDN webmail.example.com, neither with http nor https. Therefore, roundcube must be getting this from somewhere else, most certainly traefik. But what I don't understand, is why it picks up the insecure variant, whereas traefik is explicity configured to never serves that up.
From Authelia forums/issue tracker, I know there are confirmed cases where the combination authelia+roundcube works - so I strongly suspect the issue to sit on my side of the keyboard, maybe in configuring the interplay with traefik reverse proxy. I would really appreciate it, if someone could point me in the right direction.
Greetings,
Indriði.
