Error on getting the build logs
Everything is working as expected with the exception of receiving "Error on getting the build logs" when performing an action on a workspace (docker container) in the UI
I note on the frontend in console
WebSocket connection to 'wss://<MY DOMAIN>/api/v2/workspaceagents/ba345d10-1986-4879-8747-32a2dd4e67b7/logs?follow&after=0' failed
and in Chrome developer tools network tab I get
logs?follow=true&after=-1 Finished websocket index-635f8de7.js:174 0 B 21 m
Can anyone point me in the right direction to get this sorted so that build logs are displayed in the UI?
Everything appears to be working apart from this.
19 Replies
<#1210388346182828062>
Category
Help needed
Product
Coder OSS (v2)
Platform
Linux
Logs
Please post any relevant logs/error messages.
SERVERIP - - [23/Feb/2024:00:55:28 +0000] "GET /api/v2/workspacebuilds/3f26a902-63f6-45e8-8d46-5d763af4c986/logs?follow=true&after=-1 HTTP/1.1" 403 262 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36" "-" "/api/v2/workspacebuilds/3f26a902-63f6-45e8-8d46-5d763af4c986/logs?follow=true&after=-1"174 0 B 21 m
from nginx access log I'm revieving 403 for this request
Bump on this ...
I've tried everything I can think of
Have you configured your nginx to allow connection upgrade? See our example snippet here: https://github.com/coder/coder/tree/main/examples/web-server/nginx#configure-nginx
GitHub
coder/examples/web-server/nginx at main · coder/coder
Provision remote development environments via Terraform - coder/coder
I am running coder from behind Authelia and Authelia has a proxy.conf include below
## Basic Proxy Configuration
client_body_buffer_size 128k;
proxy_next_upstream error timeout invalid_header http_500 http_502 http_503; ## Timeout if the real server is dead.
proxy_redirect http:// $scheme://;
proxy_http_version 1.1;
proxy_cache_bypass $cookie_session;
proxy_no_cache $cookie_session;
proxy_buffers 64 256k;
proxy_set_header Connection "";
## Trusted Proxies Configuration
## Please read the following documentation before configuring this:
## https://www.authelia.com/integration/proxies/nginx/#trusted-proxies
# set_real_ip_from 10.0.0.0/8;
# set_real_ip_from 172.16.0.0/12;
# set_real_ip_from 192.168.0.0/16;
# set_real_ip_from fc00::/7;
real_ip_header X-Forwarded-For;
real_ip_recursive on;
## Advanced Proxy Configuration
send_timeout 5m;
proxy_read_timeout 360;
proxy_send_timeout 360;
proxy_connect_timeout 360;
I commented out proxy_set_header Connection ""; and thought everything would be okay but I was wrong.
I commented out Authelia's use of coder's nginx example and appended them below the proxy_pass in the location block.
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection upgrade;proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto;
add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always;
After the build logs would display in the UI.
So if you're interested in implementing MFA with Coder using Authelia I can confirm that it does work and an instructional would be very easy to write up and I would be willing to do so as a means to contribute back to the community. Please let me know.
Authelia will pass headers from auth_request_set
proxy_set_header Remote-User $user;
proxy_set_header Remote-Groups $groups;
proxy_set_header Remote-Name $name;
proxy_set_header Remote-Email $email
and if CODER_DISABLE_PASSWORD_AUTH=true is set then perhaps the $user or $email could be used for automatically logging the user inThanks for the info! Yep, that sounds about right. For websockets you need both
Connection and Upgrade headers, so it looks like your nginx wasn't passing that along.
We're always happy to accept PRs! If you're interested in writing this up, this sounds like it could be a good page under docs/guides (https://github.com/coder/coder/blob/main/docs/guides/)
Feel free to tag me (@johnstcn) for review if you do!If I make changes to https://github.com/coder/coder/blob/3e6e1e6f1014435578411a86b7dd514ec2db16b4/coderd/userauth.go#L317 and https://github.com/coder/coder/blob/3e6e1e6f1014435578411a86b7dd514ec2db16b4/coderd/users.go#L389 to use the $user header returned by Authelia and have it not perform password auth can I essentially have my Authelia user signed in automatically after performing login and MFA using Authelia? I have only had a very brief look and iundertand there may be some more complexities involved hence why I am asking you for advice.
GitHub
coder/coderd/userauth.go at 3e6e1e6f1014435578411a86b7dd514ec2db16b...
Provision remote development environments via Terraform - coder/coder
GitHub
coder/coderd/users.go at 3e6e1e6f1014435578411a86b7dd514ec2db16b4 ·...
Provision remote development environments via Terraform - coder/coder
This is how it currently works
I would like to disable password authentication and use the header passed from Authelia to login as a specific user. If you could point me to the relvant sections of code I will have a crack at making this happen. I'm also open to any ideas as I know that sometimes I take a convoluted approach to something that can be achieved more easily.
This appears similar to an existing issue: https://github.com/coder/coder/issues/11901
I would advise that this is not a trivial issue to implement, but that once it is completed it should be relatively generic and applicable to essentially any auth provider
GitHub
☂️ support for external authentication via identity-aware proxies (...
This is an umbrella issue to track support for external authentication via identity-aware proxies ("header-based auth") such as Google Cloud IAP, Microsoft Entra Application Proxy, and AW...
We do plan on supporting this, but a bit later in the year (likely April to June)!
Thanks for the heads up and me wasting time hacking together a solution that would probably be insecure and buggy at best 🙂