Authorization failure loop behind proxy

Drone continually gives me 401’s on the call to /api/user/feed at the end of the login flow with Github. Upon 401 I get cycled back through the login flow which causes a login-loop that triggers the abuse mechanism from Github.

How can I tell why I am getting a 401? I am forwarding the headers through the proxy as well as the host.

I am deploying “drone/drone:alpine” on docker swarm, traffic goes nginx -> oauth2_proxy -> drone master

(for reference

I’m just looking for a way to troubleshoot this since I have no idea what Drone is missing that it desires for authorization to succeed, and how/when that authorization token/header/cookie is supposed to be initialized and persisted for this call to the /api/user/feed

If you place Drone behind a reverse proxy (or in this case two reverse proxies) you need to make sure you the original X-Forwarded-For and X-Forwarded-Proto headers are being passed to Drone (with the correct values) so that it can introspect its own URL which it sends to GitHub during the oauth2 workflow.

Another common issue is the redirect URL being misconfigured in GitHub. For example, if the scheme does not match (http vs https).

If you continue to experience issues I recommend removing some of these layers in front of Drone, and then adding them back one-by-one so you can better isolate the issue.

1 Like

OK Definitely related to the oauth2_proxy that I am using. oauth2_proxy actually authorizes based on github as well, but I wanted to use it because I can use 1 oauth2_proxy to secure multiple backends besides drone. Could this conflict somehow with what Drone needs to do to auth with Github?