Topics tagged with proxy

Receiving 502 errors when using Cloudflare in front of FusionAuth

dan — Invalid Date

This is due to non-ASCII characters in headers causing an issue in the FusionAuth parsing code. Cloudflare sends headers with non-ASCII characters (such as cf-region: São Paulo) which triggers this issue.

This is a java-http bug that was fixed in 2024, and released in FusionAuth version 1.51.2.

So, two options:

upgrade to a version of FusionAuth 1.51.2 or newer. This is the recommended approach, but may require some work. as an interim workaround, you can disable the "Add visitor location headers" option from your CloudFlare console. This should not have any negative impact, since we do not inspect those headers.

Apache2 reverse proxy setup exposing directory listings and serving unintended files

ctrenner — Invalid Date

@dan The configuration files and logs are inaccessible, assuming you're talking about the ones residing up a directory from /fusionauth-app/.

Thank you for stating the risks of the leakage. The only thing that raised flags here was the default fusionauth.properties file in the template directory had the default database user and password, but those should be, and were, changed when installing.

I will fork and submit a PR later tonight or this week.

Thanks again.

Security and PKCE

dan — Invalid Date

Hiya,

PKCE is great and should be used if supported. This helps prevent authorization code replay attacks, as recommended here: https://tools.ietf.org/html/draft-ietf-oauth-security-topics-16#page-6

Using a proxy and storing the access token on server side rather than javascript solves a different set of security concerns. Because access tokens are typically bearer tokens and are not sender constrained, anyone who gets them has access to whatever they grant access to.

This means that if your javascript has access to the token, so does any other javascript running on your page. If you are comfortable with that (you've audited all the javascript in all the libraries, and their dependencies to ensure that there's no security issues) then storing the access token may be ok.

Since that level of comfort with javascript libraries is not typical (do you know what is going on in the dependencies of your dependencies? many folks don't), we recommend one of two approaches:

store the access token server side, and use the session to tie the client to the access token (what our blog posts typically do) store the access token in a secure, httponly cookie, so that it is not accessible to javascript, but is sent to any APIs. That's more fully fleshed out here: https://fusionauth.io/learn/expert-advice/authentication/spa/oauth-authorization-code-grant-jwts-refresh-tokens-cookies/

Of course, you alone know your security posture and what you're comfortable with, but that's what we recommend.

IIS as a reverse proxy?

dan — Invalid Date

We don't have any IIS guides for a proxy, but this guide looks like it would work: https://docs.microsoft.com/en-us/iis/extensions/url-rewrite-module/reverse-proxy-with-url-rewrite-v2-and-application-request-routing

The key is that version 1.19.x of FusionAuth is completely stateless so the proxy can round-robin and no session pinning is required. If you are using a version of FusionAuth before 1.19, you'll need to pin your session to ensure that you can log into the administrative interface.

Can I use a proxy with FusionAuth?

dan — Invalid Date

There's no supported way. Here's the official docs:

FusionAuth is able to handle all HTTP traffic and any network handling between the browser and FusionAuth should be as simple as possible.

However, this solution was found by a community member (for the docker install). Configure the environment variable:

FUSIONAUTH_ADDITIONAL_JAVA_ARGS: -Dhttp.proxyHost=some.proxy -Dhttp.proxyPort=8210 -Dhttp.nonProxyHosts="localhost|127.0.0.1|10.*.*.*|172.*.*.*"

before you start FA and it should work.