Hi,
Has anyone used FusionAuth in Traefik to secure container access through the ForwardAuth middleware?
https://doc.traefik.io/traefik/v2.4/middlewares/forwardauth/
I am trying to figure out right now how to do this.
br Michael
You can add to the database_url: ?ssl=true&sslmode=require (pick the mode you actually require).
If your server supports TLS 1.3+, you should force 1.2 on the client:
FUSIONAUTH_APP_ADDITIONAL_JAVA_ARGS="-Djdk.tls.client.protocols=TLSv1.2"
(https://fusionauth.io/community/forum/topic/938/secure-db-connection-with-tls-1-3/4?_=1629097757303)
No worries around it.
Cockroach itself provides great support for running within Kubernetes / running in multiple availability zones with automated sharding (not the average use case^^).
Whenever it is fixed on the Cockroach side (https://github.com/cockroachdb/cockroach/issues/40963?version=v20.2), I will of course report here if it works.
So far we are using FusionAuth with CockroachDB, and this is the only error that has popped up until now.
Would it be possible to change the query to something like:
DELETE FROM
    user_registrations_application_roles
WHERE
    user_registrations_id IN
    (
        SELECT
            user_registrations.id
        FROM
            user_registrations
        WHERE
            user_registrations.id = user_registrations_application_roles.user_registrations_id
            (...)
    )
So far we are using FusionAuth with CockroachDB as our database. PW logins are working.
Right now the only remaining problem we see is with:
DELETE
FROM user_registrations_application_roles USING user_registrations
WHERE user_registrations_application_roles.user_registrations_id = user_registrations.id AND (...)
^
Hint: You have attempted to use a feature that is not yet implemented.
See: https://go.crdb.dev/issue-v/40963/v20.2
I cannot see the remainder of the query, but would it be possible to remove the "USING"?
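The rewrite asked about in the two posts above (DELETE ... USING replaced by an IN subquery), as an added example that is not part of the original posts and not FusionAuth's own code. It assumes an in-memory SQLite database as a stand-in for CockroachDB/PostgreSQL, a hypothetical `users_id` filter column in place of the elided `(...)`, and constructed sample rows.

```python
import sqlite3

# Minimal constructed schema; only the table and join column names come from the posts.
SCHEMA = """
CREATE TABLE user_registrations (id TEXT PRIMARY KEY, users_id TEXT NOT NULL);
CREATE TABLE user_registrations_application_roles (
    user_registrations_id TEXT NOT NULL,
    application_roles_id  TEXT NOT NULL
);
"""
# Constructed sample rows.
REGISTRATIONS = [("reg-1", "alice"), ("reg-2", "alice"), ("reg-3", "bob")]
ROLES = [("reg-1", "role-a"), ("reg-1", "role-b"),
         ("reg-2", "role-a"), ("reg-3", "role-a")]

# Rows the join form (DELETE ... USING user_registrations) would target.
# users_id is a hypothetical stand-in for the elided "AND (...)" predicate.
JOIN_TARGETS = """
SELECT r.user_registrations_id, r.application_roles_id
FROM user_registrations_application_roles AS r
JOIN user_registrations AS ur ON r.user_registrations_id = ur.id
WHERE ur.users_id = ?
"""

# Rewrite without USING: the filter moves into an uncorrelated subquery.
DELETE_SUBQUERY = """
DELETE FROM user_registrations_application_roles
WHERE user_registrations_id IN (
    SELECT id FROM user_registrations WHERE users_id = ?
)
"""

ALL_ROLES = "SELECT * FROM user_registrations_application_roles"


def compare(user_id):
    """Return (rows the join form targets, rows the rewrite deleted, rows left)."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO user_registrations VALUES (?, ?)", REGISTRATIONS)
    db.executemany(
        "INSERT INTO user_registrations_application_roles VALUES (?, ?)", ROLES)
    expected = set(db.execute(JOIN_TARGETS, (user_id,)).fetchall())
    before = set(db.execute(ALL_ROLES).fetchall())
    db.execute(DELETE_SUBQUERY, (user_id,))
    after = set(db.execute(ALL_ROLES).fetchall())
    db.close()
    return expected, before - after, after
```
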
Solved by:
- name: FUSIONAUTH_APP_ADDITIONAL_JAVA_ARGS
  value: "-Djdk.tls.client.protocols=TLSv1.2"
I am trying to connect to a Postgres DB system with SSL. The TLS 1.3 config seems to have something in the certificate so that the handshake fails (all other clients I use with Node.js and Python work with it).
jdbc:postgresql://hostname:26257/fusionauth?ssl=true
So far it seems like OpenJDK had a bug with this: https://bugs.openjdk.java.net/browse/JDK-8236039
Any ideas on how to solve it?
Caused by: javax.net.ssl.SSLHandshakeException: extension (5) should not be presented in certificate_request
at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:131)
at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:117)
at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:312)
at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:268)
at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:259)
at java.base/sun.security.ssl.SSLExtensions.<init>(SSLExtensions.java:90)
at java.base/sun.security.ssl.CertificateRequest$T13CertificateRequestMessage.<init>(CertificateRequest.java:819)
at java.base/sun.security.ssl.CertificateRequest$T13CertificateRequestConsumer.consume(CertificateRequest.java:923)
at java.base/sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:396)
at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:445)
at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:423)
at java.base/sun.security.ssl.TransportContext.dispatch(TransportContext.java:182)
at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:167)
at java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1462)
at java.base/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1370)
at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:437)
at org.postgresql.ssl.MakeSSL.convert(MakeSSL.java:41)