https authentication unavailable when using cloudflare tunnels

[siegfriedclarke]

I'm having difficulty troubleshooting authentication on a small instance of inventree that I'm using for testing.

Error Description
When accessing this instance over HTTPS, no user is able to authenticate. On the standard login page this presents as an immediate redirect to an Authentication Failure page. For browsers that had an authentication cookie already, this presents as 403 Permission Denied when trying to do any action.

When accessing over HTTP, there is no such issue.

The issue seemed to arise following an upgrade from an earlier version in which i seemed to encounter the same problem as discussed in Issue 6751.

Much like benpayne, on setting INVENTREE_SITE_URL, the issue resolved - but only for HTTP.

Deployment Description
This is a bare metal deployment of inventree 0.14.2.

The server resides in the same network as a Cloudflared client.

Cloudflare is configured to route https://inventree.[mydomain].com to the IP of the inventree server. My understanding is that the traffic from cloudflare to the cloudflared client is encrypted over HTTPS (with cloudflare certs), while the last bit of traffic from cloudflared client to inventree server is then over HTTP.

I have set
INVENTREE_SITE_URL to https://inventree.[mydomain].com and
INVENTREE_TRUSTED_ORIGINS to https://inventree.[mydomain].com, http://inventree.[mydomain].com, http://localhost

I have also temporarily set INVENTREE_ALLOWED_HOSTS to *

Questions
Is there anything obvious I'm missing here?
I've reviewed the error logs at the /admin/errors url and can't identify anything; Does inventree keep login attempt logs that might help me troubleshoot this - if so where?

[albadedan]

I am having the same issue, although I am using a docker deployment.

[GilDev]

Same issue with a Docker Compose deployment.

[albadedan]

Having played around with it for a bit, I was able to have success with the following configuration. The only issue is that I haven't worked out why it suddenly started working.

# .env file

# Site URL - update this to match your host
INVENTREE_SITE_URL="http://inventree.domain.com"
INVENTREE_TRUSTED_ORIGINS="http://inventree.domain.com,https://inventree.domain.com"

Cloudflare tunnel public hostname:
type: HTTP
URL: server-ip:portnumber

This next step shouldn't make any difference, but I have had issues in the past where this appears to have solved the problem.
Go to Cloudflare DNS records, edit the CNAME record for the tunnel path, turn off Proxy status, Save. Then turn it back on again.
Like I say, that last step shouldn't be required, I think it has just become an auto-pilot troubleshooting step for me.

[albadedan]

So I don't host Inventree anymore. I was just testing it out to see if I could integrate it with another system.
When I was hosting it though, it would have been a standard IPv4 address for the server. 12.345.678.901:80, or whatever port you are using.

[kenkanadi]

Thanks for responding so quickly!
IT WORKS!!!
Thank you

[GilDev]

Hey, could you please list your configuration @kenkanadi? I’m still having trouble configuring this…

[jacobburrell]

Hey @GilDev this finally worked for me.

The only modification I did was to modify the trusted origins and site url.

INVENTREE_TRUSTED_ORIGINS="http://localhost:1234,http://sub.domain.com,https://sub.domain.com"
INVENTREE_SITE_URL="http://sub.domain.com"

INVENTREE_WEB_PORT=1234

As I pointed the web port to 1234 I directed Cloudflare to use a public hostname of http type to localhost:1234

[GilDev]

I can’t set the INVENTREE_SITE_URL variable to a HTTPS URL right? But I have a .dev TLD so I’m forced to use HTTPS.