Dashboard 2 behind authenticating reverse proxy

Hi guys.

I'm running Node-RED behind an authenticating reverse proxy (Traefik 2 with thomseddon/traefik-forward-auth Azure AD OIDC).

Works perfectly fine for Node-RED (and everything else I run), but not for Dashboard 2. Initially I have no problems. I can open and use the Dashboard from my iPhone, but when I open the same tab again some time later I'm met with a white screen. No error messages, nothing. A refresh doesn't do anything. The only way around it is to open Node-RED in a separate tab where it automatically authenticates and then reopen Dashboard, which then works.

My theory is that this is related to the offline nature of the Dashboard PWA in some way, but I'm way out of my depth here. Why does this affect Dashboard 2 and nothing else? Client side web stuff is not my thing...

So, do you guys have any theory on why this might be happening? Is there a way around it, or is my setup with an authenticating reverse proxy not supported? Is it possible to get the same end result another way (given Azure AD OIDC, and not Okta)?

Hi @Fredrik, thanks for the question, this is definitely behaviour I've seen with others (I know @Colin has had issues here too), and its generally been linked to a timeout of the SocketIO connection we have.

I thought we had fixed the problems, but apparently not!

Just to sanity check, what version of the Dashboard 2.0 package are you running?

Thanks for the quick response. Feels good to know that I'm not alone! :wink: I'm running 1.14.0

Thanks for confirming.

These are difficult ones to debug, especially via phones.

Did you see any notification about losing connection in your Dashboard, before the white screen?

No. I use Dashboard on my phone and it works. When I open it up again later (hours later) I'm met with a white screen. If I open it up just minutes later I get the 'Connection re-established' dialog and everything works so it obvious that it's related to a longer timeout of some kind. That's why I thought it related to authentication. The feeling I get is that it's not able or willing to use the existing authentication token but if I re-authenticate the session using another Node-RED URL it starts working again.

At first I thought it was because I hade it installed as a 'Home Screen app' but I get the same result in Safari as a regular web page tab.

So we did have a 30 minute timeout, and give up if no connection, but we recently changed it to link to the number of attempts so that the browser would still try on a re-open of a browser.

Seems as though weve not accounted for all use cases though.

I think I'm edging closer to just enforcing a page refresh at that point, as it fixes a lot of our problems, and would enforce the authentication prompt

I agree, see also Yet Another PWA Hang - after dashboard (or node red) update · Issue #1042 · FlowFuse/node-red-dashboard · GitHub which is another case where an apparently unrecoverable error has been encountered and we just hang at that point. I think anywhere that a complete failure is detected it should show a notification saying that it has failed and will reload the page in 30 seconds, or whatever. So if the failure really is permanent then at least it will not just sit there doing nothing.

However, I must also say that I use the dashboard extensively on Android devices and have not seen the problem that @Fredrik is reporting since the improvements made in earlier versions, so I wonder whether it is Apple related in some way.

@Fredrik, when you get the white screen, if you force a refresh (on an Android device this is done by swiping down) what happens?

I have just looked at the code again in ui/src/main.mjs and in fact if it has not recovered after the scheduled retries then it does already reload the page, so there are not many places that it does now hang.

@Fredrick are you absolutely certain that you are using the latest version of the dashboard on this system? Check the node red startup log to check. Also, have you tried uninstalling the PWA app on the phone and redoing it, in case the app still relates to an earlier version.
When you get the failure in Safari what do the developer network tools show?

A refresh doesn't seem to do anything, I'm still getting the same white screen.

However, if I open a new tab and navigate to any Node-RED URL, switch BACK to the old Dashboard tab and THEN press refresh the Dashboard opens and reconnects.

I'll try removing and reinstalling and then test it again.

Have you tried looking at the developer console in Safari? Or using remote debugging to see the console when running on the phone, assuming you can do that on and apple like you can with Android.

So this is exactly the same workarounds that were required when we first saw this issue, and is linked to the PWA/SocketIO problems.

Sorry to see you're hitting this problem, but hopefully we can find a "final" solution to sorting it out

@Colin not sure how to check the dev console on an iPhone. I think you can do it in Xcode but I've never tried.

I've been playing around with this and gotten a bit further.

I started by making sure that I was running the latest version by uninstalling and completely removing and then reinstalling Dashboard - didn't help.

After that I removed the full screen 'Home Screen app'-shortcut, closed all tabs, deleted Safari history and cache and tried again - and it worked!

Thinking that I'd solved it I then recreated the Home Screen shortcut - and it stopped working again. The full screen app and the Safari tab both. Interestingly enough the mere existence of the 'Home Screen' shortcut seems to break the Safari tab as well. After once again removing the shortcut the Safari tab started working again, so as long as the Home Screen shortcut exists both itself and the Safari tab starts exhibiting the same white screen behaviour.

Don't ask me to explain it, but it looks like Apple's doing some weird stuff with the full screen web apps that even affects the same app in a regular Safari tab.

I would have enjoyed having the Dashboard as a Home Screen app but that's definitely something that I can live without, so hopefully this isn't some temporary fluke and it'll continue working for me!

Are you able to test it in an android phone? That will tell us if it an Apple issue or something in your node-red server setup, your authentication setup for example.

When it is working in Safari what do you see when required to authenticate?

Sorry no, I haven't got any Android device.

When required to authenticate I see the redirection to Azure AD for the token refresh (login.microsoftonline.com/common/oauth2/...), the interactive authentication flow (usually not necessary since I'm already authenticated), and then the redirection back to Node-RED.

Is the url publicly accessible? If so would you be able to PM it to me and I will try it myself. I won't need to logon, just check that it redirects to the login page.

On second thoughts that won't work as I won't be able to setup the shortcut without logging on.

Found something! When Dashboard reloads it tries to redirect to login.microsoftonline.com for auth and fails with:

I don't think that I set the Access-Control-Allow-Origin response header anywhere. Are you?

1 Like

@hardillb do we set anything specific here for FF Auth?

i had (maybe have :stuck_out_tongue_closed_eyes:) the same problem. I set the Access-Control-Allow-Origin in nginx with:

server {
  listen 443;  ....
...
...
...

  add_header 'Access-Control-Allow-Origin' 'https://auth.xxxxxxxxxx.com' always;

  location /dashboard {
        add_header 'Access-Control-Allow-Origin' 'https://auth.xxxxxxxxxx.com' always;
...
...
        proxy_pass http://localhost:1880/dashboard;

   }
}

nuke all caches in firefox, the it works most of the time...

1 Like