Cannot log in using API Key... #82

Open
joedima opened this issue Jan 13, 2025 · 15 comments

Comments

@joedima

joedima commented Jan 13, 2025

Hi

I am writing this because I have been trying to configure headplane to work with headscale for a few days and I am very frustrated. I am doing something wrong and I do not understand what.

So I have both headscale and headplane running in docker on a VPS server. My reverse proxy is Caddy. I have configured headplane to log in at my.domain.com/admin. The enter API dialog shows up and when I enter the key, it tells me that the key is invalid. Headscale log is telling me that it is missing 'Bearer' prefix from the authorization header.

ERR home/runner/work/headscale/headscale/hscontrol/app.go:357 > missing "Bearer " prefix in "Authorization" header client_address=172.18.0.2:54850

However, when I run a local headscale in a local container and headplane in debug mode with 'pnpm dev', this does not happen. The key is recognized immediately.

If someone is kind enough to point me in the right direction, it would be greatly appreciated.

Thank you.
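The log line quoted in the post above shows headscale rejecting a request whose `Authorization` header does not start with `Bearer `. The following is an added example, not part of the original post or of either project: `probe()` sends one request with a chosen header value so a key can be tested against headscale directly, bypassing the proxy and Headplane. `StubHeadscale`, its response bodies, the 401 status and `VALID_KEY` are constructed stand-ins so the demo runs offline; `/api/v1/apikey` is assumed to be the headscale REST route for listing API keys.

```python
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

VALID_KEY = "constructed-sample-key"  # constructed value, not a real key
# Ignore proxy environment variables so the probe reaches the target directly.
OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))

class StubHeadscale(BaseHTTPRequestHandler):
    """Constructed stand-in applying the prefix check named in the log line."""
    def do_GET(self):
        auth = self.headers.get("Authorization", "")
        if not auth.startswith("Bearer "):
            self._reply(401, 'missing "Bearer " prefix')  # status is assumed
        elif auth[len("Bearer "):] != VALID_KEY:
            self._reply(401, "invalid key")  # assumed response
        else:
            self._reply(200, "ok")

    def _reply(self, status, text):
        body = text.encode()
        self.send_response(status)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # silence per-request stderr logging
        pass

def probe(base_url, header_value):
    """GET the API with this Authorization value; return (status, body)."""
    req = urllib.request.Request(base_url + "/api/v1/apikey")
    if header_value is not None:
        req.add_header("Authorization", header_value)
    try:
        with OPENER.open(req, timeout=5) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode()

def run_demo():
    server = HTTPServer(("127.0.0.1", 0), StubHeadscale)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    base = f"http://127.0.0.1:{server.server_port}"
    cases = {"no header": None, "bare key": VALID_KEY,
             "wrong key": "Bearer abcd", "valid key": "Bearer " + VALID_KEY}
    results = {name: probe(base, value) for name, value in cases.items()}
    server.shutdown()
    return results
```

A missing header and a key sent without the prefix both fail the prefix check, while a prefixed but unknown key fails at a later step, so the two failures can be told apart.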

@tale
Owner

tale commented Jan 13, 2025

Can you send your exact configuration please.

@joedima
Author

joedima commented Jan 13, 2025

This is from my docker_compose.yml:

  headplane:
    container_name: headplane
    image: ghcr.io/tale/headplane:0.3.9
    restart: unless-stopped
    volumes:
      - ./data:/var/lib/headscale
      - ./config:/etc/headscale
      - /var/run/docker.sock:/var/run/docker.sock:ro
    ports:
      - '3000:3000'
    environment:
      DEBUG: 'true'
      COOKIE_SECRET: 'cookie_secret'
      # HEADSCALE_URL: 'https://my.domain.net'
      HEADSCALE_INTEGRATION: 'docker'
      HEADSCALE_CONTAINER: 'headscale'
      DISABLE_API_KEY_LOGIN: 'true'
      HOST: '0.0.0.0'
      PORT: '3000'
      # CONFIG_FILE: '/etc/headscale/config.yaml'
      COOKIE_SECURE: 'true'
      # ROOT_API_KEY: 'zabcdefghijklmnopqrstuvwxyz'
      ROOT_API_KEY: 'root_api_key'
    networks:
      - proxy_network

Please let me know if you need more information. Thank you for your help.

@joedima
Author

joedima commented Jan 14, 2025

The program requires ROOT_API_KEY no matter what. If it is not specified, it will go in a loop and not serve pages for log in. But since I do not have OIDC set up yet, I do not think it should be needed. It is also confusing because it is mentioned in the documentation that it can be optional.

@tale
Owner

tale commented Jan 14, 2025

That is most likely a bug then, let me investigate and I'll get back to you.

@joedima
Author

joedima commented Jan 14, 2025

If you want me to help you with testing, I would be glad.

Also, I will try to do the Authelia setup since with the latest updates, they added a new layer to AuthN/AuthZ. I will let you know what I find.

@RJDavison

Is there any update to this? I'm having the exact same problem using Caddy with virtually the same config.

Requires ROOT_API_KEY even if you set this to false. Also can't get past the API key as it keeps saying that it's invalid.

@chan-a

chan-a commented Feb 2, 2025

Same issue here. Here's my docker-compose.yml

  caddy:
    image: caddy:latest
    restart: unless-stopped
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - ./Caddyfile:/etc/caddy/Caddyfile
      - caddy_data:/data
      - caddy_config:/config
    networks:
      - proxy_network

  headscale:
    image: headscale/headscale:stable
    volumes:
      - ./headscale/config:/etc/headscale
      - headscale-data:/var/lib/headscale
    expose:
      - "8080"
      - "9090"
    command: serve
    restart: unless-stopped
    networks:
      - proxy_network

  headplane:
    container_name: headplane
    image: ghcr.io/tale/headplane:latest
    restart: unless-stopped
    volumes:
      - ./headscale/config:/etc/headscale
      - headscale-data:/var/lib/headscale
      - '/var/run/docker.sock:/var/run/docker.sock:ro'
    environment:
      # This is always required for Headplane to work
      COOKIE_SECRET: 'asdfsadifasdoifbasdiof'
      HEADSCALE_INTEGRATION: 'docker'
      HEADSCALE_CONTAINER: 'headscale'
      DISABLE_API_KEY_LOGIN: 'true'
      HOST: '0.0.0.0'
      PORT: '3000'
      ROOT_API_KEY: 'abcd'
    networks:
      - proxy_network

And caddy file

mydomain {
    reverse_proxy headscale:8080
    encode gzip
}

Note that I did manage to get it to run with the "basic" configuration, note the docker integration has all been commented out

  headplane:
    container_name: headplane
    image: ghcr.io/tale/headplane:latest
    restart: unless-stopped
    # volumes:
    #   - ./headscale/config:/etc/headscale
    #   - headscale-data:/var/lib/headscale
    #   - '/var/run/docker.sock:/var/run/docker.sock:ro'
    # ports:
    #   - '3000:3000'
    environment:
      HEADSCALE_URL: 'http://headscale:8080'
      COOKIE_SECRET: 'asdfsadifasdoifbasdiof'
      # HEADSCALE_INTEGRATION: 'docker'
      # HEADSCALE_CONTAINER: 'headscale'
      DISABLE_API_KEY_LOGIN: 'true'
      HOST: '0.0.0.0'
      PORT: '3000'
      ROOT_API_KEY: 'abcd'
    networks:
      - proxy_network

@RJDavison

What worked for me was to add a proper API_KEY despite the config instructions saying that it's not needed and having the DISABLE_API_KEY_LOGIN set to true.

ROOT_API_KEY: 'zabcdefghijklmnopqrstuvwxyz'

@GraphicHamster

I've also been struggling to get headplane to even launch (docker)
I can confirm that giving it some gibberish for ROOT_API_KEY got it to launch

@tale
Owner

tale commented Feb 2, 2025

ROOT_API_KEY needs to be a valid Headplane generated key.

@tale tale closed this as completed Feb 2, 2025
@tale tale reopened this Feb 2, 2025
@zmweske

zmweske commented Feb 10, 2025

Does the API key need to be an api key for your oidc provider or a preauth key for your headscale server?

EDIT: It seems to be a headscale apikeys create product

@RJDavison

RJDavison commented Feb 10, 2025 via email

@Herve-M

Herve-M commented Feb 10, 2025

The headscale server. Just make sure you create it with a long expiry.

According to the doc, ROOT_API_KEY is related to OIDC provider, not headscale. Maybe it should be updated?

@tale
Owner

tale commented Feb 10, 2025

Yes the docs are bad, and I will fix them.

@wx2020

wx2020 commented Feb 11, 2025

@tale By the way, can you provide an example of a configuration file in the docs when using nginx or caddy as a front proxy? Because I didn't find it anywhere. Thanks a lot!
