ACL Tab returns 401 #1436

Closed
Ginja opened this issue Nov 20, 2015 · 3 comments

Ginja commented Nov 20, 2015

EDIT:

Digging into this a little bit further, it seems Chrome is re-prompting because the ACL tab returns a 401 which immediately invalidates any cached credentials.

https://code.google.com/p/chromium/issues/detail?id=72589

Could the response code be changed for the ACL page to possibly something like 403 so certain browsers won't re-prompt for authentication?


I don't think this is an issue with Consul per se, but I thought I would raise the issue here just in case someone has a suggestion or has resolved this already. I've configured NGINX to proxy_pass for both /ui and /v1/ to my Consul servers, and I've configured nginx-auth-ldap for AD authentication. Everything is working fine, but after I authenticate in Chrome, I get re-prompted to authenticate after I click through several tabs (e.g. Services->Nodes->ACL->DC->Re-Authentication Window). I do not get this issue in Firefox. Would anyone know why? Below are my NGINX proxy_pass configs, the issue I raised on the nginx-auth-ldap repo, and the access logs from this type of event in Chrome & Firefox:

If more information is required please let me know. Thanks in advance!

kvspb/nginx-auth-ldap#106

upstream consul {
  server 172.20.20.10:8500 max_fails=3 fail_timeout=60;
  server 172.20.20.11:8500 backup max_fails=3 fail_timeout=60;
  server 172.20.20.12:8500 backup max_fails=3 fail_timeout=60;
}

server {
  listen         80 default_server;
  server_name    consul-nginx-centos6;
  return         301 https://$server_name$request_uri;
}

server {
  listen 443 ssl default_server;

  server_name    consul-nginx-centos6;

  auth_ldap "Please enter your DOMAIN credentials";
  auth_ldap_servers dc01;
  auth_ldap_servers dc02;

  ssl on;
  ssl_certificate /etc/nginx/ssl/server.crt;
  ssl_certificate_key /etc/nginx/ssl/server.key;

  location / {
    proxy_pass http://consul/ui/;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
  }

  location /v1/ {
    proxy_pass http://consul/v1/;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
  }

  access_log /var/log/nginx/consul_access.log;
  error_log  /var/log/nginx/consul_error.log error;
}

You can see from below that it drops the $remote_user header when I make that last request in Chrome.

###
# Chrome - Username redacted
###
10.0.2.2 - [username] [19/Nov/2015:16:22:49 +0000] "GET /v1/internal/ui/nodes?dc=kitchen&token= HTTP/1.1" 200 1565 "https://127.0.0.1:8443/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.86 Safari/537.36"
10.0.2.2 - [username] [19/Nov/2015:16:22:50 +0000] "GET /v1/internal/ui/services?dc=kitchen&token= HTTP/1.1" 200 165 "https://127.0.0.1:8443/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.86 Safari/537.36"
10.0.2.2 - [username] [19/Nov/2015:16:22:52 +0000] "GET /v1/acl/list?dc=kitchen&token= HTTP/1.1" 401 20 "https://127.0.0.1:8443/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.86 Safari/537.36"
10.0.2.2 - - [19/Nov/2015:16:22:54 +0000] "GET /v1/internal/ui/services?dc=kitchen&token= HTTP/1.1" 401 596 "https://127.0.0.1:8443/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.86 Safari/537.36"

###
# Firefox - Username redacted
###
10.0.2.2 - [username] [19/Nov/2015:16:36:44 +0000] "GET /v1/internal/ui/nodes?dc=kitchen&token= HTTP/1.1" 200 1565 "https://127.0.0.1:8443/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:38.0) Gecko/20100101 Firefox/38.0"
10.0.2.2 - [username] [19/Nov/2015:16:36:51 +0000] "GET /v1/internal/ui/services?dc=kitchen&token= HTTP/1.1" 200 165 "https://127.0.0.1:8443/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:38.0) Gecko/20100101 Firefox/38.0"
10.0.2.2 - [username] [19/Nov/2015:16:36:53 +0000] "GET /v1/acl/list?dc=kitchen&token= HTTP/1.1" 401 20 "https://127.0.0.1:8443/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:38.0) Gecko/20100101 Firefox/38.0"
10.0.2.2 - [username] [19/Nov/2015:16:36:55 +0000] "GET /v1/internal/ui/services?dc=kitchen&token= HTTP/1.1" 200 165 "https://127.0.0.1:8443/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:38.0) Gecko/20100101 Firefox/38.0"
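
To tell apart the two kinds of 401 visible in the access logs above, the following sketch labels each request by the layer that most likely produced the 401 and reports where a client stops sending credentials. It is an added example, not part of the original issue or of Consul or NGINX; the sample lines, the users `alice` and `bob`, and the function names are constructed for illustration.

```python
import re

# nginx "combined" log layout, matching the log lines quoted in the issue.
LINE_RE = re.compile(
    r'(?P<addr>\S+) - (?P<user>\S+) \[[^\]]+\] '
    r'"\S+ (?P<uri>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample modelled on the Chrome excerpt; users are made up.
SAMPLE = '''\
10.0.2.2 - alice [19/Nov/2015:16:22:50 +0000] "GET /v1/internal/ui/services?dc=kitchen&token= HTTP/1.1" 200 165 "-" "UA"
10.0.2.2 - alice [19/Nov/2015:16:22:52 +0000] "GET /v1/acl/list?dc=kitchen&token= HTTP/1.1" 401 20 "-" "UA"
10.0.2.2 - - [19/Nov/2015:16:22:54 +0000] "GET /v1/internal/ui/services?dc=kitchen&token= HTTP/1.1" 401 596 "-" "UA"
10.0.2.9 - bob [19/Nov/2015:16:23:01 +0000] "GET /v1/internal/ui/nodes?dc=kitchen&token= HTTP/1.1" 401 596 "-" "UA"
'''

def classify(log_text):
    """Return (addr, path, kind) per request; kind names the likely 401 source."""
    accepted, out = set(), []   # accepted: (addr, user) pairs seen with a 2xx/3xx
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        addr, user, status = m["addr"], m["user"], int(m["status"])
        if status != 401:
            kind = "non-401"
            if status < 400 and user != "-":
                accepted.add((addr, user))
        elif user == "-":
            kind = "proxy-challenge"   # request carried no credentials
        elif (addr, user) in accepted:
            kind = "backend-401"       # same credentials passed the proxy earlier
        else:
            kind = "unverified"        # wrong password or backend: cannot tell
        out.append((addr, m["uri"].split("?")[0], kind))
    return out

def credential_drops(events):
    """Pairs (backend path, next path) where a client lost its credentials."""
    last, drops = {}, []
    for addr, path, kind in events:
        prev = last.get(addr)
        if kind == "proxy-challenge" and prev and prev[1] == "backend-401":
            drops.append((prev[0], path))
        last[addr] = (path, kind)
    return drops
```

A Firefox-style sequence, where the request after the backend 401 still carries the user name and succeeds, produces no drop.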

Ginja changed the title from "NGINX proxy_pass - Re-Authentication" to "ACL Tab returns 401" on Nov 20, 2015

Ginja commented Nov 20, 2015

For anyone running into the same issue, I've got a workaround. It's basically using NGINX to step out in front of the /v1/acl/ location and intercept any 401 error and change it to 403.

  location /v1/acl/ {
    proxy_pass http://consul/v1/acl/;
    proxy_intercept_errors on;
    error_page 401 =403 /;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
  }


slackpad commented May 5, 2017

Closing this out as I don't think there's any work to do on the Consul side, other than #2370.

slackpad closed this as completed May 5, 2017

zopar commented Aug 20, 2019

Sorry, but I think this issue should be reopened.
#2370 is related to ACLs and tokens.
This issue is related to the 401 of the ACL page when you do not use ACLs.
As described by @Ginja, the 401 causes you to reinsert credentials every time you call the ACL page.
ACL should return a different code. I think the best is 200 for the webpage, and it should be the webpage that manages whether ACL is enabled or not and the related messages.
