Signin loop on admin panel through public url

Hi,

I’m having an issue connecting to my admin panel. It works perfectly using localhost from my container (CloudFront → AWS ALB → AWS EKS) in a port-forward (http://localhost:42280). However, I can’t go past the signin on the /blog/ghost URL. It keeps redirecting me to the same signin page.

I used the following env variable:

        - name: url
          value: http://example.com/blog

The admin URL is just the default one with /ghost/ at the end, so according to the doc I don’t have to set an admin__url environment variable in the container.

Here are the logs from the container:

[2023-03-14 15:11:32] INFO "GET /blog/" 200 156ms
[2023-03-14 15:11:33] INFO "GET /blog/assets/built/screen.css?v=97f3ff6d7f" 200 12ms
[2023-03-14 15:11:33] INFO "GET /blog/public/cards.min.css?v=97f3ff6d7f" 200 14ms
[2023-03-14 15:11:33] INFO "GET /blog/public/member-attribution.min.js?v=97f3ff6d7f" 200 2ms
[2023-03-14 15:11:33] INFO "GET /blog/assets/built/main.min.js?v=97f3ff6d7f" 200 5ms
[2023-03-14 15:11:33] INFO "GET /blog/public/cards.min.js?v=97f3ff6d7f" 200 1ms
[2023-03-14 15:11:38] INFO "GET /blog/ghost" 301 1ms
[2023-03-14 15:11:39] INFO "GET /blog/ghost/" 200 14ms
[2023-03-14 15:11:39] INFO "GET /blog/ghost/assets/chunk.143.c6802c882a911797ce4f.js" 200 25ms
[2023-03-14 15:11:39] INFO "GET /blog/ghost/assets/vendor-3e6947aa681f0fb82b193090e520dc73.css" 200 55ms
[2023-03-14 15:11:39] INFO "GET /blog/ghost/assets/videos/logo-loader.mp4" 206 48ms
[2023-03-14 15:11:39] INFO "GET /blog/ghost/assets/ghost-a9307c9cfe26a4bc621e02cd3bae421a.css" 200 156ms
[2023-03-14 15:11:39] INFO "GET /blog/ghost/assets/ghost-35103ff053c43f1dfa7f35821c3c2412.js" 200 351ms
[2023-03-14 15:11:39] INFO "GET /blog/ghost/assets/vendor-b982e3bf1020bff77b2a3c44d5f59e55.js" 200 448ms
[2023-03-14 15:11:39] INFO "GET /blog/ghost/assets/chunk.220.9ca2950240aba3fced21.js" 200 454ms
[2023-03-14 15:11:40] ERROR "GET /blog/ghost/api/admin/users/me/?include=roles" 403 2ms


Authorization failed


"Unable to determine the authenticated user or integration. Check that cookies are being passed through if using session authentication."

Error ID:
    859c3900-c27a-11ed-b751-27f6603ea215

----------------------------------------

NoPermissionError: Authorization failed
    at authorizeAdminApi (/var/lib/ghost/versions/5.38.0/core/server/services/auth/authorize.js:33:25)
    at Layer.handle [as handle_request] (/var/lib/ghost/versions/5.38.0/node_modules/express/lib/router/layer.js:95:5)
    at next (/var/lib/ghost/versions/5.38.0/node_modules/express/lib/router/route.js:144:13)
    at authenticate (/var/lib/ghost/versions/5.38.0/core/server/services/auth/session/middleware.js:28:13)
    at runMicrotasks (<anonymous>)
    at processTicksAndRejections (node:internal/process/task_queues:96:5)

[2023-03-14 15:11:40] INFO "GET /blog/ghost/assets/img/favicon-a9c6dbdcdc3ae568f4e0dad92149a0e3.ico" 200 2ms
[2023-03-14 15:11:40] INFO "GET /blog/ghost/api/admin/site/" 200 2ms
[2023-03-14 15:11:41] INFO "GET /blog/ghost/api/admin/site/" 200 2ms
[2023-03-14 15:11:41] INFO "GET /blog/ghost/api/admin/authentication/setup/" 200 20ms
[2023-03-14 15:11:41] INFO "GET /blog/ghost/assets/fonts/Inter-e19174fb2c0e19b1fa67492a07886c75.ttf" 200 70ms
[2023-03-14 15:11:54] INFO "POST /blog/ghost/api/admin/session" 201 548ms
[2023-03-14 15:11:54] INFO "DELETE /blog/ghost/api/admin/session" 204 15ms
[2023-03-14 15:11:54] ERROR "GET /blog/ghost/api/admin/config/" 403 5ms

Authorization failed

"Unable to determine the authenticated user or integration. Check that cookies are being passed through if using session authentication."

Error ID:
    8e53f920-c27a-11ed-b751-27f6603ea215

----------------------------------------

NoPermissionError: Authorization failed
    at authorizeAdminApi (/var/lib/ghost/versions/5.38.0/core/server/services/auth/authorize.js:33:25)
    at Layer.handle [as handle_request] (/var/lib/ghost/versions/5.38.0/node_modules/express/lib/router/layer.js:95:5)
    at next (/var/lib/ghost/versions/5.38.0/node_modules/express/lib/router/route.js:144:13)
    at authenticate (/var/lib/ghost/versions/5.38.0/core/server/services/auth/session/middleware.js:28:13)

[2023-03-14 15:11:54] ERROR "GET /blog/ghost/api/admin/settings/?group=site%2Ctheme%2Cprivate%2Cmembers%2Cportal%2Cnewsletter%2Cemail%2Camp%2Clabs%2Cslack%2Cunsplash%2Cviews%2Cfirstpromoter%2Ceditor%2Ccomments%2Canalytics" 403 7ms

Authorization failed

"Unable to determine the authenticated user or integration. Check that cookies are being passed through if using session authentication."

Error ID:
    8e557fc0-c27a-11ed-b751-27f6603ea215

----------------------------------------

NoPermissionError: Authorization failed
    at authorizeAdminApi (/var/lib/ghost/versions/5.38.0/core/server/services/auth/authorize.js:33:25)
    at Layer.handle [as handle_request] (/var/lib/ghost/versions/5.38.0/node_modules/express/lib/router/layer.js:95:5)
    at next (/var/lib/ghost/versions/5.38.0/node_modules/express/lib/router/route.js:144:13)
    at authenticate (/var/lib/ghost/versions/5.38.0/core/server/services/auth/session/middleware.js:28:13)
[2023-03-14 15:11:54] INFO "GET /blog/ghost/" 200 9ms
[2023-03-14 15:11:55] INFO "GET /blog/ghost/api/admin/site/" 200 1ms
[2023-03-14 15:11:55] INFO "GET /blog/ghost/api/admin/site/" 200 2ms
[2023-03-14 15:11:55] INFO "GET /blog/ghost/api/admin/authentication/setup/" 200 8ms

The error message "Unable to determine the authenticated user or integration. Check that cookies are being passed through if using session authentication." was also present using the localhost connection but did not impact the access to the admin panel.

Did someone have a similar issue and manage to fix it?

Thanks!

It seems my CloudFront configuration was at fault, on the specific behaviour related to the blog* path. Adding a Response Header Policy with a custom header CloudFront-Forwarded-Proto set to https did fix the issue.
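
A triage check for the pattern visible in the logs above, added here as an example and not code from any poster or from Ghost: it flags a session that is created (POST .../session returns 201) and then followed within a few seconds by 403s on the admin API, which is what a session cookie lost between browser and origin looks like. The function names and the 5-second window are assumptions; the sample lines are copied from the log excerpt in the first post.

```javascript
// Added example: detect the "sign-in loop" signature in Ghost request logs.
// Sample lines are copied from the log excerpt posted in this thread.
const SAMPLE_LOG = `
[2023-03-14 15:11:41] INFO "GET /blog/ghost/api/admin/authentication/setup/" 200 20ms
[2023-03-14 15:11:54] INFO "POST /blog/ghost/api/admin/session" 201 548ms
[2023-03-14 15:11:54] INFO "DELETE /blog/ghost/api/admin/session" 204 15ms
[2023-03-14 15:11:54] ERROR "GET /blog/ghost/api/admin/config/" 403 5ms
NoPermissionError: Authorization failed
[2023-03-14 15:11:54] INFO "GET /blog/ghost/" 200 9ms
`;

// [date time] LEVEL "METHOD path" status NNms
const LINE_RE =
  /^\[(\d{4}-\d{2}-\d{2}) (\d{2}:\d{2}:\d{2})\] (\w+) "(\w+) (\S+)" (\d{3}) (\d+)ms$/;

function parseLine(line) {
  const m = LINE_RE.exec(line.trim());
  if (!m) return null; // stack traces, error text and blank lines are skipped
  return {
    // The log carries no timezone; UTC is assumed, only differences matter.
    time: Date.parse(`${m[1]}T${m[2]}Z`),
    method: m[4],
    path: m[5].split('?')[0], // drop the query string
    status: Number(m[6]),
  };
}

// windowSeconds is an assumed threshold for this example, not a Ghost setting.
function findSigninLoops(logText, windowSeconds = 5) {
  const entries = logText.split('\n').map(parseLine).filter(Boolean);
  const findings = [];
  entries.forEach((e, i) => {
    const isLogin = e.method === 'POST' && e.status === 201 &&
      e.path.endsWith('/ghost/api/admin/session');
    if (!isLogin) return;
    // Admin API calls rejected right after a successful login.
    const denied = entries.slice(i + 1).filter((n) =>
      n.status === 403 && n.path.includes('/ghost/api/admin/') &&
      n.time - e.time <= windowSeconds * 1000);
    if (denied.length > 0) {
      findings.push({
        loginAt: new Date(e.time).toISOString(),
        deniedPaths: denied.map((d) => d.path),
      });
    }
  });
  return findings;
}

console.log(JSON.stringify(findSigninLoops(SAMPLE_LOG), null, 2));
```

A finding means the login itself succeeded, so the place to look is whatever sits between the browser and Ghost (here the CloudFront behaviour for the blog path) rather than the credentials.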

I’m also stuck on this. Can you share the full CloudFront configuration?