Cannot manage instances via domain that is using Cloudflare

  • Last Post 19 August 2019
  • Topic Is Solved
TMAC_Kratos posted this 01 August 2019

Good Afternoon,

OS Name/Version: Microsoft Windows 10 / 1803

Product Name/Version: AMP / 1.8.3.2

Problem Description: Using Cloudflare as my DNS service, however when their HTTP proxy is enabled on the domain pointing to the IP where AMP is located it allows me to log in, however will not allow me to manage my instances. Gives me the following error when logging in:

[18:56:17] [GSMyAdmin:kratos Activity] : Authentication success
[18:56:18] [GSMyAdmin Warning]    : xxx.xxx.x.x tried to use session ID ce42fc10-cd48-4adb-a671-51d79a66d79a - but that session belongs to xxx.xxx.x.x
[18:56:18] [GSMyAdmin Warning]    : xxx.xxx.x.x tried to use session ID ce42fc10-cd48-4adb-a671-51d79a66d79a - but that session belongs to xxx.xxx.x.x
[18:56:18] [GSMyAdmin:Anonymous Warning] : Access denied: You do not have permission to use this method (WebMethods.GetInstances) at this time. This method requires the Session.Exists permission. (Origin: xxx.xxx.x.x)

Actions taken to resolve so far:

I have attempted to find information on how to properly set up AMP with a proxy and cannot find any information. In a luck of hope I tried setting up that I was using a reverse proxy within the conf files, but still no luck.

Mostly just need further detail on how to set up AMP to use Cloudflare. Thank you.

Mike posted this 02 August 2019

Did you run the AMP setup wizard in ADS before or after setting up the reverse proxy?

TMAC_Kratos posted this 02 August 2019

I did set up ADS before getting Cloudflare. This was a more recent setup I've been trying.

Mike posted this 02 August 2019

You need to do it the other way around, or ADS won't know what its domain is and all of the configuration will be wrong.

TMAC_Kratos posted this 02 August 2019

So I got it to pass the domain to ADS by a reinstall. However, I had to disable the HTTP proxy just for it to allow ADS to start the setup. The domain works successfully without the HTTP proxy enabled. When I re-enable the HTTP proxy I still get the session must exist error. I tried setting the setting in ADS that says I was using a reverse proxy, but still no luck.

Mike posted this 05 August 2019

Did you remove the instances first? If not, they still all have bad configurations.

TMAC_Kratos posted this 06 August 2019

Yes, that's actually what I meant by a reinstall. I did a full reinstall of AMP. Could very well be that I'm setting the reverse proxy settings wrong within AMP.

Mike posted this 06 August 2019

The reverse proxy settings don't really affect much. The important thing is that the auth server URL is valid and that the instances can use that URL to reach ADS.

TMAC_Kratos posted this 06 August 2019

In that case I'm at a complete loss. Literally, I purge all cache from Cloudflare and empty my browser cache, and when I log in I just get that session must exist. Here is a picture of what AMP looks like when I open it in the browser with this issue. This is on another fresh install and the setup wizard does not start.

https://imgur.com/a/c1QY5of

Mike posted this 06 August 2019

Remove the ADSModule.kvp file and restart the instance.

TMAC_Kratos posted this 06 August 2019

Once in a while, after restarting a few times, I can get the setup to start (deleting that file had no effect), but it's almost like the times I do manage to get the setup to start, it then auto logs me back out to the login screen.

TMAC_Kratos posted this 06 August 2019

Managed to also get a new error to pop up during the login process other than the session.exist error. If I do click remember me it ends up stating the token is rejected for the user. This is after deleting that file and restarting the instance.

TMAC_Kratos posted this 17 August 2019

Bump.....

Mike posted this 17 August 2019

Dropping in the details of the error would be helpful :)

TMAC_Kratos posted this 18 August 2019

Still the exact same error with the session must exist, and once in a while token rejected, as stated above. I currently have the domain proxy disabled and have it set up, but that exposes my IP. As stated before as well, since the proxy is disabled in Cloudflare I was able to get the setup to run, so the authentication settings are correct, already pointing to the domain. Any time I re-enable the HTTP proxy it runs into the same errors and I cannot use the web interface.

Mike posted this 18 August 2019

Does the URL that's used for the auth server remain valid? The issue is that the individual instances themselves need to be able to communicate with ADS in order to authenticate. This is why ideally you should set up any reverse proxies before running the first-time setup.

TMAC_Kratos posted this 18 August 2019

Yes, the URL remains valid. The problem is that when I have the proxy running it sends me back to the login before I can even select any options in the setup, if the setup runs at all. Most of the time, though, the setup won't start at all when the proxy is active.

Mike posted this 18 August 2019

You need to be much more specific when you say the setup won't start. What actually happens instead then? At what point are you being sent back to the login?

TMAC_Kratos posted this 18 August 2019

That's the thing: most of the time it immediately logs me out, which is why I can't select any options in the setup. Before I can click one setting when the setup pops up, it logs me out automatically.

Mike posted this 19 August 2019

Add this line to AMPConfig.conf:

Login.AllowInsecureMatching=True

And see if that lets the setup run.

TMAC_Kratos posted this 19 August 2019

It did allow the setup to run and everything. I'm assuming it's a bad idea to keep allowing insecure matching?

When I reset it to false I get the same session exists error even after the setup is complete.

If it's not a big deal to keep it as true then the issue is pretty much fixed.

Mike posted this 19 August 2019

What insecure matching does is not insist that sessions persist their IP address between requests. It's not necessarily a bad thing, but the default protects against certain types of session stealing on insecure networks. My guess is that Cloudflare is using a different source IP for each request, which confuses AMP.
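
A model of the session-to-IP check described in the reply above, added here as an illustration (it is not AMP's code and not part of the original thread). It compares strict matching on the raw peer address, matching switched off as with `Login.AllowInsecureMatching=True`, and strict matching on the client address taken from Cloudflare's `CF-Connecting-IP` header when the peer is a trusted proxy. `SessionStore`, `client_ip`, `replay` and all addresses are hypothetical or constructed, and the thread does not say whether AMP supports the third mode.

```python
import ipaddress
import uuid

# Constructed values: documentation-range addresses stand in for the proxy's
# egress range, the real client, and an unrelated host.
TRUSTED_PROXIES = [ipaddress.ip_network("198.51.100.0/24")]
CLIENT, OTHER = "203.0.113.7", "192.0.2.99"


def client_ip(peer, headers, trust_proxy):
    """Return the address a session should be bound to.

    The forwarded header is honoured only when the TCP peer is a trusted
    proxy; from any other peer it is attacker-controlled input."""
    if trust_proxy and any(ipaddress.ip_address(peer) in n for n in TRUSTED_PROXIES):
        return headers.get("CF-Connecting-IP", peer)
    return peer


class SessionStore:
    def __init__(self, insecure_matching=False, trust_proxy=False):
        self.insecure_matching = insecure_matching
        self.trust_proxy = trust_proxy
        self.sessions = {}  # session id -> address bound at login

    def login(self, peer, headers):
        sid = str(uuid.uuid4())
        self.sessions[sid] = client_ip(peer, headers, self.trust_proxy)
        return sid

    def check(self, sid, peer, headers):
        bound = self.sessions.get(sid)
        if bound is None:
            return False
        if self.insecure_matching:
            return True  # the session id alone is accepted
        return bound == client_ip(peer, headers, self.trust_proxy)


def replay(store):
    """Log in through one proxy egress IP, reuse the session through another,
    then present the same session id from an unrelated host."""
    hdr = {"CF-Connecting-IP": CLIENT}
    sid = store.login("198.51.100.10", hdr)
    same_user = store.check(sid, "198.51.100.23", hdr)
    other_host = store.check(sid, OTHER, hdr)  # direct connection, copied header
    return same_user, other_host
```

`replay` returns `(same_user_accepted, other_host_accepted)`: strict matching on the peer address rejects both, insecure matching accepts both, and trusted-proxy resolution accepts the user while still rejecting the other host.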

TMAC_Kratos posted this 19 August 2019

Thank you for getting this solved for me.
