[Support]: EKS nginx ingress with multiple servers getting No valid authentication in request
liormaran opened this issue · 0 comments
OAuth2-Proxy Version
7.6.0
Provider
adfs
Current Behaviour of your Problem
We have an EKS cluster running with nginx controller 1.10 with several different ingresses. We want to introduce oauth2_proxy to authenticate our users when they access one of the ingresses but then let them pass to all the others with the same session.
Currently we made it to work on one application but as soon as this application tries to connect to another on the backend, we get a 401 from oauth2 with "No valid authentication in request. Access Denied."
Both connections (to application A and B) are being handled by the browser, althought the second one is in the background.
What we see on the browser side is that when the connection gets established to application B we don't have any session cookie in the headers.
Thanks in advance!
Configuration details or additional information
These are the config files.
oauth2.cfg:
acr_values = ""
allow_query_semicolons = false
approval_prompt = "force"
client_id = sdfsfsdf
client_secret = dfsfsfd
cookie_name = "_oauth2_proxy_xxxxx"
cookie_secret = fsdfssdfs
cookie_domains = [ ".{{ .Values.zone }}", "oauth2-proxy.ingress.svc.cluster.local" ]
cookie_expire = "8h"
cookie_refresh = "0"
cookie_secure = false # new was true
cookie_httponly = true
cookie_samesite = "lax" # cross site validation
code_challenge_method = "S256"
email_domains = {{ toJson .Values.emailDomains }}
encode_state = false
banner = "-"
footer = "-"
force_json_errors = true
flush_interval = "1s"
insecure_oidc_allow_unverified_email = false
insecure_oidc_skip_issuer_verification = false
insecure_oidc_skip_nonce = true
oidc_issuer_url = "https://oauth.id.jumpcloud.com/"
oidc_email_claim = "email"
oidc_groups_claim = "groups"
oidc_audience_claims = ["aud"]
oidc_extra_audiences = []
prefer_email_to_user = false
use_system_trust_store = false
skip_claims_from_profile_url = false
pass_access_token = true # new was false
pass_authorization_header = true # new was false
pass_user_headers = true # new
pass_host_header = true # new
prompt = ""
provider = "oidc"
ping_path = "/ping"
ping_user_agent = ""
ready_path = "/ready"
proxy_prefix = "/"
proxy_websockets = true
real_client_ip_header = "X-Real-IP"
redirect_url = "https://auth.{{ .Values.zone }}/callback"
silence_ping_logging = true
logging_local_time = false
auth_logging = true
request_logging = true
standard_logging = true
reverse_proxy = true
# allowed_groups = ["*"]
scope = "openid email" # groups
session_cookie_minimal = false # new was true
session_store_type = "redis" # new was "cookie"
redis_connection_url = "redis://redis-server:6379/7"
set_xauthrequest = false # new
set_authorization_header = false # new
set_basic_auth = false
skip_auth_preflight = false
skip_jwt_bearer_tokens = false
skip_auth_strip_headers = true
skip_oidc_discovery = false
skip_provider_button = true
show_debug_on_error = false
ssl_insecure_skip_verify = false
ssl_upstream_insecure_skip_verify = false
tls_min_version = "TLS1.2"
upstreams = ["static://202"]
upstream_timeout = "30s"
whitelist_domains = [ ".{{ .Values.zone }}"]
auth nginx:
## start server auth.stage.outfittery.io
server {
server_name auth.stage.xxxxx.io ;
http2 on;
listen 80 proxy_protocol ;
listen [::]:80 proxy_protocol ;
listen 443 proxy_protocol ssl;
listen [::]:443 proxy_protocol ssl;
set $proxy_upstream_name "-";
ssl_certificate_by_lua_block {
certificate.call()
}
# Custom code snippet configured for host auth.stage.xxxxx.io
## Allow preflight requests (with origin set) to go through unauthenticated
set $PF "";
if ($request_method = 'OPTIONS') {
set $PF O;
}
if ($http_origin) {
set $PF "${PF}O";
}
if ($PF = OO) {
return 204;
}
location / {
set $namespace "ingress";
set $ingress_name "oauth2-proxy";
set $service_name "oauth2-proxy";
set $service_port "80";
set $location_path "/";
set $global_rate_limit_exceeding n;
rewrite_by_lua_block {
lua_ingress.rewrite({
force_ssl_redirect = false,
ssl_redirect = true,
force_no_ssl_redirect = false,
preserve_trailing_slash = false,
use_port_in_redirects = false,
global_throttle = { namespace = "", limit = 0, window_size = 0, key = { }, ignored_cidrs = { } },
})
balancer.rewrite()
plugins.run()
}
# be careful with `access_by_lua_block` and `satisfy any` directives as satisfy any
# will always succeed when there's `access_by_lua_block` that does not have any lua code doing `ngx.exit(ngx.DECLINED)`
# other authentication method such as basic auth or external auth useless - all requests will be allowed.
#access_by_lua_block {
#}
header_filter_by_lua_block {
lua_ingress.header()
plugins.run()
}
body_filter_by_lua_block {
plugins.run()
}
log_by_lua_block {
balancer.log()
monitor.call()
plugins.run()
}
port_in_redirect off;
set $balancer_ewma_score -1;
set $proxy_upstream_name "ingress-oauth2-proxy-80";
set $proxy_host $proxy_upstream_name;
set $pass_access_scheme $scheme;
set $pass_server_port $proxy_protocol_server_port;
set $best_http_host $http_host;
set $pass_port $pass_server_port;
set $proxy_alternative_upstream_name "";
client_max_body_size 1m;
proxy_set_header Host $best_http_host;
# Pass the extracted client certificate to the backend
# Allow websocket connections
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
proxy_set_header X-Request-ID $req_id;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $full_x_forwarded_for;
proxy_set_header X-Forwarded-Host $best_http_host;
proxy_set_header X-Forwarded-Port $pass_port;
proxy_set_header X-Forwarded-Proto $pass_access_scheme;
proxy_set_header X-Forwarded-Scheme $pass_access_scheme;
proxy_set_header X-Original-URI $request_uri;
proxy_set_header X-Scheme $pass_access_scheme;
# Pass the original X-Forwarded-For
proxy_set_header X-Original-Forwarded-For $http_x_forwarded_for;
# mitigate HTTPoxy Vulnerability
# https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/
proxy_set_header Proxy "";
# Custom headers to proxied server
proxy_connect_timeout 5s;
proxy_send_timeout 60s;
proxy_read_timeout 60s;
proxy_buffering off;
proxy_buffer_size 4k;
proxy_buffers 4 4k;
proxy_max_temp_file_size 1024m;
proxy_request_buffering on;
proxy_http_version 1.1;
proxy_cookie_domain off;
proxy_cookie_path off;
# In case of errors try the next upstream server before returning an error
proxy_next_upstream error timeout;
proxy_next_upstream_timeout 0;
proxy_next_upstream_tries 3;
# Custom code snippet configured in the configuration configmap
opentracing_propagate_context;
proxy_pass http://upstream_balancer;
proxy_redirect off;
}
}
EKS ingress config, both have several config:
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: ps-app-logmein
annotations:
nginx.ingress.kubernetes.io/auth-signin: https://auth.stage.xxxxxxx.io/start?rd=https:%2F%2F$host$escaped_request_uri
nginx.ingress.kubernetes.io/auth-url: http://oauth2-proxy.ingress.svc.cluster.local/auth
nginx.ingress.kubernetes.io/auth-cache-key: '__Secure-LWIzAmNZX4odLxjLaY8NoghOE2ubKnje'
nginx.ingress.kubernetes.io/auth-cache-duration: "202 401 3s"
nginx.ingress.kubernetes.io/server-snippet: |
add_header X-Cache-Status $upstream_cache_status always;
ingress.kubernetes.io/proxy-buffering: "on"
ingress.kubernetes.io/client-body-buffer-size: "12M"
ingress.kubernetes.io/client-max-body-size: "12M"
ingress.kubernetes.io/proxy-buffer-size: "12M"
ingress.kubernetes.io/proxy-buffers-number: "8"
ingress.kubernetes.io/proxy-body-size: "8M"
nginx.ingress.kubernetes.io/limit-connections: "100"
nginx.ingress.kubernetes.io/limit-rps: "100"
nginx.ingress.kubernetes.io/enable-cors: "true"
nginx.ingress.kubernetes.io/cors-allow-origin: "*"
spec:
ingressClassName: private
tls:
- hosts:
- A.stage.xxxxxxx.io
rules:
- host: A.stage.xxxxx.io
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: ps-app-logmein
port:
number: 80
Steps To Reproduce
No response