external-auth with oauth2-proxy stopped working #1429

Closed
krogon-dp opened this issue Sep 27, 2017 · 8 comments · Fixed by #1435

Comments

@krogon-dp

The change introduced with #1189 in version nginx 0.9-beta.12 breaks the oauth2-proxy external authentication feature (https://github.com/kubernetes/ingress/tree/master/examples/auth/external-auth/nginx).

After successful authorization, OAuth2-proxy redirects to the login page again. Details are in the issue below from their project: bitly/oauth2_proxy#456

@aledbf
Member

aledbf commented Sep 28, 2017

@krogon-dp please test quay.io/aledbf/nginx-ingress-controller:0.236

@fengmao

fengmao commented Sep 29, 2017

Same problem here, and quay.io/aledbf/nginx-ingress-controller:0.236 fails with the error: unknown flag: --nginx-configmap

@aledbf
Member

aledbf commented Sep 29, 2017

@fengmao that flag is deprecated. Please use --configmap

@fengmao

fengmao commented Sep 29, 2017

I use helm; it seems I need to change helm's nginx-ingress template file, thanks

@fengmao

fengmao commented Sep 30, 2017

@aledbf I changed the image to quay.io/aledbf/nginx-ingress-controller:0.236 and fixed nginx-configmap with --configmap, but I get this error:

-------------------------------------------------------------------------------
W0930 00:51:45.916212      13 queue.go:113] requeuing default/oauth2-proxy, err
-------------------------------------------------------------------------------
Error: exit status 1
2017/09/30 00:51:45 [emerg] 49#49: unknown "location" variable
nginx: [emerg] unknown "location" variable
nginx: configuration file /tmp/nginx-cfg456472324 test failed

-------------------------------------------------------------------------------

@kinghrothgar
Contributor

I am currently having this issue using quay.io/kubernetes-ingress-controller/nginx-ingress-controller:0.10.1 and an image using the latest release of oauth2_proxy (v2.2).

My ingress annotations for the service I am trying to auth:

    nginx.ingress.kubernetes.io/auth-signin: https://hello.levenlabs.com/oauth2/sign_in
    nginx.ingress.kubernetes.io/auth-url: http://hello-oauth2-proxy.production.svc.cluster.local:4180/oauth2/auth

I tried to follow the conversation here bitly/oauth2_proxy#456, but all the oauth2_proxy PRs I can find connected to this issue (of which there are many...) are either closed or still open. Any pointers on how to fix this issue?

@aledbf
Member

aledbf commented Jan 24, 2018

@kinghrothgar this works fine if the auth-signin and auth-url are on the same host as the ingress rule.

@kinghrothgar
Contributor

That's the first thing I tried. That is broken because ingress-nginx tries to use an IPv6 address which doesn't work on GCE:

72.196.96.97 - [72.196.96.97] - - [25/Jan/2018:00:01:51 +0000] "GET / HTTP/1.1" 403 0 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.132 Safari/537.36" 0 0.065 [external-authentication] 104.27.183.226:443 0 0.064 403
72.196.96.97 - [72.196.96.97] - - [25/Jan/2018:00:01:51 +0000] "GET / HTTP/1.1" 403 197 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.132 Safari/537.36" 751 0.065 [external-authentication] - - - -
2018/01/25 00:01:51 [error] 62#62: *3558 connect() to [2400:cb00:2048:1::681b:b6e2]:443 failed (101: Network is unreachable) while connecting to upstream, client: 72.196.96.97, server: hello.levenlabs.com, request: "GET /favicon.ico HTTP/1.1", subrequest: "/_external-auth-Lw", upstream: "https://[2400:cb00:2048:1::681b:b6e2]:443/oauth2/auth", host: "hello.levenlabs.com", referrer: "https://hello.levenlabs.com/"
2018/01/25 00:01:51 [warn] 62#62: *3558 upstream server temporarily disabled while connecting to upstream, client: 72.196.96.97, server: hello.levenlabs.com, request: "GET /favicon.ico HTTP/1.1", subrequest: "/_external-auth-Lw", upstream: "https://[2400:cb00:2048:1::681b:b6e2]:443/oauth2/auth", host: "hello.levenlabs.com", referrer: "https://hello.levenlabs.com/"
72.196.96.97 - [72.196.96.97] - - [25/Jan/2018:00:01:51 +0000] "GET /favicon.ico HTTP/1.1" 403 0 "https://hello.levenlabs.com/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.132 Safari/537.36" 0 0.073 [external-authentication] [2400:cb00:2048:1::681b:b6e2]:443, 104.27.182.226:443 0, 0 0.000, 0.073 502, 403
72.196.96.97 - [72.196.96.97] - - [25/Jan/2018:00:01:51 +0000] "GET /favicon.ico HTTP/1.1" 403 197 "https://hello.levenlabs.com/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.132 Safari/537.36" 697 0.073 [external-authentication] - - - -
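
Added example, not part of the original thread or of ingress-nginx: a triage script for the failure shown in the last comment, where the external-auth subrequest cannot connect to an IPv6 upstream and the request ends in a 403. The log lines are constructed in the error-log format quoted above; the function names, the addresses and app.example.com are assumptions.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sample in the nginx error-log format quoted in the thread.
# Addresses are documentation ranges and app.example.com is a placeholder.
SAMPLE_LOG = """\
2018/01/25 00:01:51 [error] 62#62: *3558 connect() to [2001:db8::10]:443 failed (101: Network is unreachable) while connecting to upstream, client: 192.0.2.7, server: app.example.com, request: "GET /favicon.ico HTTP/1.1", subrequest: "/_external-auth-Lw", upstream: "https://[2001:db8::10]:443/oauth2/auth", host: "app.example.com"
2018/01/25 00:01:51 [warn] 62#62: *3558 upstream server temporarily disabled while connecting to upstream, client: 192.0.2.7, server: app.example.com, request: "GET /favicon.ico HTTP/1.1", subrequest: "/_external-auth-Lw", upstream: "https://[2001:db8::10]:443/oauth2/auth", host: "app.example.com"
2018/01/25 00:02:10 [error] 62#62: *3601 connect() to 198.51.100.4:8080 failed (111: Connection refused) while connecting to upstream, client: 192.0.2.7, server: app.example.com, request: "GET /api HTTP/1.1", upstream: "http://198.51.100.4:8080/api", host: "app.example.com"
2018/01/25 00:03:02 [error] 62#62: *3650 connect() to 198.51.100.9:4180 failed (111: Connection refused) while connecting to upstream, client: 192.0.2.7, server: app.example.com, request: "GET / HTTP/1.1", subrequest: "/_external-auth-Lw", upstream: "http://198.51.100.9:4180/oauth2/auth", host: "app.example.com"
"""

AUTH_PREFIX = "/_external-auth-"  # subrequest name prefix seen in the thread's log
CONNECT_FAIL = re.compile(r"\[error\].*? connect\(\) to \S+ failed \((\d+): ([^)]*)\)")

def quoted_field(line, name):
    """Return the value of a `name: "value"` pair from an nginx error line."""
    m = re.search(r"\b" + re.escape(name) + r': "([^"]*)"', line)
    return m.group(1) if m else None

def auth_connect_failures(log_text):
    """Collect connect() failures that happened inside an external-auth subrequest."""
    findings = []
    for line in log_text.splitlines():
        fail = CONNECT_FAIL.search(line)
        sub = quoted_field(line, "subrequest")
        upstream = quoted_field(line, "upstream")
        if not (fail and sub and upstream and sub.startswith(AUTH_PREFIX)):
            continue  # warnings and failures of ordinary backends are skipped
        try:  # hostname drops the brackets around an IPv6 literal
            ip_version = ipaddress.ip_address(urlsplit(upstream).hostname).version
        except ValueError:
            ip_version = None  # upstream logged as a name or malformed
        errno = int(fail.group(1))
        findings.append({
            "host": quoted_field(line, "host"),
            "auth_upstream": upstream,
            "errno": errno,
            "reason": fail.group(2),
            # errno 101 (ENETUNREACH) to an IPv6 literal: no IPv6 route from the pod
            "ipv6_unreachable": ip_version == 6 and errno == 101,
        })
    return findings

if __name__ == "__main__":
    for finding in auth_connect_failures(SAMPLE_LOG):
        print(finding)
```

A finding with `ipv6_unreachable` set matches the situation in the comment above: the auth URL resolved to an AAAA record that the controller could not route to.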
