
Comments (6)

ploxiln commented on June 1, 2024

Most arbitrary headers are passed through. Content-Length is handled specially by the Go http client which is used by the Go reverse proxy. Here's the relevant bit:
https://golang.org/src/net/http/transfer.go#L260

For a GET request, Content-Length: 0 is implied, and it considers it not needed.

from oauth2-proxy.
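The behaviour described in the comment above can be reproduced offline. This is an added example, not code from the thread or from oauth2-proxy: it pushes body-less requests that carry an explicit `Content-Length: 0` through Go's `httputil.ReverseProxy` and inspects what would be written upstream. The upstream URL, the request path and the names `wireCapture` and `upstreamSeesContentLength` are assumptions made for the illustration.

```go
package main

import (
	"bytes"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"net/http/httputil"
	"net/url"
	"strings"
)

// wireCapture (hypothetical helper) stands in for the upstream connection: it
// records the exact bytes net/http would write to the backend and answers 200.
type wireCapture struct{ wire bytes.Buffer }

func (c *wireCapture) RoundTrip(r *http.Request) (*http.Response, error) {
	if err := r.Write(&c.wire); err != nil {
		return nil, err
	}
	return &http.Response{StatusCode: http.StatusOK, Header: http.Header{},
		Body: io.NopCloser(strings.NewReader("")), Request: r}, nil
}

// upstreamSeesContentLength sends a body-less request carrying an explicit
// "Content-Length: 0" through httputil.ReverseProxy and reports whether that
// header is still present in what the proxy writes upstream.
func upstreamSeesContentLength(method string) (bool, error) {
	target, _ := url.Parse("http://kibana.internal:5601") // constructed upstream
	capture := &wireCapture{}
	proxy := httputil.NewSingleHostReverseProxy(target)
	proxy.Transport = capture

	in := httptest.NewRequest(method, "/logs/app/kibana", nil) // constructed path
	in.Header.Set("Content-Length", "0")                       // what the client sent
	rec := httptest.NewRecorder()
	proxy.ServeHTTP(rec, in)
	if rec.Code != http.StatusOK {
		return false, fmt.Errorf("proxy returned %d", rec.Code)
	}
	sent := strings.ToLower(capture.wire.String())
	return strings.Contains(sent, "\r\ncontent-length:"), nil
}

func main() {
	for _, m := range []string{"GET", "HEAD", "POST", "PUT"} {
		seen, err := upstreamSeesContentLength(m)
		fmt.Printf("%-4s upstream sees Content-Length: %v (err=%v)\n", m, seen, err)
	}
}
```

The header set on the incoming request is ignored when the outbound request is serialized; whether `Content-Length` is written is decided from the method and the body length alone.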

artyomtkachenko commented on June 1, 2024

I am facing exactly the same issue with Kibana. @Ghazgkull have you found any workaround for it?
--skip-auth-regex trick works fine for me, but I am looking for something more secure.


Ghazgkull commented on June 1, 2024

@artyomtkachenko Yeah, since it sounds like oauth2_proxy isn't usable as an actual proxy, I've gone the route of setting up a simple nginx deployment/service/configmap which I use as the proxy in front of Kibana. oauth2_proxy is then configured only to perform authentication for the nginx service using the auth-request module as explained in the README.md of this repo.

It's working fine and now I'm just going through the process of figuring out how to package the pieces for reuse. I'm currently consuming oauth2_proxy via the stable helm chart. So I'm thinking I might be able to package everything up as a new chart which consumes the oauth2_proxy chart as a dependency (sub chart).

I'll post back here if I'm able to get such a thing packaged up. Totally new to helm though, so...


Ghazgkull commented on June 1, 2024

@artyomtkachenko In case it helps, here's where I'm at with my nginx.yaml. Notice that a couple parts are hard-coded to my setup currently. I'm running Kibana behind an istio gateway under the /logs route, which is why you'll see that path segment in the URLs. And the hostnames are specific to my k8s service names:

---
apiVersion: v1
kind: Service
metadata:
  name: nginx-auth-proxy
  labels:
    app: nginx-auth-proxy
spec:
  type: ClusterIP
  ports:
    - port: 80
      targetPort: http
      protocol: TCP
      name: http
  selector:
    app: nginx-auth-proxy

---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-auth-proxy
  labels:
    app: nginx-auth-proxy
spec:
  replicas: 1
  selector:
    matchLabels:
      app: nginx-auth-proxy
  template:
    metadata:
      labels:
        app: nginx-auth-proxy
    spec:
      containers:
        - name: nginx-auth-proxy
          image: nginx
          imagePullPolicy: IfNotPresent
          volumeMounts:
            - name: auth-proxy-config
              mountPath: /etc/nginx/conf.d/default.conf
              subPath: auth-proxy.conf
          ports:
            - containerPort: 80
              name: http
              protocol: TCP
      volumes:
        - name: auth-proxy-config
          configMap:
            name: nginx-auth-proxy-config

---
apiVersion: v1
kind: ConfigMap
metadata:
  name: nginx-auth-proxy-config
data:
  auth-proxy.conf: |
    server {
      listen 80 default_server;
      server_name _;
      error_log /dev/stdout debug;
      access_log /dev/stdout;

      location /logs/oauth2 {
        proxy_pass       http://oauth2-proxy;
        proxy_set_header Host                    $host;
        proxy_set_header X-Real-IP               $remote_addr;
        proxy_set_header X-Scheme                $scheme;
        proxy_set_header X-Auth-Request-Redirect $request_uri;
      }
      location = /logs/oauth2/auth {
        proxy_pass       http://oauth2-proxy;
        proxy_set_header Host             $host;
        proxy_set_header X-Real-IP        $remote_addr;
        proxy_set_header X-Scheme         $scheme;
        # nginx auth_request includes headers but not body
        proxy_set_header Content-Length   "";
        proxy_pass_request_body           off;
      }

      location /logs {
        auth_request /logs/oauth2/auth;
        error_page 401 = /logs/oauth2/sign_in;

        # pass information via X-User and X-Email headers to backend,
        # requires running with --set-xauthrequest flag
        auth_request_set $user   $upstream_http_x_auth_request_user;
        auth_request_set $email  $upstream_http_x_auth_request_email;
        proxy_set_header X-User  $user;
        proxy_set_header X-Email $email;

        # if you enabled --cookie-refresh, this is needed for it to work with auth_request
        auth_request_set $auth_cookie $upstream_http_set_cookie;
        add_header Set-Cookie $auth_cookie;

        proxy_pass http://kibana:443;
      }
    }


artyomtkachenko commented on June 1, 2024

Thank you very much for sharing your thoughts, @Ghazgkull.
I am planning to go the same way. I also found this blog post, where it was solved with an ingress object, but it is a bit different to the Istio approach.


github-actions commented on June 1, 2024

This issue has been inactive for 60 days. If the issue is still relevant please comment to re-activate the issue. If no action is taken within 7 days, the issue will be marked closed.
