Enabling oauth2-proxy authentication via auth_request directive fails due to proxy_pass before include directive in server.location blocks #2486

davidparks21 · 2024-06-25T19:23:54Z

davidparks21
Jun 25, 2024

Our Setup:

We have nginx-proxy configured and working in our environment, including letsencrypt SSL cert generation.
I now want to add authentication via oauth2-proxy service.
We have the oauth2-proxy service configured and working successfully.
The oauth2-proxy service is a virtual host under nginx-proxy called auth.braingeneers.gi.ucsc.edu.

We believe the best setup is to use the nginx auth_request directive to authorize requests through oauth2-proxy before proxying to the internal docker service.

However, when we define auth_request in /etc/nginx/vhost.d/default_location, it shows up in the server.location block after the dynamically generated proxy_pass directive, and is ignored. Here's what we see from nginx -T for a simple test web service whoami.

server {
    server_name whoami.braingeneers.gi.ucsc.edu;
    access_log /var/log/nginx/access.log vhost;
    http2 on;
    listen 443 ssl ;
    ssl_session_timeout 5m;
    ssl_session_cache shared:SSL:50m;
    ssl_session_tickets off;
    ssl_certificate /etc/nginx/certs/whoami.braingeneers.gi.ucsc.edu.crt;
    ssl_certificate_key /etc/nginx/certs/whoami.braingeneers.gi.ucsc.edu.key;
    ssl_dhparam /etc/nginx/certs/whoami.braingeneers.gi.ucsc.edu.dhparam.pem;
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/nginx/certs/whoami.braingeneers.gi.ucsc.edu.chain.pem;
    set $sts_header "";
    if ($https) {
        set $sts_header "max-age=31536000";
    }
    add_header Strict-Transport-Security $sts_header always;
    include /etc/nginx/vhost.d/default;
    location / {
        proxy_pass http://whoami.braingeneers.gi.ucsc.edu;
        set $upstream_keepalive false;
        include /etc/nginx/vhost.d/default_location;
    }
}

I notice that the include of default_location comes after proxy_pass, and when I configure this, no request is made to oauth2-proxy. I'm at least 80% certain that the proxy_pass directive is superseding the auth_request directive since nginx processes directives in order of appearance.

Are there any solutions here? Is there a way to reorder the dynamically generated location block perhaps?

Answered by SchoNie

Jun 26, 2024

I do not have experience with ngx_http_auth_request_module so maybe I am wrong but I read in the docs: Context: http, server, location
So would it be an idea to include it in the server directive instead of the location of your whoami vhost? That comes before location with the proxy_pass.
In the template that is: Line 872

You can do that per virtual host or as default

Are you getting any output from nginx? If something is wrong with the generated config it should alert on the console.
Try to start the container not detached but in foreground. Or fetch the logs sudo docker logs nginx-proxy

View full answer

davidparks21 · 2024-06-25T21:24:11Z

davidparks21
Jun 25, 2024
Author

I've also attempted to configure a two nginx-proxy solution where I have nginx-proxy-frontend terminate SSL and forward all traffic through oauth2-proxy and a nginx-proxy-backend that handles routing to services. But that encounters a similar issue - I can't find a way to override the server.location blocks to force the traffic through oauth2-proxy. /etc/nginx/vhost.d/default doesn't let me create a duplicate location block and /etc/nginx/vhost.d/default_location comes after the proxy_pass directive.

I've been playing with re-writing the https://github.com/nginx-proxy/nginx-proxy/blob/main/nginx.tmpl template to allow me to rewrite the server.location blocks, but nothing I tried passed the smell test.

0 replies

SchoNie · 2024-06-26T08:31:29Z

SchoNie
Jun 26, 2024

I do not have experience with ngx_http_auth_request_module so maybe I am wrong but I read in the docs: Context: http, server, location
So would it be an idea to include it in the server directive instead of the location of your whoami vhost? That comes before location with the proxy_pass.
In the template that is: Line 872

You can do that per virtual host or as default

Are you getting any output from nginx? If something is wrong with the generated config it should alert on the console.
Try to start the container not detached but in foreground. Or fetch the logs sudo docker logs nginx-proxy

1 reply

davidparks21 Jul 3, 2024
Author

Thanks for the reply @SchoNie , that was very helpful. I finally recognized that the auth_request directive can go in default and it will be processed correctly, making an auth check to oauth2 and redirecting on 401 response for forwarding on 20x response. There was a confounding issue that I incorrectly believed was related to order of processing directives in nginx. After resolving that I got it working successfully. Your response was very helpful in keeping me out of the rabbit holes.

dens-al · 2024-11-05T15:30:18Z

dens-al
Nov 5, 2024

I was implementing the same architecture and faced the same issue. My solution was to create default file with

  location /oauth2/ {
    proxy_pass       http://oauth2-proxy:4180;
    proxy_set_header Host                    $host;
    proxy_set_header X-Real-IP               $remote_addr;
    proxy_set_header X-Auth-Request-Redirect $request_uri;
    # or, if you are handling multiple domains:
    # proxy_set_header X-Auth-Request-Redirect $scheme://$host$request_uri;
  }
  location = /oauth2/auth {
    proxy_pass       http://oauth2-proxy:4180;
    proxy_set_header Host             $host;
    proxy_set_header X-Real-IP        $remote_addr;
    proxy_set_header X-Forwarded-Uri  $request_uri;
    # nginx auth_request includes headers but not body
    proxy_set_header Content-Length   "";
    proxy_pass_request_body           off;
  }

and default_location file with

auth_request /oauth2/auth;
error_page 401 =403 /oauth2/sign_in;

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Enabling oauth2-proxy authentication via auth_request directive fails due to proxy_pass before include directive in server.location blocks #2486

{{title}}

Replies: 3 comments 1 reply

{{title}}

{{editor}}'s edit

{{editor}}'s edit

{{title}}

{{title}}

{{editor}}'s edit

{{editor}}'s edit

{{title}}

Select a reply

Pfad - The Proxy pFad of © 2024 Garber Painting. All rights reserved.

Enabling oauth2-proxy authentication via auth_request directive fails due to proxy_pass before include directive in server.location blocks #2486

davidparks21 Jun 25, 2024

Replies: 3 comments · 1 reply

davidparks21 Jun 25, 2024 Author

SchoNie Jun 26, 2024

davidparks21 Jul 3, 2024 Author

dens-al Nov 5, 2024

Pfad - The Proxy pFad of © 2024 Garber Painting. All rights reserved.

davidparks21
Jun 25, 2024

Replies: 3 comments 1 reply

davidparks21
Jun 25, 2024
Author

SchoNie
Jun 26, 2024

davidparks21 Jul 3, 2024
Author

dens-al
Nov 5, 2024