# talk-oathkeeper
Hello everybody. I have an issue with the Oathkeeper reverse proxy and I do not know how to solve it. I want to set a web application behind Oathkeeper, and everything is set and working. However, when I deploy it with Nginx, I get some random 500 internal server errors. When I remove Oathkeeper everything is OK, and I do not know why. I am trying to set the Outlook mail server and I am using the 4456 port from Oathkeeper for authentication and authorization. It is not about the authentication or authorization process; I set them to noop and allow options. Is there anything else that I should set before deploying my application with Nginx? I would appreciate it if you could help me with this.
Could you help with the logs?
Hello. Could you please share oathkeeper’s logs? Also, it would be great to have some configuration files of your
. Consider removing any sensitive information.
thanks a lot.
of course
it seems everything is fine with oathkeeper
however when I am not using it everything is just fine
Hello. You have a typo in your access-rules under authenticators.
is correct way to write it. However, I assume there can be a bug somewhere else. Do you receive headers in your remote authorizer?
Anyway. I found that you send requests using these encodings:
"accept-encoding":"gzip, deflate, br"
I assume that there can be a small bug with oathkeeper that it does not handle gzip responses from authenticators/authorizers. As a solution you can disable gzip/deflate encodings and check it.
thank you so much. I will check it out and let you know about the result. Thanks again
🙌 1
@User Hi Andrew. I have tried to disable this option on Nginx when the request is redirected to Oathkeeper. However, I would get this parameter on my request headers. Is there any way to make sure that this header is disabled for the Oathkeeper service?
@User Hello. Does everything work fine with Nginx setup?
let me send you my Nginx config
```nginx
server {
    listen 443 ssl;
    ssl_certificate /etc/nginx/nginx.crt;
    ssl_certificate_key /etc/nginx/nginx.key;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
    ssl_ciphers HIGH;
    ssl_prefer_server_ciphers on;
    charset utf-8;
    server_name mail.iap.hamimco.ir;

    location / {
        gzip off;
        aio threads;
        auth_request /auth;
        #auth_request_set $auth_status $upstream_status;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $http_connection;
        proxy_set_header Authorization $http_authorization;
        add_header Access-Control-Allow-Origin "*";
        keepalive_timeout 70s;
        proxy_set_header Accept-Encoding "";
        proxy_http_version 1.1;
        proxy_pass https://upstream_server/;
        client_max_body_size 10240M;
        proxy_pass_header Server;
        proxy_redirect default;
        proxy_intercept_errors off;
    }

    location = /auth {
        gzip off;
        internal;
        aio threads;
        #client_max_body_size 2056M;
        #keepalive_timeout 70s;
        proxy_pass http://matching_url:4456/decisions/;
        # proxy_pass http://oathkeeper:4456/decisions/
        proxy_pass_request_body off;
        #proxy_http_version 1.1;
        proxy_set_header X-Original-URI $request_uri;
        proxy_set_header Content-Length "";
        #proxy_set_header X-Real-IP $remote_addr;
        #proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        #proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```
I mean that the best way to have oathkeeper with Nginx is to configure nginx+oathkeeper with subrequest authentication. In that case, proxying traffic lies on the nginx side while oathkeeper is used as a decision API.
I see
If the config file is not clear I can send you the file instead of pasting it here.
So you mean it is not a good way to use it for all the subrequests?
I built a couple of examples for nginx+oathkeeper setup. You can find them here and here. The difference between them is that the second example uses the hydrator mutator.
No. I mean that it’s the best way to use subrequest.
Let me check your examples to make it clear for myself. Thank you so much again.
Hi @User. It turns out I had to increase the buffer size on Nginx because some of the requests were too big to handle. Thank you so much for your help.
🙌 1