# talk-oathkeeper
s
Hello everybody. I have an issue with Oathkeeper reverse proxy and I do not know how to solve it. I want to set a web application behind the Oathkeeper and everything is set and working. However, when I deploy it with Nginx, I get some random 500 internal server errors. When I remove Oathkeeper everything is OK and I do not know why. I am trying to set the Outlook mail server and I am using the 4456 port from Oathkeeper for authentication and authorization. It is not about the authentication or authorization process; I set them to noop and allow options. Is there anything else that I should set before deploying my application with Nginx? I would appreciate it if you help me with this.
s
Could you help with the logs?
d
Hello. Could you please share oathkeeper’s logs? Also, it would be great to have some configuration files of your `access-rules` and `oathkeeper.yml`. Consider removing any sensitive information.
s
thanks a lot.
of course
it seems everything is fine with oathkeeper
however when I am not using it everything is just fine
d
Hello. You have a typo in your access-rules under authenticators. `cookie_session` is the correct way to write it. However, I assume there can be a bug somewhere else. Do you receive headers in your remote authorizer?
Anyway. I found that you send request using these encodings
"accept-encoding":"gzip, deflate, br"
I assume that there can be a small bug with oathkeeper that it does not handle gzip responses from authenticators/authorizers. As a solution you can disable gzip/deflate encodings and check it.
s
thank you so much. I will check it out and let you know about the result. Thanks again
@User Hi Andrew. I have tried to disable this option on Nginx when the request is redirected to oathkeeper. However, I would get this parameter on my request headers. Is there any way to make sure that this header is disabled for the oathkeeper service?
d
@User Hello. Does everything work fine with Nginx setup?
s
let me send you my Nginx config
```nginx
server {
    listen 443 ssl;
    ssl_certificate /etc/nginx/nginx.crt;
    ssl_certificate_key /etc/nginx/nginx.key;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
    ssl_ciphers HIGH;
    ssl_prefer_server_ciphers on;
    charset utf-8;
    server_name mail.iap.hamimco.ir;

    location / {
        gzip off;
        aio threads;
        auth_request /auth;
        #auth_request_set $auth_status $upstream_status;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $http_connection;
        proxy_set_header Authorization $http_authorization;
        add_header Access-Control-Allow-Origin "*";
        keepalive_timeout 70s;
        proxy_set_header Accept-Encoding "";
        proxy_http_version 1.1;
        proxy_pass https://upstream_server/;
        client_max_body_size 10240M;
        proxy_pass_header Server;
        proxy_redirect default;
        proxy_intercept_errors off;
    }

    location = /auth {
        gzip off;
        internal;
        aio threads;
        #client_max_body_size 2056M;
        #keepalive_timeout 70s;
        proxy_pass http://matching_url:4456/decisions/;
        # proxy_pass http://oathkeeper:4456/decisions/
        proxy_pass_request_body off;
        #proxy_http_version 1.1;
        proxy_set_header X-Original-URI $request_uri;
        proxy_set_header Content-Length "";
        #proxy_set_header X-Real-IP $remote_addr;
        #proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        #proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```
d
I mean that the best way to have oathkeeper with Nginx is to configure nginx+oathkeeper with subrequest authentication. In that case, proxying traffic lies on the nginx side while oathkeeper is used as a decision API.
I see
s
If the config file is not clear I can send you the file instead of here.
So you mean it is not a good way to use it for all the subrequests?
d
I built a couple of examples for nginx+oathkeeper setup. You can find them here and here. The difference between them is that the second example uses the hydrator mutator.
No. I mean that it’s the best way to use subrequest.
s
Let me check your examples to make it clear for myself. Thank you so much again.
Hi @User. It turns out I had to increase the buffer size on Nginx because some of the requests were too big to handle. Thank you so much for your help.