https://www.ory.sh/ logo
#talk-oathkeeper
Title
# talk-oathkeeper
l

lively-beard-47107

04/05/2022, 8:30 AM
Hi! So I’m having a problem with Oathkeeper Mutators while using it with NGINX. I have setup Oathkeeper and NGINX like this and the authentication/authorization is properly validated. However, when trying to set custom headers using mutators, the service does not receive those headers. I am wondering if there is a standard procedure in such cases
d

damp-sunset-69236

04/05/2022, 8:32 AM
Hello. Which mutators do you use?
l

lively-beard-47107

04/05/2022, 8:32 AM
Headers
And in the rule
I’ve also tried it with cookies. It doesn’t work
d

damp-sunset-69236

04/05/2022, 8:35 AM
What’s your configuration for matching rules and what error do you receive?
Do I understand correctly your case? You use nginx as ingress load balancer and oathkeeper to setup DMZ IAP proxy running in the internal network?
l

lively-beard-47107

04/05/2022, 8:42 AM
So I have added this configuration on the ingress of the service:
Copy code
<http://nginx.ingress.kubernetes.io/auth-url|nginx.ingress.kubernetes.io/auth-url>: <http://custom-nginx.auth-test.svc.cluster.local/decisions$request_uri>
Then,
custom-nginx.auth-test
is a NGINX deployment where I have customised the
nginx.conf
file and have set the following configs:
Copy code
proxy_pass <http://ory-oathkeeper.auth-test.svc.cluster.local:4456>;
I’m not really confident regarding terminology since I’m pretty new in this topic, but I hope this answers your question
The rule matches correctly and the authentication and authorizer work fine. The request goes through if I am authenticated and responds 401 if I’m not. The problem is that for some reasons, the headers that mutators are supposed to add are not going to the service
The problem is either with Oathkeeper that it is not adding the headers properly, or with NGINX. I believe that Oathkeeper is adding the headers, but then NGINX for some reasons is not passing them to the service
d

damp-sunset-69236

04/05/2022, 9:05 AM
Do you want to use oathkeeper as a decision API for nginx?
l

lively-beard-47107

04/05/2022, 9:05 AM
Yes
d

damp-sunset-69236

04/05/2022, 9:09 AM
Also, as a solution can be setting up
proxy_pass_request_headers on
for your location in nginx
Hey. I built a simple example to solve your case. in my example I proxying
X-user
variable
l

lively-beard-47107

04/05/2022, 10:34 AM
Did you succeed?
d

damp-sunset-69236

04/05/2022, 10:34 AM
You need to setup
Copy code
auth_request_set $x_user $upstream_http_X_User;
...
	    proxy_set_header X-User $x_user;
for your
location /
yep. I succeed.
you can clone repo, go to the `05_nginx_oathkeeper`directory, run docker-compose up and then you can open
<http://127.0.0.1:8080/hello>
url in your browser, authenticate and open it again.
You’ll see `X-USer`with correct value set by oathkeeper
I left comments under important settings of nginx.conf. Feel free to ask questions
l

lively-beard-47107

04/05/2022, 12:31 PM
Copy code
2022/04/05 12:29:28 [error] 36#36: *1 no resolver defined to resolve ory-oathkeeper.auth-test.svc.cluster.local, client: 172.16.0.49, server: , request: "GET /decisions/ HTTP/1.1", subrequest: "/auth-decision", host: "oathkeeper-proxy.auth-test.svc.cluster.local", referrer: "<http://hello-world.example.com/>"
2022/04/05 12:29:28 [error] 36#36: *1 auth request unexpected status: 502 while sending to client, client: 172.16.0.49, server: , request: "GET /decisions/ HTTP/1.1", host: "oathkeeper-proxy.auth-test.svc.cluster.local", referrer: "<http://hello-world.example.com/>"
I tried multiple things, while in this last example I tried to do it exactly how you did it. I’m getting the following logs
I’m even trying to pass a hard coded value, and I’m failing to do so. I know this is not related to Oathkeeper anymore
Copy code
nginx_1                       | 172.18.0.1 - - [05/Apr/2022:14:12:02 +0000] "GET /hello HTTP/1.1" 500 177 "<http://127.0.0.1:8080/>" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:98.0) Gecko/20100101 Firefox/98.0"
nginx_1                       | 2022/04/05 14:12:02 [error] 28#28: *22 auth request unexpected status: 404 while sending to client, client: 172.18.0.1, server: , request: "GET /hello HTTP/1.1", host: "localhost:8080", referrer: "<http://127.0.0.1:8080/>"
By using the example you created, I get the following logs
d

damp-sunset-69236

04/05/2022, 3:02 PM
Could you send nginx config and access-rules of oathkeeper?
3 Views