https://www.ory.sh/ logo
Join Slack
Powered by
Hi! So I’m having a problem with Oathkeeper Mutato...
# talk-oathkeeper
l
Hi! So I’m having a problem with Oathkeeper Mutators while using it with NGINX. I have setup Oathkeeper and NGINX like this and the authentication/authorization is properly validated. However, when trying to set custom headers using mutators, the service does not receive those headers. I am wondering if there is a standard procedure in such cases
d
Hello. Which mutators do you use?
l
Headers
And in the rule
I’ve also tried it with cookies. It doesn’t work
d
What’s your configuration for matching rules and what error do you receive?
Do I understand correctly your case? You use nginx as ingress load balancer and oathkeeper to setup DMZ IAP proxy running in the internal network?
l
So I have added this configuration on the ingress of the service:
Copy code
<http://nginx.ingress.kubernetes.io/auth-url|nginx.ingress.kubernetes.io/auth-url>: <http://custom-nginx.auth-test.svc.cluster.local/decisions$request_uri>
Then, 
custom-nginx.auth-test
is a NGINX deployment where I have customised the 
nginx.conf
file and have set the following configs:
Copy code
proxy_pass <http://ory-oathkeeper.auth-test.svc.cluster.local:4456>;
I’m not really confident regarding terminology since I’m pretty new in this topic, but I hope this answers your question
The rule matches correctly and the authentication and authorizer work fine. The request goes through if I am authenticated and responds 401 if I’m not. The problem is that for some reasons, the headers that mutators are supposed to add are not going to the service
The problem is either with Oathkeeper that it is not adding the headers properly, or with NGINX. I believe that Oathkeeper is adding the headers, but then NGINX for some reasons is not passing them to the service
d
Do you want to use oathkeeper as a decision API for nginx?
l
Yes
d
Also, as a solution can be setting up 
proxy_pass_request_headers on
for your location in nginx
Hey. I built a simple example to solve your case. in my example I proxying 
X-user
variable
l
Did you succeed?
d
You need to setup
Copy code
auth_request_set $x_user $upstream_http_X_User;
...
	    proxy_set_header X-User $x_user;
for your 
location /
yep. I succeed.
you can clone repo, go to the `05_nginx_oathkeeper`directory, run docker-compose up and then you can open 
<http://127.0.0.1:8080/hello>
url in your browser, authenticate and open it again.
You’ll see `X-USer`with correct value set by oathkeeper
I left comments under important settings of nginx.conf. Feel free to ask questions
l
Copy code
2022/04/05 12:29:28 [error] 36#36: *1 no resolver defined to resolve ory-oathkeeper.auth-test.svc.cluster.local, client: 172.16.0.49, server: , request: "GET /decisions/ HTTP/1.1", subrequest: "/auth-decision", host: "oathkeeper-proxy.auth-test.svc.cluster.local", referrer: "<http://hello-world.example.com/>"
2022/04/05 12:29:28 [error] 36#36: *1 auth request unexpected status: 502 while sending to client, client: 172.16.0.49, server: , request: "GET /decisions/ HTTP/1.1", host: "oathkeeper-proxy.auth-test.svc.cluster.local", referrer: "<http://hello-world.example.com/>"
I tried multiple things, while in this last example I tried to do it exactly how you did it. I’m getting the following logs
I’m even trying to pass a hard coded value, and I’m failing to do so. I know this is not related to Oathkeeper anymore
Copy code
nginx_1                       | 172.18.0.1 - - [05/Apr/2022:14:12:02 +0000] "GET /hello HTTP/1.1" 500 177 "<http://127.0.0.1:8080/>" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:98.0) Gecko/20100101 Firefox/98.0"
nginx_1                       | 2022/04/05 14:12:02 [error] 28#28: *22 auth request unexpected status: 404 while sending to client, client: 172.18.0.1, server: , request: "GET /hello HTTP/1.1", host: "localhost:8080", referrer: "<http://127.0.0.1:8080/>"
By using the example you created, I get the following logs
d
Could you send nginx config and access-rules of oathkeeper?
7 Views
Open in Slack
PreviousNext
Powered by