No resolver when using external auth #51

Closed
groob opened this issue Dec 11, 2016 · 7 comments
groob commented Dec 11, 2016

Using the following annotation:

  annotations:
    ingress.kubernetes.io/auth-url: https://httpbin.org/basic-auth/user/passwd

error log:

2016/12/11 05:06:13 [error] 250#250: *40 no resolver defined to resolve httpbin.org, client: 127.0.0.1, server: prometheus.acme.co, request: "GET / HTTP/2.0", subrequest: "/_external-auth-Lw", host: "prometheus.acme.co"
2016/12/11 05:06:13 [error] 250#250: *40 auth request unexpected status: 502 while sending to client, client: 127.0.0.1, server: prometheus.acme.co, request: "GET / HTTP/2.0", host: "prometheus.acme.co"
127.0.0.1 - [127.0.0.1] - - [11/Dec/2016:05:06:13 +0000] "GET / HTTP/2.0" 502 0 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.98 Safari/537.36" 0 0.000 [default-echoheaders-y-80] - - - -
127.0.0.1 - [127.0.0.1] - - [11/Dec/2016:05:06:13 +0000] "GET / HTTP/2.0" 500 706 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.98 Safari/537.36" 11 0.000 [default-echoheaders-y-80] - - - -
2016/12/11 05:06:13 [error] 250#250: *40 no resolver defined to resolve httpbin.org, client: 127.0.0.1, server: prometheus.acme.co, request: "GET /favicon.ico HTTP/2.0", subrequest: "/_external-auth-Lw", host: "prometheus.acme.co", referrer: "https://prometheus.acme.co/"
2016/12/11 05:06:13 [error] 250#250: *40 auth request unexpected status: 502 while sending to client, client: 127.0.0.1, server: prometheus.acme.co, request: "GET /favicon.ico HTTP/2.0", host: "prometheus.acme.co", referrer: "https://prometheus.acme.co/"
127.0.0.1 - [127.0.0.1] - - [11/Dec/2016:05:06:13 +0000] "GET /favicon.ico HTTP/2.0" 502 0 "https://prometheus.acme.co/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.98 Safari/537.36" 0 0.000 [default-echoheaders-y-80] - - - -
127.0.0.1 - [127.0.0.1] - - [11/Dec/2016:05:06:13 +0000] "GET /favicon.ico HTTP/2.0" 500 706 "https://prometheus.acme.co/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.98 Safari/537.36" 27 0.000 [default-echoheaders-y-80] - - - -
@gianrubio
Contributor

@groob could you provide the generated nginx.conf?

Author

groob commented Dec 26, 2016

Unfortunately, I already moved on to a different strategy, so I don't have the above config.

cluk1 commented Dec 27, 2016

Hi, I am seeing the same problem:

::ffff:10.32.0.2 - [::ffff:10.32.0.2] - - [27/Dec/2016:14:40:25 +0000] "GET /foobar HTTP/1.1" 502 0 "-" "curl/7.47.0" 0 0.000 [default-echoheaders-80] - - - -
2016/12/27 14:40:25 [error] 2960#2960: *32 no resolver defined to resolve ldap-auth.kube-system.svc.cluster.local, client: ::ffff:10.32.0.2, server: host.cluster.local, request: "GET /foobar HTTP/1.1", subrequest: "/_external-auth-L2Zvb2Jhcg", host: "host.cluster.local"
2016/12/27 14:40:25 [error] 2960#2960: *32 auth request unexpected status: 502 while sending to client, client: ::ffff:10.32.0.2, server: host.cluster.local, request: "GET /foobar HTTP/1.1", host: "host.cluster.local"
::ffff:10.32.0.2 - [::ffff:10.32.0.2] - - [27/Dec/2016:14:40:25 +0000] "GET /foobar HTTP/1.1" 500 193 "-" "curl/7.47.0" 88 0.000 [default-echoheaders-80] - - - -

The generated nginx.conf is attached:
nginx.conf.txt

The resolv.conf from the ingress ctrl pod looks like this:

search default.svc.cluster.local svc.cluster.local cluster.local
nameserver 10.96.0.10
options ndots:5

Resolving that hostname from inside the pods works:

root@ingress-ctrl-dbc94:/# nslookup ldap-auth.kube-system.svc.cluster.local
Server:         10.96.0.10
Address:        10.96.0.10#53

Name:   ldap-auth.kube-system.svc.cluster.local
Address: 10.97.116.136

cluk1 commented Dec 27, 2016

This can be fixed by either adding a resolver line to the nginx.tmpl or by the following diff:

diff --git a/controllers/nginx/rootfs/etc/nginx/template/nginx.tmpl b/controllers/nginx/rootfs/etc/nginx/template/nginx.tmpl
index ac3754b..5ec1148 100644
--- a/controllers/nginx/rootfs/etc/nginx/template/nginx.tmpl
+++ b/controllers/nginx/rootfs/etc/nginx/template/nginx.tmpl
@@ -235,8 +235,7 @@ http {
             {{ end }}
             proxy_set_header            Host $host;            
             proxy_pass_request_headers  on;
-            set $target {{ $location.ExternalAuth.URL }};
-            proxy_pass $target;
+            proxy_pass {{ $location.ExternalAuth.URL }};
         }
         {{ end }}
         
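
Review bot: the added `proxy_pass {{ $location.ExternalAuth.URL }};` line drops the `$target` variable, so nginx resolves the auth host once when the configuration is loaded instead of per request. That makes the "no resolver defined" error go away, but a reload then fails if the name does not resolve at that moment, and a changed address for the auth service is not picked up until the next reload. Keeping `set $target` and emitting a `resolver` directive in the `http` block, pointing at the nameserver from the pod's resolv.conf (10.96.0.10 in the report above), fixes the error without that trade-off.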

@gianrubio
Contributor

@cluk33 could you send a PR to fix this?

Member

aledbf commented Dec 27, 2016

@gianrubio please don't change this. The resolver issue must be fixed (i.e. present in nginx.conf)

Edit: this should be fixed after #77

Member

aledbf commented Jan 19, 2017

@groob fixed in master. Please reopen if that's not right.
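
The following Go example is added here and is not the ingress controller's code or the change made in #77: it derives an nginx `resolver` directive from a pod's resolv.conf (the one quoted in the thread is embedded as constructed sample input) and reports whether an auth-url host needs request-time resolution at all. The function names and the `valid=30s` cache time are assumptions.

```go
package main

import (
	"bufio"
	"fmt"
	"net"
	"net/url"
	"strings"
)

// Constructed sample input: the resolv.conf quoted in the thread.
const sampleResolvConf = `search default.svc.cluster.local svc.cluster.local cluster.local
nameserver 10.96.0.10
options ndots:5
`

// ResolverDirective (hypothetical name) renders an nginx "resolver" line from resolv.conf text.
func ResolverDirective(resolvConf string) (string, error) {
	var servers []string
	sc := bufio.NewScanner(strings.NewReader(resolvConf))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) < 2 || f[0] != "nameserver" || net.ParseIP(f[1]) == nil {
			continue // not a nameserver line, or not a valid IP address
		}
		if strings.Contains(f[1], ":") {
			f[1] = "[" + f[1] + "]" // nginx expects IPv6 addresses in brackets
		}
		servers = append(servers, f[1])
	}
	if len(servers) == 0 {
		return "", fmt.Errorf("no usable nameserver in resolv.conf")
	}
	return "resolver " + strings.Join(servers, " ") + " valid=30s;", nil
}

// NeedsResolver (hypothetical name): true for a hostname, false for an IP literal.
func NeedsResolver(authURL string) (bool, error) {
	u, err := url.Parse(authURL)
	if err != nil || u.Hostname() == "" {
		return false, fmt.Errorf("invalid auth-url %q", authURL)
	}
	return net.ParseIP(u.Hostname()) == nil, nil
}

func main() {
	d, err := ResolverDirective(sampleResolvConf)
	fmt.Println(d, err)
}
```

nginx's resolver does not apply the `search` list or `ndots` option from resolv.conf, so the auth-url host has to be fully qualified, as `ldap-auth.kube-system.svc.cluster.local` is in the report above.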
