
[DOCKER] extra_hosts ignored #387

Closed

luketainton opened this issue Feb 10, 2020 · 6 comments · Fixed by #400

Comments

@luketainton
Contributor

When extra_hosts entries are specified (to modify the container's hosts file), they are ignored.

Expected Behavior

When getting the openid-configuration from the Keycloak URL, it should be using the specified IP address to get to the login server, not the publicly resolvable IP.

Current Behavior

It is still using the public IP, and due to firewall configuration this isn't working.

Steps to Reproduce (for bugs)

Run the service in Docker using the following docker-compose.yml snippet:

```yaml
services:
  web:
    image: quay.io/pusher/oauth2_proxy:v5.0.0
    restart: unless-stopped
    # extra_hosts appends "<INTERNAL_IP> login.citygate.io" to the container's
    # /etc/hosts; this is the entry the issue reports being ignored.
    extra_hosts:
      - "login.citygate.io:<INTERNAL_IP>"
    expose:
      - 4180
    # Exec-form list: every item reaches the binary verbatim, with no shell in
    # between, so quotes inside a value would be passed to oauth2_proxy
    # literally. Quotes are therefore placed around the whole YAML item.
    entrypoint:
      - /bin/oauth2_proxy
      - --provider=oidc
      - --client-id=nodered
      - --client-secret=<REDACTED>
      - --oidc-issuer-url=https://login.citygate.io/auth/realms/master
      - --keycloak-group=/NodeRED/Users
      - "--email-domain=citygate.io"
      - "--upstream=http://app:1880/"
      - "--cookie-secret=<REDACTED>"
      - --cookie-secure=true
      - --reverse-proxy=true
      - "--http-address=0.0.0.0:4180"
    links:
      - app
    depends_on:
      - app
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.nodered.rule=Host(`nodered.citygate.io`)"
      - "traefik.http.routers.nodered.entrypoints=https"
      - "traefik.http.routers.nodered.tls=true"
      - "traefik.http.routers.nodered.tls.certResolver=le"
      - "traefik.http.services.nodered.loadbalancer.server.port=4180"
      - "traefik.http.services.nodered.loadbalancer.server.scheme=http"
```

Context

The OAuth2 proxy cannot get the OpenID Configuration which means users cannot authenticate.

Your Environment

  • Version used: 5.0.0
  • OS: Linux (in Docker)
@ploxiln
Contributor

ploxiln commented Feb 12, 2020

see golang/go#35305

@luketainton
Contributor Author

Thanks @ploxiln! I mounted /etc/nsswitch.conf and this fixed my issue.

@kfox1111

This is a known issue with non-glibc systems and golang statically linked builds. In this case, the resolver follows glibc's arguably broken behavior of DNS first, then /etc/hosts second in the absence of nsswitch.conf. This also shows up with weirdness such as 'localhost' resolving to your own domain's version if you have one.

For something security sensitive like oauth2_proxy, I'd recommend putting an explicit nsswitch.conf into the official container via the Dockerfile. This will affect other users unexpectedly, and not just this one user. Please reopen the ticket.
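The resolver behaviour described in the comment above, as an added example that is not part of the original issue or of oauth2_proxy's code: a small Go program that re-implements the lookup-order decision the comment refers to (missing /etc/nsswitch.conf on Linux means "dns files") together with a minimal /etc/hosts parser, then resolves the issuer host once without an nsswitch.conf, as in a minimal container image, and once with a file saying `hosts: files dns`. The internal address 10.0.0.5 (standing in for `<INTERNAL_IP>`), the public address 203.0.113.10 and the hosts-file text are constructed inputs; the DNS side is a map standing in for the network. The real decision lives in the standard library's net package and covers more sources than this toy does.

```go
package main

import (
	"fmt"
	"strings"
)

// Source is one name-resolution source from an nsswitch.conf "hosts:" line.
type Source string

const (
	SrcFiles Source = "files" // /etc/hosts
	SrcDNS   Source = "dns"   // network resolver
)

// HostsOrder decides the order in which files and dns are consulted.
// present=false models an image with no /etc/nsswitch.conf at all; the
// fallback reproduces what golang/go#35305 describes for the pure-Go resolver
// on Linux at the time of this issue: no file means "dns files", so /etc/hosts
// is only read when DNS has no answer. Illustrative reimplementation, not the
// net package's code: other sources and [STATUS=action] words are ignored.
func HostsOrder(nsswitch string, present bool) []Source {
	if present {
		for _, line := range strings.Split(nsswitch, "\n") {
			if i := strings.IndexByte(line, '#'); i >= 0 {
				line = line[:i] // strip comments
			}
			kv := strings.SplitN(line, ":", 2)
			if len(kv) != 2 || strings.TrimSpace(kv[0]) != "hosts" {
				continue
			}
			var order []Source
			for _, word := range strings.Fields(kv[1]) {
				if word == "files" || word == "dns" {
					order = append(order, Source(word))
				}
			}
			if len(order) > 0 {
				return order
			}
		}
	}
	return []Source{SrcDNS, SrcFiles} // absent, or no usable hosts: line
}

// ParseHosts turns /etc/hosts text into a name -> address map (first entry
// wins). A compose extra_hosts entry "name:ip" becomes one such line.
func ParseHosts(hosts string) map[string]string {
	m := map[string]string{}
	for _, line := range strings.Split(hosts, "\n") {
		if i := strings.IndexByte(line, '#'); i >= 0 {
			line = line[:i]
		}
		f := strings.Fields(line)
		for i := 1; i < len(f); i++ {
			if name := strings.ToLower(f[i]); m[name] == "" {
				m[name] = f[0]
			}
		}
	}
	return m
}

// Lookup consults the sources in order and returns the first answer and the
// source it came from; dns is a constructed map standing in for the network.
func Lookup(name string, order []Source, hosts, dns map[string]string) (string, Source, bool) {
	name = strings.ToLower(strings.TrimSuffix(name, "."))
	for _, src := range order {
		table := dns
		if src == SrcFiles {
			table = hosts
		}
		if addr, ok := table[name]; ok {
			return addr, src, true
		}
	}
	return "", "", false
}

// Constructed inputs modelling the reporter's container: the hosts file after
// extra_hosts is applied (10.0.0.5 stands in for <INTERNAL_IP>) and the public
// DNS answer (203.0.113.10 is a documentation-range address, not a real one).
const containerHosts = "127.0.0.1\tlocalhost\n10.0.0.5\tlogin.citygate.io\n"

var publicDNS = map[string]string{"login.citygate.io": "203.0.113.10"}

// Resolve returns the address the proxy would connect to for the issuer host
// under the given nsswitch.conf state.
func Resolve(nsswitch string, present bool) (string, Source) {
	addr, via, _ := Lookup("login.citygate.io", HostsOrder(nsswitch, present), ParseHosts(containerHosts), publicDNS)
	return addr, via
}

func main() {
	addr, via := Resolve("", false)
	fmt.Printf("no /etc/nsswitch.conf:        %s via %s\n", addr, via)
	addr, via = Resolve("hosts: files dns\n", true)
	fmt.Printf("nsswitch 'hosts: files dns':  %s via %s\n", addr, via)
}
```

The first line of output shows the public DNS answer winning even though the extra_hosts entry is present, which is the firewall-blocked path in the report; the second shows the files-first order that an explicit `hosts: files dns` line restores, whether the file is baked into the image or bind-mounted. Inside a suspect container, running the real binary with `GODEBUG=netdns=2` set makes the Go resolver print the order it chose for each lookup, which is the quickest way to confirm which case you are in.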

@luketainton luketainton reopened this Feb 12, 2020
@luketainton
Contributor Author

I've reopened this as @kfox1111 has asked. I've worked around this by mounting my nsswitch.conf as a volume, but it would be best to add it into the Dockerfile directly.

@JoelSpeed
Member

For something security sensitive like oauth2_proxy, I'd recommend putting an explicit nsswitch.conf into the official container via the Dockerfile. This will affect other users unexpectedly, and not just this one user. Please reopen the ticket.

This seems like a reasonable solution; can someone raise a PR?

@luketainton
Contributor Author

luketainton commented Feb 16, 2020 via email
