2

I am trying to rewrite the nginx x-auth-request-email header to a request string using the ingress controller annotation like this:

nginx.ingress.kubernetes.io/configuration-snippet: |
  set $args user=$http_x_auth_request_email&$args;

Which translates to the same line in nginx.conf.

However, $http_x_auth_request_email somehow resolves to an empty string in the request while I do observe the expected value in the x-auth-request-email header.

Changing $http_x_auth_request_email to a more standard header such as $http_host works as expected.

Is there a way to make this work?

Here is the full config:

https://gist.github.com/roman-kouzmenko/e6f93f3bf5ca74c018f917a2d3fbf947#file-nginx-conf-L1198

user3124206
  • 375
  • 1
  • 7
  • 16
  • The annotation seem fine to me... Could you exec into controller pod and see how it looks in the actual config? – anemyte May 18 '21 at 18:35
  • Added a link to the config generated from the ingress. – user3124206 May 18 '21 at 20:23
  • When you tested it, did you send the request to `/echo/` location? E.g. `curl https://example.com/echo/?foo=bar` – anemyte May 19 '21 at 06:48
  • yes, exactly, I have a container echoing the request on that location (hub.docker.com/r/brndnmtthws/nginx-echo-headers) I see the following: GET /echo/?user=&foo=bar HTTP/1.1 x-auth-request-email: ACTUAL_EMAIL. If I use any of the non-auth headers, it strangely works as expected. – user3124206 May 19 '21 at 07:42
  • I am now thinking that perhaps adding another clean non-ingress nginx sidecar to my services would make this easier although not that efficient resource-wise. – user3124206 May 19 '21 at 07:42
  • Wait a moment, I've found the source of the problem: https://gist.github.com/roman-kouzmenko/e6f93f3bf5ca74c018f917a2d3fbf947#file-nginx-conf-L1141 – anemyte May 19 '21 at 07:45
  • Seems like it's getting erased after authentication. Maybe you need to use `nginx.ingress.kubernetes.io/auth-response-headers` annotation (see [here](https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/annotations/#external-authentication)) – anemyte May 19 '21 at 07:58
  • I actually already do have that annotation, otherwise, even the header doesn't appear. I can't rewrite any of the other x- headers as well such as x-forwarded-for. I wonder if it's not related to this. – user3124206 May 19 '21 at 08:10
  • You can see in the config that x-forwarded-for is set before `proxy_pass`. – anemyte May 19 '21 at 08:12
  • Can you try this snippet, just in case? `set $args user=$upstream_http_x_auth_request_email&$args;` – anemyte May 19 '21 at 08:17
  • tried it already ;) as well as $authHeader0, none of these work. – user3124206 May 19 '21 at 08:41
  • Then I suggest to save the header value into a temporary variable at the server block level (`nginx.ingress.kubernetes.io/server-snippet`) and use it later in `nginx.ingress.kubernetes.io/configuration-snippet`. Server block configuration snippet should be evaluated before location rewrite sequences, i.e. header value shouldn't be erased at that moment. – anemyte May 19 '21 at 09:08
  • Doesn't work either unfortunately – user3124206 May 19 '21 at 09:46
  • I asked this on the slack k8s channel, will update here if I find a solution – user3124206 May 19 '21 at 10:28

0 Answers0