oauth2_proxy: nginx extension module no longer forwards X-User #305266

Closed
wilsonehusin opened this issue Apr 19, 2024 · 6 comments · Fixed by #307766

Comments

@wilsonehusin
Contributor

Describe the bug

OAuth2 Proxy's Nginx plugin used to forward X-User and X-Email headers to downstream programs. This stopped working after I updated on the unstable channel, which is potentially related to #275541 or #273234.

Steps To Reproduce

Steps to reproduce the behavior:

  1. Set up OAuth2 Proxy + Nginx
  2. Set up Grafana with auth.proxy of header name X-User.
  3. Grafana does not recognize the session

More simply:

  1. Set up OAuth2 Proxy + Nginx
  2. Use httpbin.org or something similar
  3. Inspect the headers — X-User and X-Email used to be present, but not anymore

Expected behavior

X-User and X-Email are passed to downstream servers under Nginx.

Additional details

  • I have `services.oauth2_proxy.extraConfig.set-xauthrequest = true;`
  • I upgraded nixpkgs unstable from sometime in late January to a few hours ago, which is what led me to the two PRs mentioned above.

Notify maintainers

cc @SuperSandro2000

Metadata

Please run nix-shell -p nix-info --run "nix-info -m" and paste the result.

[user@system:~]$ nix-shell -p nix-info --run "nix-info -m"
 - system: `"x86_64-linux"`
 - host os: `Linux 6.7.10, NixOS, 24.05 (Uakari), 24.05pre613616.bc279bbacf1f`
 - multi-user?: `yes`
 - sandbox: `yes`
 - version: `nix-env (Nix) 2.18.2`
 - channels(root): `"home-manager, nixos"`
 - nixpkgs: `/nix/var/nix/profiles/per-user/root/channels/nixos`
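
The header forwarding this report depends on, written out as a plain nginx `auth_request` setup. This is an added example, not part of the original issue and not the configuration the NixOS module generates. The addresses `127.0.0.1:4180` (oauth2-proxy) and `127.0.0.1:3000` (backend such as Grafana) and the host name `app.example.com` are assumptions, and TLS is left out for brevity.

```nginx
# Added example: hand-written server block, not the NixOS module's output.
# Assumes oauth2-proxy runs with set-xauthrequest enabled.
server {
    listen 80;
    server_name app.example.com;          # placeholder host name

    # oauth2-proxy's own endpoints (sign-in, callback).
    location /oauth2/ {
        proxy_pass       http://127.0.0.1:4180;
        proxy_set_header Host      $host;
        proxy_set_header X-Real-IP $remote_addr;
    }

    # Target of the auth_request subrequest; only the status and
    # response headers matter, so the request body is not sent.
    location = /oauth2/auth {
        proxy_pass       http://127.0.0.1:4180;
        proxy_set_header Host           $host;
        proxy_set_header X-Real-IP      $remote_addr;
        proxy_set_header Content-Length "";
        proxy_pass_request_body off;
    }

    location / {
        auth_request /oauth2/auth;
        error_page 401 = /oauth2/sign_in;

        # With set-xauthrequest, the auth response carries
        # X-Auth-Request-User and X-Auth-Request-Email.
        auth_request_set $user  $upstream_http_x_auth_request_user;
        auth_request_set $email $upstream_http_x_auth_request_email;

        # Set both headers explicitly on every proxied request:
        # proxy_set_header replaces any X-User / X-Email value the
        # client sent, so the backend only sees the proxy's values.
        proxy_set_header X-User  $user;
        proxy_set_header X-Email $email;

        proxy_pass http://127.0.0.1:3000;
    }
}
```

If the two `proxy_set_header` lines are missing from the effective configuration, a backend that trusts `X-User` (Grafana's `auth.proxy`, for instance) receives either no identity header or whatever the client supplied, so checking the rendered nginx config for them is the quickest way to confirm this regression.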


@aanderse
Member

@wilsonehusin are you able to play around a bit and confirm if the changes mentioned introduced this regression?

@wilsonehusin
Contributor Author

> @wilsonehusin are you able to play around a bit and confirm if the changes mentioned introduced this regression?

@aanderse yes. I can't really pinpoint what exactly since there were a lot of changes. Instead, I just have a local fork from 2e751c0 (prior to the changes mentioned in the PRs above).

@SuperSandro2000
Member

Can you give #307766 a try? I didn't test it yet, so it could completely break everything and be completely insecure, just as a warning.

@aanderse
Member

aanderse commented May 4, 2024

fantastic work @SuperSandro2000! @wilsonehusin please let us know how it goes 🙇‍♂️

@wilsonehusin
Contributor Author

Sorry for the late reply, I haven't been able to have time to test it out. Now that I do, it seems like virtualHosts has been converted to an attrset. This won't be an easy find-and-replace for me to try in my setup, so I will have to find some time to do proper cleanup.
