[nginx-ingress-controller] Basic auth header is not stripped #1383

Closed
atombender opened this Issue Jul 18, 2016 · 6 comments

atombender commented Jul 18, 2016

If you use basic auth in an ingress, then the Authorization header is passed along to the proxied upstream, which can result in incorrect behaviour if the upstream doesn't expect one.

For example, Drone will ignore its session cookie if the auth header is specified.

The correct behaviour is to strip the header and not pass it to the upstream.

Until this is fixed, I've been trying to find a workaround by injecting a custom Nginx directive, but I can't find a way. Is there one?

aledbf commented Jul 18, 2016

@atombender use a custom template and add `proxy_set_header Authorization "";` in the location with the basic auth
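A way to check a rendered configuration for the behaviour reported in this issue, as an added example that is not part of the thread or the controller's code: the script lists locations that enforce basic auth and proxy upstream without `proxy_set_header Authorization "";`. The sample configuration, its paths, upstream names and realm string are constructed, and the function names are hypothetical.

```python
import re

# Constructed sample of a rendered nginx.conf; all paths, upstream names and
# the realm string are made up for this example.
SAMPLE_CONF = r'''
server {
    location /drone {            # basic auth, header forwarded upstream
        auth_basic "Authentication Required";
        auth_basic_user_file /etc/nginx/htpasswd-drone;
        proxy_pass http://upstream-drone;
    }
    location /fixed {            # header cleared before proxying
        auth_basic "Authentication Required";
        auth_basic_user_file /etc/nginx/htpasswd-fixed;
        proxy_set_header Authorization "";
        proxy_pass http://upstream-fixed;
    }
    location /public {           # no auth at the proxy, nothing to strip
        proxy_pass http://upstream-public;
    }
}
'''

def directive(pattern):
    # A directive starts a block or follows ';', '{' or '}'.
    return re.compile(r'(?:^|[;{}])\s*' + pattern)

AUTH = directive(r'auth_basic\s+(?!off\s*;)')
PROXY = directive(r'proxy_pass\s')
CLEAR = directive(r'proxy_set_header\s+(?i:authorization)\s+(?:""|\'\')\s*;')
LOCATION = re.compile(r'\blocation\s+([^{;]+?)\s*\{')

def location_blocks(conf):
    """Yield (path, body) per location block, matching braces by depth."""
    conf = re.sub(r'#[^\n]*', '', conf)  # assumes no '#' or braces inside strings
    for m in LOCATION.finditer(conf):
        depth, i = 1, m.end()
        while i < len(conf) and depth:
            depth += {'{': 1, '}': -1}.get(conf[i], 0)
            i += 1
        yield m.group(1).strip(), conf[m.end():i - 1]

def leaking_locations(conf):
    """Locations with basic auth and proxy_pass that never clear Authorization."""
    return [path for path, body in location_blocks(conf)
            if AUTH.search(body) and PROXY.search(body) and not CLEAR.search(body)]

if __name__ == '__main__':
    print(leaking_locations(SAMPLE_CONF))
```

It checks each location body only; a `proxy_set_header` inherited from the server level is not considered.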

atombender commented Jul 18, 2016

@aledbf Thanks, I discovered the template just now. That's just a temporary workaround, of course.

aledbf commented Jul 18, 2016

> That's just a temporary workaround, of course.

Yes, tomorrow I will open a PR to remove the Authorization header when the auth annotation is used

atombender commented Jul 18, 2016

@aledbf: This PR fixed the issue for me.

aledbf commented Jul 18, 2016

@atombender awesome. Thanks!

Yannic92 commented Dec 11, 2018

Sorry that I have to ask under a closed issue, but how is it possible to pass the authorization header to an upstream now? I see the condition `{{ if $location.BasicDigestAuth.Secured }}` but I don't know how to set it to false.
I want my service to evaluate the Authorization header, not nginx.
