OAuth2-Proxy Version
7.6.0
Provider
keycloak-oidc
Current Behaviour of your Problem
I am running a setup with VM1 - Keycloak instance and VM2 - Prometheus together with oauth2-proxy.
The Keycloak authorization process works fine until it has to pass me to Prometheus after I entered my one-time passcode from the authenticator; then I am getting a 502 Bad Gateway in the browser.
The error.log says:
*10 connect() failed (111: Connection refused) while connecting to upstream, client: <myclientip, server: _, request: "GET /prometheus/ HTTP/1.1", upstream: "http://127.0.0.1:80/prometheus/", host: ""
The /var/log says:
WARNING: Multiple cookies are required for this session as it exceeds the 4kb cookie limit. Please use server side session storage (eg. Redis) instead.
The access.log says:
"GET /oauth2/callback?state=... Gecko/20100101 Firefox/123.0"
"GET /prometheus/ HTTP/1.1" 502 157 "-" "Mozilla/5.0
I don't know how to fix this in my specific case. I tried everything that I found on Stack Overflow and in GitHub issues, but I am still catching this message: "1) WARNING: Multiple cookies are required for this session as it exceeds the 4kb cookie limit. Please use server side session storage (eg. Redis) instead." together with the 502 Bad Gateway.
Configuration details or additional information
My configs:
nginx sites-available default
server {
    listen 443 ssl default_server;
    listen [::]:443 ssl default_server;
    ssl_certificate /etc/nginx/ssl/prometheus.crt;
    ssl_certificate_key /etc/nginx/ssl/prometheus.key;

    # Cookie Buffer increase
    proxy_buffers 8 16k; # Buffer pool = 8 buffers of 16k
    proxy_buffer_size 16k; # 16k of buffers from pool used for headers

    root /var/www/html;
    # Add index.php to the list if you are using PHP
    index index.html index.htm index.nginx-debian.html;
    server_name _;

    location / {
        # First attempt to serve request as file, then
        # as directory, then fall back to displaying a 404.
        try_files $uri $uri/ =404;
    }

    location /prometheus/ {
        auth_request /oauth2/auth;
        error_page 401 = /oauth2/sign_in;
        # pass information via X-User and X-Email headers to backend,
        # requires running with --set-xauthrequest flag
        auth_request_set $user $upstream_http_x_auth_request_user;
        auth_request_set $email $upstream_http_x_auth_request_email;
        proxy_set_header X-User $user;
        proxy_set_header X-Email $email;
        # if you enabled --cookie-refresh, this is needed for it to work with auth_request
        auth_request_set $auth_cookie $upstream_http_set_cookie;
        add_header Set-Cookie $auth_cookie;
        proxy_pass http://localhost/prometheus/;
    }

    location /oauth2/ {
        proxy_pass http://localhost:4180;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Scheme $scheme;
        proxy_set_header X-Auth-Request-Redirect $request_uri;
    }

    location = /oauth2/auth {
        proxy_pass http://localhost:4180;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Scheme $scheme;
        # nginx auth_request includes headers but not body
        proxy_set_header Content-Length "";
        proxy_pass_request_body off;
    }
}
oauth2-proxy.cfg
provider="oidc"
provider_display_name="Keycloak 2FA"
login_url="https://<myVM1domain/realms/<realmName/protocol/openid-connect/auth"
validate_url="https://<myVM1domain/realms/<realmName/protocol/openid-connect/userinfo"
profile_url="https://auth.keycloak/oauth2/userinfo"
client_id="prometheus"
client_secret="OoBxPTvzicKpQAGMdb89P2lu4kGnau0H"
redirect_url="https://<myVM2domain/oauth2/callback"
upstreams=["http://localhost:9090/prometheus/"] # My website server
###OIDC settings
#reverse_proxy=true
oidc_issuer_url="<myVM1domain/realms/<realmName"
insecure_oidc_allow_unverified_email=true
email_domains=["*"]
cookie_secret="AkaBxYPzIvMdQziWECV6Ow=="
http_address="127.0.0.1:4180"
whitelist_domains="<myVM2domain"
cookie_domains=["<myVM2domain"]
cookie_secure="false"
cookie_samesite="lax"
pass_authorization_header = true
pass_access_token = true
pass_user_headers = true
set_authorization_header = true
set_xauthrequest = true
cookie_refresh = "1m"
cookie_expire = "30m"
scope="openid email profile"
Steps To Reproduce
I mainly followed the instructions in this Stack Overflow thread https://stackoverflow.com/questions/70975460/is-there-a-way-to-configure-sso-oauth2-prometheus-via-nginx-ingress-and-oauth2-p and the oauth2 guide for the Keycloak instance.
The Keycloak process is working fine, so I think I have a mistake somewhere in my Prometheus/oauth2 configs.
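The two log lines describe two separate problems. The 502 comes from nginx, not from Keycloak or oauth2-proxy: the error.log entry says nginx tried to reach upstream http://127.0.0.1:80/prometheus/ and was refused. That address is exactly what `proxy_pass http://localhost/prometheus/;` resolves to when no port is given, and on VM2 nothing listens on port 80 (the server block above only listens on 443), while Prometheus itself is on 9090 according to the `upstreams` line in oauth2-proxy.cfg. In auth_request mode nginx proxies the protected path directly, so oauth2-proxy's `upstreams` setting never comes into play for /prometheus/ and the missing port in nginx is what breaks the final hop after the OIDC callback. The "Multiple cookies" warning is a separate, non-fatal condition: Keycloak's tokens are large and, with `pass_access_token` and `set_authorization_header` enabled, they are kept in the session, which oauth2-proxy then has to split across several cookies because the session no longer fits in one. The warning's own advice applies: move the session to Redis so the browser cookie holds only a small session reference. The following is an added example of the corrected server block; it is not the issue author's config and not code from the oauth2-proxy project. It assumes Prometheus listens on 127.0.0.1:9090 and serves under the /prometheus/ route prefix (as the `upstreams` line implies) and that oauth2-proxy listens on 127.0.0.1:4180 as set by `http_address`; the /oauth2/ locations use 127.0.0.1 explicitly so nginx connects to the same address oauth2-proxy binds to.

```nginx
# Added example (not the issue author's config, not from the oauth2-proxy project).
# Assumptions: Prometheus on 127.0.0.1:9090 with route prefix /prometheus/,
# oauth2-proxy on 127.0.0.1:4180 (http_address in oauth2-proxy.cfg).
server {
    listen 443 ssl default_server;
    listen [::]:443 ssl default_server;
    ssl_certificate     /etc/nginx/ssl/prometheus.crt;
    ssl_certificate_key /etc/nginx/ssl/prometheus.key;
    server_name _;

    # Response headers from auth_request (large Set-Cookie values) still need
    # to fit into the proxy header buffers.
    proxy_buffers 8 16k;
    proxy_buffer_size 16k;

    location /prometheus/ {
        auth_request /oauth2/auth;
        error_page 401 = /oauth2/sign_in;

        # Identity headers for the backend; requires set_xauthrequest = true.
        auth_request_set $user  $upstream_http_x_auth_request_user;
        auth_request_set $email $upstream_http_x_auth_request_email;
        proxy_set_header X-User  $user;
        proxy_set_header X-Email $email;

        # Needed for cookie_refresh to work through auth_request.
        auth_request_set $auth_cookie $upstream_http_set_cookie;
        add_header Set-Cookie $auth_cookie;

        # The original "proxy_pass http://localhost/prometheus/;" carries no port,
        # so nginx connected to 127.0.0.1:80, where nothing listens
        # ("111: Connection refused"). Point it at the Prometheus listener.
        proxy_pass http://127.0.0.1:9090/prometheus/;
        proxy_set_header Host $host;
    }

    location /oauth2/ {
        proxy_pass http://127.0.0.1:4180;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Scheme $scheme;
        # Tells oauth2-proxy where to send the browser after the callback.
        proxy_set_header X-Auth-Request-Redirect $request_uri;
    }

    location = /oauth2/auth {
        proxy_pass http://127.0.0.1:4180;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Scheme $scheme;
        # auth_request forwards headers only; drop the body.
        proxy_set_header Content-Length "";
        proxy_pass_request_body off;
    }
}
```

After changing the file, `nginx -t && systemctl reload nginx`, then confirm with `ss -ltnp` that 127.0.0.1:9090 and 127.0.0.1:4180 are actually listening and that error.log no longer mentions 127.0.0.1:80. For the cookie warning, add `session_store_type = "redis"` and `redis_connection_url = "redis://127.0.0.1:6379"` to oauth2-proxy.cfg (both are existing oauth2-proxy options; the Redis address is an assumption for a Redis on the same VM), which keeps the browser cookie below the 4kb limit so it is no longer split.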