
[Support]: Getting CRSF cookie or cookie limit 4kb error #2587

maxomizer opened this issue Apr 2, 2024 · 2 comments

Comments


maxomizer commented Apr 2, 2024

OAuth2-Proxy Version

7.6.0

Provider

keycloak-oidc

Current Behaviour of your Problem

I am running a setup with VM1 (Keycloak instance) and VM2 (Prometheus together with oauth2-proxy).

The Keycloak authorization process works fine until it has to pass me to Prometheus after I entered my one-time passcode from the authenticator; then I am getting a 502 Bad Gateway in the browser.

The error.log says *10 connect() failed (111: Connection refused) while connecting to upstream, client: <myclientip, server: _, request: "GET /prometheus/ HTTP/1.1", upstream: "http://127.0.0.1:80/prometheus/", host: ""

The /var/log says WARNING: Multiple cookies are required for this session as it exceeds the 4kb cookie limit. Please use server side session storage (eg. Redis) instead.
The access.log says "GET /oauth2/callback?state=... Gecko/20100101 Firefox/123.0"
"GET /prometheus/ HTTP/1.1" 502 157 "-" "Mozilla/5.0

I don't know how to fix this in my specific case. I tried everything I found on Stack Overflow and GitHub issues, but I keep catching this message: "WARNING: Multiple cookies are required for this session as it exceeds the 4kb cookie limit. Please use server side session storage (eg. Redis) instead." with a 502 Bad Gateway.

Configuration details or additional information

My configs:

nginx sites-available default

server {
    listen 443 ssl default_server;
    listen [::]:443 ssl default_server;
    ssl_certificate /etc/nginx/ssl/prometheus.crt;
    ssl_certificate_key /etc/nginx/ssl/prometheus.key;

    # Cookie Buffer increase
    proxy_buffers         8 16k;  # Buffer pool = 8 buffers of 16k
    proxy_buffer_size     16k;    # 16k of buffers from pool used for headers

    root /var/www/html;

    # Add index.php to the list if you are using PHP
    index index.html index.htm index.nginx-debian.html;

    server_name _;

    location / {
        # First attempt to serve request as file, then
        # as directory, then fall back to displaying a 404.
        try_files $uri $uri/ =404;
    }

    location /prometheus/ {
        auth_request /oauth2/auth;
        error_page 401 = /oauth2/sign_in;

        # pass information via X-User and X-Email headers to backend,
        # requires running with --set-xauthrequest flag
        auth_request_set $user $upstream_http_x_auth_request_user;
        auth_request_set $email $upstream_http_x_auth_request_email;
        proxy_set_header X-User $user;
        proxy_set_header X-Email $email;

        # if you enabled --cookie-refresh, this is needed for it to work with auth_request
        auth_request_set $auth_cookie $upstream_http_set_cookie;
        add_header Set-Cookie $auth_cookie;

        proxy_pass http://localhost/prometheus/;
    }

    location /oauth2/ {
        proxy_pass http://localhost:4180;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Scheme $scheme;
        proxy_set_header X-Auth-Request-Redirect $request_uri;
    }

    location = /oauth2/auth {
        proxy_pass http://localhost:4180;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Scheme $scheme;
        # nginx auth_request includes headers but not body
        proxy_set_header Content-Length "";
        proxy_pass_request_body off;
    }
}

oauth2-proxy.cfg

provider="oidc"
provider_display_name="Keycloak 2FA"
login_url="https://<myVM1domain/realms/<realmName/protocol/openid-connect/auth"
validate_url="https://<myVM1domain/realms/<realmName/protocol/openid-connect/userinfo"
profile_url="https://auth.keycloak/oauth2/userinfo"
client_id="prometheus"
client_secret="OoBxPTvzicKpQAGMdb89P2lu4kGnau0H"
redirect_url="https://<myVM2domain/oauth2/callback"
upstreams=["http://localhost:9090/prometheus/"] # My website server
###OIDC settings
#reverse_proxy=true
oidc_issuer_url="<myVM1domain/realms/<realmName"
insecure_oidc_allow_unverified_email=true

email_domains=["*"]
cookie_secret="AkaBxYPzIvMdQziWECV6Ow=="
http_address="127.0.0.1:4180"
whitelist_domains="<myVM2domain"
cookie_domains=["<myVM2domain"]
cookie_secure="false"
cookie_samesite="lax"
pass_authorization_header = true
pass_access_token = true
pass_user_headers = true
set_authorization_header = true
set_xauthrequest = true
cookie_refresh = "1m"
cookie_expire = "30m"
scope="openid email profile"

Steps To Reproduce

I mainly followed the instructions in this Stack Overflow thread https://stackoverflow.com/questions/70975460/is-there-a-way-to-configure-sso-oauth2-prometheus-via-nginx-ingress-and-oauth2-p and the oauth2 guide for the Keycloak instance.

The Keycloak process is working fine, so I think I have a mistake somewhere in my configs for the Prometheus/oauth2 setup.

@maxomizer maxomizer changed the title [Support]: Getting CRSF Token or cookie limit 4kb error [Support]: Getting CRSF cookie or cookie limit 4kb error Apr 2, 2024
maxomizer (Author) commented:

Does anyone have an idea where my problem could be?

phongpg284 commented:

@xcrementomaximum you can try switching to Redis storage instead: https://oauth2-proxy.github.io/oauth2-proxy/configuration/session_storage
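The server-side session store that the reply points to, as an added oauth2-proxy.cfg fragment (editor's example, not the reporter's config or the project's documentation); the Redis URL is an assumption, and the commented-out alternative at the end uses an option the thread does not mention.

```toml
# What the reporter runs today: the default cookie session store. With
# pass_access_token, pass_authorization_header and set_authorization_header
# all enabled, the access, ID and refresh tokens are serialised into the
# encrypted cookie, which is what pushes it past 4 KiB and makes oauth2-proxy
# split it into several cookies (the WARNING in the log).
# session_store_type = "cookie"      # implied when the key is absent

# Server-side session store: the browser cookie shrinks to a session ticket
# and the tokens are kept in Redis, so the 4 KiB limit no longer applies.
session_store_type = "redis"
redis_connection_url = "redis://127.0.0.1:6379"   # assumed: local Redis on the
                                                   # oauth2-proxy host; use an
                                                   # authenticated/TLS URL elsewhere

# The header-passing options keep working unchanged, because oauth2-proxy
# loads the tokens from Redis on every authenticated request.
pass_access_token = true
pass_authorization_header = true
set_authorization_header = true
set_xauthrequest = true

# The site is served with "listen 443 ssl", so the session cookie can carry
# the Secure attribute instead of the reporter's cookie_secure="false".
cookie_secure = true

# Alternative when Redis is not available and Prometheus does not need the
# tokens: stay on the cookie store but strip the OAuth tokens from the
# cookie, with the token-passing options turned off.
# session_cookie_minimal = true
# pass_access_token = false
# pass_authorization_header = false
# set_authorization_header = false
```

The 502 has a separate lead from the cookie warning: the error.log shows nginx connecting to upstream http://127.0.0.1:80/prometheus/, which matches the proxy_pass http://localhost/prometheus/ line in the nginx config rather than the port 9090 upstream configured in oauth2-proxy.cfg.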
