[英]NGINX ingress auth-url returning 404 but the endpoint exists
Adding the annotation:添加注释:
annotations:
nginx.ingress.kubernetes.io/auth-url: http://my-auth-service.my-api.svc.cluster.local:8080
...to my ingress rule causes a 500 response from the ingress controller (the ingress works without it). ...到我的入口规则会导致来自入口控制器的 500 响应(入口在没有它的情况下工作)。
The service exists and I can ssh into the ingress controller and CURL it, getting a response:该服务存在,我可以通过 ssh 进入入口控制器并对其进行 CURL,得到响应:
curl http://my-auth-service.my-api.svc.cluster.local:8080
Produces a 200 response. curl http://my-auth-service.my-api.svc.cluster.local:8080
产生 200 响应。
I checked the ingress controller logs but it says that the service returned a 404
.我检查了入口控制器日志,但它说该服务返回了
404
。 If I can CURL to the same URL why would it return a 404
?如果我可以 CURL 到相同的 URL 为什么会返回
404
?
2019/07/01 20:26:11 [error] 558#558: *443367 auth request unexpected status: 404 while sending to client, client: 192.168.65.3, server: localhost, request: "GET /mocks HTTP/1.1", host: "localhost"
I'm not sure what to check to deterine the problem.我不确定要检查什么来确定问题。
FWIW, for future readers - I ran into the same problem, and after looking at my auth service logs, noticed nginx ingress' requests were appending a /_external-auth-xxxxxx path to the request url. FWIW,对于未来的读者 - 我遇到了同样的问题,在查看了我的身份验证服务日志后,注意到 nginx ingress 的请求正在向请求 url 附加一个 /_external-auth-xxxxxx 路径。
Here's where the ingress controller does it, in the source:这是入口控制器在源代码中执行此操作的地方:
https://github.com/kubernetes/ingress-nginx/blob/master/internal/ingress/controller/template/template.go#L428 https://github.com/kubernetes/ingress-nginx/blob/master/internal/ingress/controller/template/template.go#L428
And how I'm handling it in my own auth service (a Elixir/Phoenix route):以及我如何在自己的身份验证服务中处理它(Elixir/Phoenix 路线):
get "/_external-auth*encoded_nginx_auth_url", TokenController, :index
Here are the options you should check:以下是您应该检查的选项:
According to this documentation :根据此文档:
By default the controller redirects all requests to an existing service that provides authentication if global-auth-url is set in the NGINX ConfigMap.
默认情况下,如果在 NGINX ConfigMap 中设置了 global-auth-url,控制器会将所有请求重定向到提供身份验证的现有服务。 If you want to disable this behavior for that ingress, you can use enable-global-auth: "false" in the NGINX ConfigMap.
如果您想为该入口禁用此行为,您可以在 NGINX ConfigMap 中使用 enable-global-auth: "false"。 nginx.ingress.kubernetes.io/enable-global-auth: indicates if GlobalExternalAuth configuration should be applied or not to this Ingress rule.
nginx.ingress.kubernetes.io/enable-global-auth:指示是否应将 GlobalExternalAuth 配置应用于此 Ingress 规则。 Default values is set to "true".
默认值设置为“true”。
Check your proxy_ssl_server_name
setting in nginx.检查 nginx 中的
proxy_ssl_server_name
设置。 It indicates if HTTPS uses SNI or not and it is set to false by default.它指示 HTTPS 是否使用 SNI,默认设置为 false。
Please let me know if that helped.如果这有帮助,请告诉我。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.