[英]Upstream sent too big header while reading response header from upstream in Keycloak
I am trying to make an OIDC authentication/authorization against a keycloak server with an Android app I'm building.我正在尝试使用我正在构建的 Android 应用程序针对密钥斗篷服务器进行 OIDC 身份验证/授权。
I am getting the following error, which is leading me to receive a 502 in my application:我收到以下错误,导致我在我的应用程序中收到 502:
2019/08/15 00:29:04 [error] 31921#31921: *64410338 upstream sent too big header while reading response header from upstream, client: 192.168.4.61, server: stage.example.com, request: "GET /auth/realms/master/protocol/openid-connect/auth?client_id=example-mobile-android&redirect_uri=http%3A%2F%2Flocalhost%3A53978%2F%23%2Flogin&state=a627edff-c1a2-43d3-8c6e-e5635bcc2252&response_mode=fragment&response_type=id_token%20token&scope=openid&nonce=69967773-36ba-49b2-8dd8-a31fd36f412b&prompt=none HTTP/1.1", upstream: "http://192.168.4.147:8080/auth/realms/master/protocol/openid-connect/auth?client_id=example-mobile-android&redirect_uri=http%3A%2F%2Flocalhost%3A53978%2F%23%2Flogin&state=a627edff-c1a2-43d3-8c6e-e5635bcc2252&response_mode=fragment&response_type=id_token%20token&scope=openid&nonce=69967773-36ba-49b2-8dd8-a31fd36f412b&prompt=none", host: "www.example.com", referrer: "http://localhost:53978/"
I have tried both this:我已经尝试过这两个:
proxy_buffer_size 128k;
proxy_buffers 4 256k;
proxy_busy_buffers_size 256k;
as well as disabling the proxy buffer entirely.以及完全禁用代理缓冲区。
What could be going on?可能发生了什么? Do I expand my buffer further?
我是否进一步扩大缓冲区? Is there some other error I am not catching?
还有其他我没有发现的错误吗?
It depends what was added to access token. 这取决于添加到访问令牌的内容。 I have seen token with ~1MB size;
我已经看到了约1MB大小的令牌; it was extreme case, where token contains a lot of user groups/roles for authorization.
在极端情况下,令牌包含许多用于授权的用户组/角色。 Try to configure bigger buffer size.
尝试配置更大的缓冲区大小。
For this error, the one to blame is proxy_buffer_size
. 对于此错误,应该负责的是
proxy_buffer_size
。
I have a detailed writeup on it here . 我在这里有详细的文章。 Essentially, if you don't allocate enough buffers for NGINX to read response headers, then it will fail with this error.
本质上,如果您没有为NGINX分配足够的缓冲区来读取响应头,那么它将因该错误而失败。
If you can reconstruct request URL/headers in their entirety, you can calculate the required value for this parameter, eg: 如果您可以完整地重构请求URL /标题,则可以计算此参数所需的值,例如:
curl -s -w \%{size_header} -o /dev/null https://example.com
Either way, you will be raising it from the default value, and couple this with increasing proxy_busy_buffers_size
, and proxy_buffers
as well. 无论哪种方式,您都将从默认值提高它,并将其与增加
proxy_busy_buffers_size
和proxy_buffers
。
If you can't determine the size of response headers/body, then yes - keep increasing things gradually until it fixes the issue. 如果您无法确定响应标题/正文的大小,那么可以-逐步增加内容,直到解决问题为止。
Do not just set buffers to arbitrarily high values, because those buffers are per-connection and will make for higher RAM use. 不要仅仅将缓冲区设置为任意高的值,因为这些缓冲区是每个连接的,并且会增加RAM的使用量。
For that same reason, it's also best to create a separate location in NGINX with adjusted buffer values, so that larger buffers are used only there, without affecting the overall RAM usage by NGINX. 出于同样的原因,最好在NGINX中创建一个单独的位置,并调整缓冲区值,以便仅在此处使用较大的缓冲区,而又不影响NGINX的总体RAM使用量。
PS disabling proxy buffering won't help, because NGINX always buffers response headers :) PS禁用代理缓冲将无济于事,因为NGINX 总是缓冲响应头:)
I've updated Keycloak from v20.0.1
to v20.0.2
and got that HTTP 502 Error .我已经将Keycloak从
v20.0.1
更新到v20.0.2
并得到了HTTP 502 Error 。
I adjusted NGINX with these parameters:我用这些参数调整了 NGINX :
proxy_buffer_size 128k;
proxy_buffers 4 256k;
proxy_busy_buffers_size 256k;
location / {
proxy_pass http://localhost:8080;
proxy_read_timeout 90;
# proxy header
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_protocol_addr;
proxy_set_header X-Scheme $scheme;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Host $host;
# ws
proxy_http_version 1.1;
}
and it works now.现在可以用了。
For me, @danila-vershinin's answer is the proper one.对我来说,@danila-vershinin 的回答是正确的。
However, I would like to add my 50 cents here for the ones trying to configure it on Kube.netes.但是,我想在这里为那些试图在 Kube.netes 上配置它的人加上我的 50 美分。 I got it working on Keycloak 20.0.3 like this:
我让它在 Keycloak 20.0.3 上工作是这样的:
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: keycloak
namespace: keycloak
annotations:
nginx.ingress.kubernetes.io/proxy-buffers-number: "4"
nginx.ingress.kubernetes.io/proxy-buffer-size: "16k"
spec:
tls:
- hosts:
- my-keycloak.example.com
rules:
- host: my-keycloak.example.com
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: keycloak
port:
number: 80
Mind the annotations section.注意注释部分。
Also, as far as I understood here , proxy_busy_buffers_size is now calculated based on proxy_buffers' size.此外,据我了解,proxy_busy_buffers_size现在是根据 proxy_buffers 的大小计算的。
I hope it helps.我希望它有所帮助。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.