[英]Why am I getting "upstream server temporarily disabled while reading response header from upstream"?
I have deployed NGINX Plus Ingress controller on AWS EKS, in front of the ingress I have deployed a.network load balancer (NLB).我在 AWS EKS 上部署了 NGINX Plus Ingress controller,在 Ingress 之前我部署了一个网络负载均衡器 (NLB)。 I have set up a user pool in AWS Cognito and set up JWT validation in NGINX according to the instructions here https://docs.nginx.com/nginx/admin-guide/security-controls/configuring-jwt-authentication/#getting-jwks-from-subrequest .
我已经在 AWS Cognito 中设置了一个用户池,并根据此处的说明在 NGINX 中设置了 JWT 验证https://docs.nginx.com/nginx/admin-guide/security-controls/configuring-jwt-authentication/#getting -jwks-来自子请求。
auth_jwt "closed";
auth_jwt_type signed;
auth_jwt_key_cache 1h;
auth_jwt_key_request /jwks_uri;
...
location = /jwks_uri {
internal;
proxy_pass https://cognito-idp.{region}.amazonaws.com/{userPoolId}/.well-known/jwks.json;
}
I have tried all kinds of proxy settings - everything from increasing time outs, setting proxy_method GET, stripping headers but nothing seems to help.我尝试了各种代理设置 - 从增加超时、设置 proxy_method GET、剥离标头,但似乎没有任何帮助。 I also cut the sub request part out of the equation by just adding
我还通过添加将子请求部分从等式中删除
location /jwks_uri {
proxy_pass https://cognito-idp.{region}.amazonaws.com/{userPoolId}/.well-known/jwks.json;
}
Requests there succeed, so I don't think it's a firewall issue.那里的请求成功了,所以我不认为这是防火墙问题。
When I fire off the request with a valid JWT issued by Cognito in the Authorization header, if I wait more than a minute I eventually get a 502 response.当我使用 Cognito 在授权 header 中发出的有效 JWT 发出请求时,如果我等待超过一分钟,我最终会收到 502 响应。 In the NGINX logs I can see
在 NGINX 日志中我可以看到
2022/11/24 08:47:55 [warn] 56#56: *19 upstream server temporarily disabled while reading response header from upstream, client: 10.10.20.57, server: <server>, request: "POST /graphql HTTP/1.1", subrequest: "/jwks_uri", upstream: <jwks-uri>", host: <host
This seems to happen when NGINX attempts the sub request to fetch jwks keys from AWS from https://cognito-idp.{region}.amazonaws.com/{userPoolId}/.well-known/jwks.json这似乎发生在 NGINX 尝试子请求从 https://cognito-idp.{region}.amazonaws.com/{userPoolId}/.well-known/jwks.json 从 AWS 获取 jwks 密钥时
The original request was a POST and I needed to add the following proxy settings in order for the subrequest to sufficiently convert to a GET原始请求是 POST,我需要添加以下代理设置,以便子请求充分转换为 GET
location = /jwks_uri {
internal;
proxy_method GET;
proxy_set_header Host {idp}.{region}.amazonaws.com;
proxy_set_header Content-Length "";
proxy_pass https://cognito-idp.{region}.amazonaws.com/{userPoolId}/.well-known/jwks.json;
}
Posting in case someone else runs into the same issue.发布以防其他人遇到同样的问题。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.