From eb31850470f66906fc5955da7983bfcee8fcdc2f Mon Sep 17 00:00:00 2001 From: "Christopher J. Ruwe" Date: Wed, 1 Apr 2020 19:06:33 +0000 Subject: [PATCH] clarify the nginx auth_request_set/set problem with proxy_pass (#454) * clarify the nginx auth_request_set/set problem with proxy_pass * reworded/extended as result of review --- docs/configuration/configuration.md | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/docs/configuration/configuration.md b/docs/configuration/configuration.md index df8cb876..1617e32c 100644 --- a/docs/configuration/configuration.md +++ b/docs/configuration/configuration.md @@ -317,7 +317,9 @@ server { } ``` -If you use ingress-nginx in Kubernetes (which includes the Lua module), you also can use the following configuration snippet for your Ingress: +When you use ingress-nginx in Kubernetes , you MUST use `kubernetes/ingress-nginx` (which includes the Lua module) and the following configuration snippet for your `Ingress`. +Variables set with `auth_request_set` are not `set`-able in plain nginx config when the location is processed via `proxy_pass` and then may only be processed by Lua. +Note that `nginxinc/kubernetes-ingress` does not include the Lua module. ```yaml nginx.ingress.kubernetes.io/auth-response-headers: Authorization @@ -332,6 +334,7 @@ nginx.ingress.kubernetes.io/configuration-snippet: | end } ``` +It is recommended to use `-session-store-type=redis` when expecting large sessions/OIDC tokens (_e.g._ with MS Azure). You have to substitute *name* with the actual cookie name you configured via --cookie-name parameter. If you don't set a custom cookie name the variable should be "$upstream_cookie__oauth2_proxy_1" instead of "$upstream_cookie_name_1" and the new cookie-name should be "_oauth2_proxy_1=" instead of "name_1=".
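Review bot: In the first hunk (@@ -317,7 +317,9 @@), the new opening sentence is circular and has a stray space before the comma: "When you use ingress-nginx in Kubernetes , you MUST use `kubernetes/ingress-nginx`". Since the point is to tell the two controllers apart, consider opening with something like "When you use an nginx-based ingress controller in Kubernetes, you MUST use `kubernetes/ingress-nginx`" and keeping the `nginxinc/kubernetes-ingress` contrast right next to it. The second added sentence is also hard to parse: in "and then may only be processed by Lua" it is unclear whether the subject is the variables or the location. Splitting it in two, one sentence stating that variables from `auth_request_set` cannot be used with `set` when the location is handled by `proxy_pass`, and one stating that Lua is therefore required to read them, would make the constraint unambiguous.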
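Review bot: In the second hunk (@@ -332,6 +334,7 @@), the added recommendation lands between the snippet's closing fence and the "You have to substitute *name*" paragraph that explains that snippet, so it interrupts the explanation; moving it after that paragraph would read better. The flag is written with a single dash (`-session-store-type=redis`) while the neighbouring context line uses a double dash (`--cookie-name`), so please pick one form for the document. The sentence also gives no reason for the recommendation or how it relates to the `_1` cookie handling in the snippet above; a short clause explaining why large sessions/OIDC tokens are a problem here would help readers decide whether they need it.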