WingNews logo WingNews
top | item 43073858

(no title)

uriah | 1 year ago

With nginx I'm assuming you would use something like Vouch or oauth2-proxy? Something like the architecture described here:

https://github.com/vouch/vouch-proxy?tab=readme-ov-file#what...

Can't speak for caddy-security, but the forward_auth feature is the caddy equivalent to nginx's auth_request

discuss

order

mdaniel|1 year ago

Just watch out when using oauth2-proxy because its default session storage using cookies can easily blow out the header size of nginx leading to the dreaded 400 header too large

One fix is moving session storage to redis <https://oauth2-proxy.github.io/oauth2-proxy/configuration/se...> and the other (if you have control over the nginx config) is bumping its allowed header size "large_client_header_buffers 4 128k;" <https://nginx.org/en/docs/http/ngx_http_core_module.html#lar...>

If you're using nginx as an ingress controller, the annotations support it: <https://kubernetes.github.io/ingress-nginx/user-guide/nginx-...> and/or auth-snippet <https://kubernetes.github.io/ingress-nginx/user-guide/nginx-...>

justin_oaks|1 year ago

Thanks for the heads-up.

I'm curious at what would be stored in the session to make it large enough to be a problem, but it's good to know to watch out for it.

justin_oaks|1 year ago

Thanks. I've used oauth2-proxy with NGINX. So I could try to set up oauth2-proxy with Caddy in a similar way.