NGINX ingress auth-url returning 404 but the endpoint exists

7/1/2019

Adding the annotation:

  annotations:
    nginx.ingress.kubernetes.io/auth-url: http://my-auth-service.my-api.svc.cluster.local:8080

...to my ingress rule causes a 500 response from the ingress controller (the ingress works without it).

The service exists and I can ssh into the ingress controller and CURL it, getting a response:

curl http://my-auth-service.my-api.svc.cluster.local:8080 Produces a 200 response.

I checked the ingress controller logs but it says that the service returned a 404. If I can CURL to the same URL why would it return a 404?

2019/07/01 20:26:11 [error] 558#558: *443367 auth request unexpected status: 404 while sending to client, client: 192.168.65.3, server: localhost, request: "GET /mocks HTTP/1.1", host: "localhost"

I'm not sure what to check to deterine the problem.

-- Neilos
docker
docker-for-windows
kubernetes
nginx-ingress

2 Answers

5/6/2020

FWIW, for future readers - I ran into the same problem, and after looking at my auth service logs, noticed nginx ingress' requests were appending a /_external-auth-xxxxxx path to the request url.

Here's where the ingress controller does it, in the source:

https://github.com/kubernetes/ingress-nginx/blob/master/internal/ingress/controller/template/template.go#L428

And how I'm handling it in my own auth service (a Elixir/Phoenix route):

get "/_external-auth*encoded_nginx_auth_url", TokenController, :index
-- oliverbarnes
Source: StackOverflow

7/2/2019

Here are the options you should check:

  1. Global External Authentication

According to this documentation:

By default the controller redirects all requests to an existing service that provides authentication if global-auth-url is set in the NGINX ConfigMap. If you want to disable this behavior for that ingress, you can use enable-global-auth: "false" in the NGINX ConfigMap. nginx.ingress.kubernetes.io/enable-global-auth: indicates if GlobalExternalAuth configuration should be applied or not to this Ingress rule. Default values is set to "true".

  1. Server Name Indication

Check your proxy_ssl_server_name setting in nginx. It indicates if HTTPS uses SNI or not and it is set to false by default.

Please let me know if that helped.

-- OhHiMark
Source: StackOverflow