
I am using nginx-ingress in my cluster to expose certain services. I have an "auth" service that handles authentication, which I am trying to set up through nginx. Currently the service has a very simple GET endpoint that always responds with a UserId header and tries to set two cookies:

// This is implemented on Nest.js which uses express.js

@Get('*')
auth(@Res() res: Response): void {
  res.header('UserId', '1')

  res.cookie('key', 'value')
  res.cookie('x', 'y')

  res.status(200).send('hello')
}

I can confirm that both cookies are being set when I manually send a request to that endpoint, but when I set it as an annotation to the ingress:

nginx.ingress.kubernetes.io/auth-url: http://auth.dev.svc.cluster.local

and send a request through the ingress, only one of the cookies is forwarded to the response (the first one, key=value). I am not familiar with the nginx configuration. Is there something I am supposed to change to make this work, so that both cookies are set?

I found this issue on GitHub, but it seems to be about OAuth2, and there is no clear explanation of what I am supposed to change.

yisog

1 Answer

I couldn't find a way to make this work with the Set-Cookie header. Not sure if there is a better way, but here is a workaround:

I added a snippet for the location block that converts two headers to cookies:

nginx.ingress.kubernetes.io/configuration-snippet: |
  auth_request_set    $auth_cookie1 $upstream_http_x_header1;
  auth_request_set    $auth_cookie2 $upstream_http_x_header2;
  add_header          Set-Cookie $auth_cookie1;
  add_header          Set-Cookie $auth_cookie2;

And the auth() endpoint now responds with the X-Header1 and X-Header2 headers:

import { serialize } from 'cookie'

@Get('*')
auth(@Res() res: Response): void {
  res.header('UserId', '1')

  res.header('X-Header1', serialize('key', 'value'))
  res.header('X-Header2', serialize('x', 'y'))

  res.status(200).send('hello')
}

Everything seems to be working well, and this solution is similar to how nginx adds the Set-Cookie header, which doesn't support multiple cookies. The code below is copied from the nginx.conf file in the nginx-controller pod that nginx-ingress creates.

auth_request_set    $auth_cookie $upstream_http_set_cookie;
add_header          Set-Cookie $auth_cookie;
yisog
  • This does not work and has never been properly implemented in nginx; even with 1.25 this does not work. IMHO the only way right now is using Lua, see the answer in https://stackoverflow.com/a/69860918/3625317 - the limitations are that you need Lua and it is so far HTTP/1 compatible only – Eugen Mayer Jul 09 '23 at 09:09
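
Added example, not part of the original question, answer or comment: a dependency-free sketch of both sides of the X-Header1/X-Header2 workaround from the answer, with the cookie attributes a session cookie normally needs and a guard against sending more cookies than the snippet has slots for. `SLOTS`, `CookieSpec` and the function names are hypothetical, and `ingressSetCookies` is only a model of the configuration snippet, not nginx itself.

```typescript
type CookieSpec = { name: string; value: string; maxAgeSeconds?: number };

// Assumption: must equal the number of auth_request_set/add_header pairs
// in the configuration-snippet (two in the answer above).
const SLOTS = 2;

// Cookie names are restricted to HTTP token characters (no separators or CTLs).
const NAME_RE = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/;

// Serialize one cookie with hardened attributes.
function serializeHardened(c: CookieSpec): string {
  if (!NAME_RE.test(c.name)) {
    throw new Error("invalid cookie name: " + JSON.stringify(c.name));
  }
  // encodeURIComponent escapes CR, LF, ';' and ',', so a value can neither
  // split the response header nor append attributes of its own.
  let out = c.name + "=" + encodeURIComponent(c.value) +
    "; Path=/; HttpOnly; Secure; SameSite=Lax";
  if (c.maxAgeSeconds !== undefined) {
    out += "; Max-Age=" + Math.floor(c.maxAgeSeconds);
  }
  return out;
}

// Auth-service side: one X-Header<N> response header per cookie.
function toAuthHeaders(cookies: CookieSpec[]): Record<string, string> {
  if (cookies.length > SLOTS) {
    // A cookie without a matching auth_request_set line would be dropped silently.
    throw new Error("ingress snippet forwards only " + SLOTS + " cookies");
  }
  const headers: Record<string, string> = {};
  cookies.forEach((c, i) => {
    headers["X-Header" + (i + 1)] = serializeHardened(c);
  });
  return headers;
}

// Ingress side (model): each $upstream_http_x_header<N> becomes one Set-Cookie.
// A variable that is empty produces no header, since add_header skips empty values.
function ingressSetCookies(authHeaders: Record<string, string>): string[] {
  const out: string[] = [];
  for (let i = 1; i <= SLOTS; i++) {
    const v = authHeaders["X-Header" + i];
    if (v) out.push(v);
  }
  return out;
}
```

In nginx, `add_header` without the `always` parameter is applied only to a fixed set of success and redirect status codes, so cookies forwarded this way do not appear on error responses from the protected service.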