
Nginx ModSecurity WAF with OAuth2 Proxy does not work with http/2 #1932

Closed
@logicfox

Description


Is this a request for help? (If yes, you should use our troubleshooting guide and community support channels, see https://kubernetes.io/docs/tasks/debug-application-cluster/troubleshooting/.): No

What keywords did you search in NGINX Ingress controller issues before filing this one? (If you have found any duplicates, you should instead reply there.): waf, oauth2

Is this a BUG REPORT or FEATURE REQUEST? (choose one): Bug report

NGINX Ingress controller version: 0.9.0

Kubernetes version (use kubectl version): 1.8.2

Environment:

  • Cloud provider or hardware configuration: Azure AKS
  • OS (e.g. from /etc/os-release): Ubuntu (on nodes, managed master)
  • Kernel (e.g. uname -a):
  • Install tools:
  • Others: Nginx Ingress Controller 0.9.0, bit.ly oauth2_proxy, Google Chrome, Mozilla Firefox, curl

The AKS cluster is configured with nginx-ingress v0.9.0, installed from the master branch with the manifests. The cluster also runs github.com/kubernetes-incubator/external-dns to register sub-domains and github.com/jetstack/kube-lego to obtain Let's Encrypt certificates. We have set up external-auth based on the example provided at github.com/kubernetes/ingress-nginx/tree/master/docs/examples/external-auth to authenticate with Azure AD. To screen malicious requests, we enabled the ModSecurity WAF with the standard OWASP rules and paranoia level 1.

What happened: Requests made over HTTP 2.0 to applications that are secured by oauth2_proxy do not receive requests when the WAF is enabled. The request just hangs until the connection times out. However, everything works normally over HTTP 1.1. The behavior is completely normal if the WAF is disabled.

| WAF      | OAuth    | HTTP | Does it work? |
|----------|----------|------|---------------|
| Enabled  | Enabled  | 1.1  | Yes           |
| Disabled | Enabled  | 1.1  | Yes           |
| Enabled  | Disabled | 1.1  | Yes           |
| Disabled | Disabled | 1.1  | Yes           |
| Enabled  | Enabled  | 2    | No            |
| Disabled | Enabled  | 2    | Yes           |
| Enabled  | Disabled | 2    | Yes           |
| Disabled | Disabled | 2    | Yes           |

What you expected to happen: Application receives requests after being filtered by the WAF and authenticated by oauth2_proxy, irrespective of HTTP protocol version. All traffic is over SSL/TLS until termination at the ingress controller.

How to reproduce it (as minimally and precisely as possible): Set up a Kubernetes cluster with Nginx Ingress Controller, TLS termination and oauth2_proxy as an external auth provider. Enable the ModSecurity WAF per the documentation and attempt to access the application over HTTP/2. Notice that the request hangs, and the stdout logs of the Nginx and oauth2_proxy pods print only when the connection terminates.

Anything else we need to know: HTTP 1.1 works without issue. HTTP/2 fails when the ModSecurity WAF and external authentication with oauth2_proxy are both enabled.
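A small probe for reproducing the matrix above from the client side, added here as an example and not part of the issue or of ingress-nginx. It assumes `URL` is a host routed through the ingress with oauth2_proxy in front, `COOKIE` is a valid oauth2_proxy session cookie (both constructed placeholders), and that curl was built with HTTP/2 support; the WAF and auth toggles themselves are flipped on the ingress side between runs.

```shell
#!/bin/sh
# Probe one URL over HTTP/1.1 and HTTP/2 with a hard timeout and classify each
# attempt. Placeholders below are constructed; override them via the environment.
URL="${URL:-https://app.example.invalid/}"
COOKIE="${COOKIE:-_oauth2_proxy=PLACEHOLDER}"
MAX_TIME="${MAX_TIME:-15}"   # seconds before a silent request counts as a hang

# Turn curl's exit status and the HTTP status it saw into one verdict.
#   exit 28       -> curl's operation-timeout code: the hang described above
#   exit 0        -> a response arrived; 2xx is OK, a 302 typically means the
#                    cookie was not accepted and the ingress redirected to sign-in
#   anything else -> a different failure (DNS, TLS, ...) to look at separately
classify() {
  rc="$1"; code="$2"
  case "$rc" in
    0)  case "$code" in
          2*)  echo OK ;;
          302) echo REDIRECT_TO_SIGNIN ;;
          *)   echo "HTTP_$code" ;;
        esac ;;
    28) echo HANG ;;
    *)  echo "CURL_ERROR_$rc" ;;
  esac
}

# Run one request with the given protocol flag (--http1.1 or --http2).
probe() {
  rc=0
  code=$(curl -s -o /dev/null -w '%{http_code}' "$1" --max-time "$MAX_TIME" \
              -H "Cookie: $COOKIE" "$URL" 2>/dev/null) || rc=$?
  classify "$rc" "${code:-000}"
}

# Only probe when asked, so the functions can be sourced without network access.
if [ "${PROBE_RUN:-0}" = 1 ]; then
  for flag in --http1.1 --http2; do
    printf '%-10s %s\n' "$flag" "$(probe "$flag")"
  done
fi
```

Run with `PROBE_RUN=1 URL=https://your-host/ COOKIE='_oauth2_proxy=...' sh probe.sh` once per row of the table; a `HANG` on `--http2` next to `OK` on `--http1.1` is the failure mode reported here.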

Labels: lifecycle/rotten