NGINX背后的.Net内核在通过IdentityServer 4身份验证后返回502坏网关_Nginx_.net Core_Identityserver4_Kestrel Http Server

NGINX背后的.Net内核在通过IdentityServer 4身份验证后返回502坏网关

nginx .net-core identityserver4

NGINX背后的.Net内核在通过IdentityServer 4身份验证后返回502坏网关,nginx,.net-core,identityserver4,kestrel-http-server,Nginx,.net Core,Identityserver4,Kestrel Http Server,拥有两个应用程序auth和store，并使用IdentityServer4进行身份验证，这两个应用程序都支持NGINX store应用程序成功地进行了身份验证，但从auth应用程序返回后，我们从NGINX获得了502坏网关知道这里出了什么问题吗验证应用程序日志： info: Microsoft.AspNetCore.Hosting.Internal.WebHost[2] Request finished in 117.7292ms 200 text/html; charset=U

拥有两个应用程序auth和store，并使用IdentityServer4进行身份验证，这两个应用程序都支持NGINX

store应用程序成功地进行了身份验证，但从auth应用程序返回后，我们从NGINX获得了502坏网关

知道这里出了什么问题吗

验证应用程序日志：

info: Microsoft.AspNetCore.Hosting.Internal.WebHost[2]
      Request finished in 117.7292ms 200 text/html; charset=UTF-8
info: Microsoft.AspNetCore.Hosting.Internal.WebHost[1]
      Request starting HTTP/1.0 POST http://auth.example.com/connect/token application/x-www-form-urlencoded 279
info: IdentityServer4.Hosting.IdentityServerMiddleware[0]
      Invoking IdentityServer endpoint: IdentityServer4.Endpoints.TokenEndpoint for /connect/token
info: IdentityServer4.Validation.TokenRequestValidator[0]
      Token request validation success
      {
        "ClientId": "ExampleStore",
        "ClientName": "Example Web Store",
        "GrantType": "authorization_code",
        "AuthorizationCode": "6fab1723...",
        "Raw": {
          "client_id": "ExampleStore",
          "client_secret": "***REDACTED***",
          "code": "6fab1723...",
          "grant_type": "authorization_code",
          "redirect_uri": "https://store.example.com/signin-oidc"
        }
      }
info: Microsoft.AspNetCore.Hosting.Internal.WebHost[2]
      Request finished in 182.8022ms 200 application/json; charset=UTF-8
info: Microsoft.AspNetCore.Hosting.Internal.WebHost[1]
      Request starting HTTP/1.0 GET http://auth.example.com/connect/userinfo
info: IdentityServer4.Hosting.IdentityServerMiddleware[0]
      Invoking IdentityServer endpoint: IdentityServer4.Endpoints.UserInfoEndpoint for /connect/userinfo
info: IdentityServer4.ResponseHandling.UserInfoResponseGenerator[0]
      Profile service returned to the following claim types: sub preferred_username name
info: Microsoft.AspNetCore.Hosting.Internal.WebHost[2]
      Request finished in 57.1394ms 200 application/json; charset=UTF-8

商店应用程序日志：

info: Microsoft.AspNetCore.Authorization.DefaultAuthorizationService[2]
      Authorization failed for user: (null).
info: Microsoft.AspNetCore.Mvc.Internal.ControllerActionInvoker[3]
      Authorization failed for the request at filter 'Microsoft.AspNetCore.Mvc.Authorization.AuthorizeFilter'.
info: Microsoft.AspNetCore.Mvc.ChallengeResult[1]
      Executing ChallengeResult with authentication schemes ().
info: Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectHandler[12]
      AuthenticationScheme: oidc was challenged.
info: Microsoft.AspNetCore.Mvc.Internal.ControllerActionInvoker[2]
      Executed action Nihonto.Web.Store.Controllers.UserController.Login (Nihonto.Web.Store) in 8.1968ms
info: Microsoft.AspNetCore.ResponseCaching.ResponseCachingMiddleware[27]
      The response could not be cached for this request.
info: Microsoft.AspNetCore.Hosting.Internal.WebHost[2]
      Request finished in 11.2816ms 302
info: Microsoft.AspNetCore.Hosting.Internal.WebHost[1]
      Request starting HTTP/1.0 POST http://store.example.com/signin-oidc application/x-www-form-urlencoded 1485
info: Microsoft.AspNetCore.Authentication.Cookies.CookieAuthenticationHandler[10]
      AuthenticationScheme: ExampleCookie signed in.
info: Microsoft.AspNetCore.Hosting.Internal.WebHost[2]
      Request finished in 301.361ms 302

有关此问题的更多信息，请参见此处：

问题已解决。NGINX似乎不允许大标题内容。在此帮助中，我们设置了以下属性：

nginx.conf

http{
...
proxy_buffer_size   128k;
proxy_buffers   4 256k;
proxy_busy_buffers_size   256k;
large_client_header_buffers 4 16k;
...
}

default.conf

location /{
    ...
    fastcgi_buffers 16 16k;
    fastcgi_buffer_size 32k;
    ...
}

想知道是否有任何方法可以配置IdentityServer以发送更小的标题内容

还可以配置注释：

  annotations:
    kubernetes.io/ingress.class: "nginx"    
    nginx.ingress.kubernetes.io/proxy-buffering: "on"
    nginx.ingress.kubernetes.io/proxy-buffer-size: "128k"
    nginx.ingress.kubernetes.io/proxy-buffers-number: "4"

因此，您可以将它们添加到现有的ingress.yaml中，例如：

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: ingress-production
  namespace: ingress-nginx
  annotations:
    kubernetes.io/ingress.class: "nginx"    
    nginx.ingress.kubernetes.io/proxy-buffering: "on"
    nginx.ingress.kubernetes.io/proxy-buffer-size: "128k"
    nginx.ingress.kubernetes.io/proxy-buffers-number: "4"
    certmanager.k8s.io/issuer: "letsencrypt-production"
spec:
  tls:
  - hosts:
    - example.com
    secretName: example-tls
  rules:
  - host: example.com
    http:
      paths:
      - path: /
        backend:
          serviceName: example-app
          servicePort: 80

NGINX中的默认设置对于标头大小来说很小。即使是很长的查询URL也会引起同样的问题。@Guerrilla，我知道。但是我们怎样才能解决它呢？有什么建议吗？这只是安装NGINX时需要更改的内容之一。我这样做的方式是，我有自己的基本conf文件，其中包含缓存规则和安全性，并将它们作为起点。根据您管理服务器的方式，您可能希望查看配置脚本。您是否在Azure中使用应用程序网关托管此脚本？在这种情况下，您是如何设置这些属性的？@peco否，它在Ubuntu服务器上。是的，注释工作得非常完美。这看起来是一个很好的解决方案，在Kubernetes环境中使用Helm部署nginx时效果也很好。