NGINX背后的.Net内核在通过IdentityServer 4身份验证后返回502坏网关
拥有两个应用程序auth和store,并使用IdentityServer4进行身份验证,这两个应用程序都支持NGINX store应用程序成功地进行了身份验证,但从auth应用程序返回后,我们从NGINX获得了502坏网关 知道这里出了什么问题吗 验证应用程序日志:NGINX背后的.Net内核在通过IdentityServer 4身份验证后返回502坏网关,nginx,.net-core,identityserver4,kestrel-http-server,Nginx,.net Core,Identityserver4,Kestrel Http Server,拥有两个应用程序auth和store,并使用IdentityServer4进行身份验证,这两个应用程序都支持NGINX store应用程序成功地进行了身份验证,但从auth应用程序返回后,我们从NGINX获得了502坏网关 知道这里出了什么问题吗 验证应用程序日志: info: Microsoft.AspNetCore.Hosting.Internal.WebHost[2] Request finished in 117.7292ms 200 text/html; charset=U
info: Microsoft.AspNetCore.Hosting.Internal.WebHost[2]
Request finished in 117.7292ms 200 text/html; charset=UTF-8
info: Microsoft.AspNetCore.Hosting.Internal.WebHost[1]
Request starting HTTP/1.0 POST http://auth.example.com/connect/token application/x-www-form-urlencoded 279
info: IdentityServer4.Hosting.IdentityServerMiddleware[0]
Invoking IdentityServer endpoint: IdentityServer4.Endpoints.TokenEndpoint for /connect/token
info: IdentityServer4.Validation.TokenRequestValidator[0]
Token request validation success
{
"ClientId": "ExampleStore",
"ClientName": "Example Web Store",
"GrantType": "authorization_code",
"AuthorizationCode": "6fab1723...",
"Raw": {
"client_id": "ExampleStore",
"client_secret": "***REDACTED***",
"code": "6fab1723...",
"grant_type": "authorization_code",
"redirect_uri": "https://store.example.com/signin-oidc"
}
}
info: Microsoft.AspNetCore.Hosting.Internal.WebHost[2]
Request finished in 182.8022ms 200 application/json; charset=UTF-8
info: Microsoft.AspNetCore.Hosting.Internal.WebHost[1]
Request starting HTTP/1.0 GET http://auth.example.com/connect/userinfo
info: IdentityServer4.Hosting.IdentityServerMiddleware[0]
Invoking IdentityServer endpoint: IdentityServer4.Endpoints.UserInfoEndpoint for /connect/userinfo
info: IdentityServer4.ResponseHandling.UserInfoResponseGenerator[0]
Profile service returned to the following claim types: sub preferred_username name
info: Microsoft.AspNetCore.Hosting.Internal.WebHost[2]
Request finished in 57.1394ms 200 application/json; charset=UTF-8
商店应用程序日志:
info: Microsoft.AspNetCore.Authorization.DefaultAuthorizationService[2]
Authorization failed for user: (null).
info: Microsoft.AspNetCore.Mvc.Internal.ControllerActionInvoker[3]
Authorization failed for the request at filter 'Microsoft.AspNetCore.Mvc.Authorization.AuthorizeFilter'.
info: Microsoft.AspNetCore.Mvc.ChallengeResult[1]
Executing ChallengeResult with authentication schemes ().
info: Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectHandler[12]
AuthenticationScheme: oidc was challenged.
info: Microsoft.AspNetCore.Mvc.Internal.ControllerActionInvoker[2]
Executed action Nihonto.Web.Store.Controllers.UserController.Login (Nihonto.Web.Store) in 8.1968ms
info: Microsoft.AspNetCore.ResponseCaching.ResponseCachingMiddleware[27]
The response could not be cached for this request.
info: Microsoft.AspNetCore.Hosting.Internal.WebHost[2]
Request finished in 11.2816ms 302
info: Microsoft.AspNetCore.Hosting.Internal.WebHost[1]
Request starting HTTP/1.0 POST http://store.example.com/signin-oidc application/x-www-form-urlencoded 1485
info: Microsoft.AspNetCore.Authentication.Cookies.CookieAuthenticationHandler[10]
AuthenticationScheme: ExampleCookie signed in.
info: Microsoft.AspNetCore.Hosting.Internal.WebHost[2]
Request finished in 301.361ms 302
有关此问题的更多信息,请参见此处:问题已解决。NGINX似乎不允许大标题内容。在此帮助中,我们设置了以下属性: nginx.conf
http{
...
proxy_buffer_size 128k;
proxy_buffers 4 256k;
proxy_busy_buffers_size 256k;
large_client_header_buffers 4 16k;
...
}
default.conf
location /{
...
fastcgi_buffers 16 16k;
fastcgi_buffer_size 32k;
...
}
想知道是否有任何方法可以配置IdentityServer以发送更小的标题内容 还可以配置注释:
annotations:
kubernetes.io/ingress.class: "nginx"
nginx.ingress.kubernetes.io/proxy-buffering: "on"
nginx.ingress.kubernetes.io/proxy-buffer-size: "128k"
nginx.ingress.kubernetes.io/proxy-buffers-number: "4"
因此,您可以将它们添加到现有的ingress.yaml中,例如:
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: ingress-production
namespace: ingress-nginx
annotations:
kubernetes.io/ingress.class: "nginx"
nginx.ingress.kubernetes.io/proxy-buffering: "on"
nginx.ingress.kubernetes.io/proxy-buffer-size: "128k"
nginx.ingress.kubernetes.io/proxy-buffers-number: "4"
certmanager.k8s.io/issuer: "letsencrypt-production"
spec:
tls:
- hosts:
- example.com
secretName: example-tls
rules:
- host: example.com
http:
paths:
- path: /
backend:
serviceName: example-app
servicePort: 80
NGINX中的默认设置对于标头大小来说很小。即使是很长的查询URL也会引起同样的问题。@Guerrilla,我知道。但是我们怎样才能解决它呢?有什么建议吗?这只是安装NGINX时需要更改的内容之一。我这样做的方式是,我有自己的基本conf文件,其中包含缓存规则和安全性,并将它们作为起点。根据您管理服务器的方式,您可能希望查看配置脚本。您是否在Azure中使用应用程序网关托管此脚本?在这种情况下,您是如何设置这些属性的?@peco否,它在Ubuntu服务器上。是的,注释工作得非常完美。这看起来是一个很好的解决方案,在Kubernetes环境中使用Helm部署nginx时效果也很好。