rabbitmq ui behind oauth2_proxy in kubernetes


rodrigo

Apr 24, 2019, 4:58:15 PM
to rabbitmq-users
Hello,

We have RabbitMQ deployed on Kubernetes and the management UI exposed via the nginx-ingress controller using basic-auth. Everything works well! The user enters the URL, say https://myrabbitmq.domain.com, receives the popup screen for basic-auth, enters credentials and is presented with the RabbitMQ UI login page https://myrabbitmq.domain.com/#/

Then, we introduced OAuth by using oauth2_proxy so users can get to the https://myrabbitmq.domain.com URL to access the RabbitMQ UI. The problem we are facing is that after the user enters the OAuth credentials (using Google), the redirect to the RabbitMQ UI for some reason is missing a / (forward slash), causing the URL to be https://myrabbitmq.domain.com/# instead of https://myrabbitmq.domain.com/#/, which causes the UI to malfunction. If we reload the URL https://myrabbitmq.domain.com or correct it by adding the extra / to get https://myrabbitmq.domain.com/#/, everything works. Similarly, if we close the browser and reopen the base URL https://myrabbitmq.domain.com, everything works fine.

So in summary, the problem is that the RabbitMQ UI JavaScript adds #/ to the URL but the last / is missing the first time the OAuth flow is executed. This is the ingress file:


apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: rabbitmq-ingress
  namespace: default
  annotations:
    nginx.ingress.kubernetes.io/auth-url: "https://$host/oauth2/auth"
    nginx.ingress.kubernetes.io/auth-signin: "https://$host/oauth2/start?rd=$escaped_request_uri"
    # Raw nginx directives for the location block: copy the extra cookie
    # set by the auth subrequest onto the response.
    nginx.ingress.kubernetes.io/configuration-snippet: |
      auth_request_set $name_upstream_1 $upstream_cookie_name_1;
      access_by_lua_block {
        if ngx.var.name_upstream_1 ~= "" then
          ngx.header["Set-Cookie"] = "name_1=" .. ngx.var.name_upstream_1 .. ngx.var.auth_cookie:match("(; .*)")
        end
      }
spec:
  rules:
    - http:
        paths:
          - backend:
              serviceName: rabbitmq
              servicePort: 15672
  tls:
    - secretName: my-tls
      hosts:
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: rabbitmq-ingress-api
  namespace: default
  annotations:
spec:
  rules:
    - http:
        paths:
          - backend:
              serviceName: rabbitmq
              servicePort: 15672
            path: /api
  tls:
    - secretName: my-tls
      hosts:
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: rabbitmq-ingress-oauth2-proxy
  namespace: default
  annotations:
spec:
  rules:
    - http:
        paths:
          - backend:
              serviceName: oauth2-proxy
              servicePort: http-port
            path: /oauth2
  tls:
    - secretName: my-tls
      hosts:


Please let me know if you have any questions and thanks in advance for any comments/suggestions.

Thanks!
Rodrigo

Michael Klishin

May 13, 2019, 5:18:15 PM
to rabbitmq-users
It sounds like a Kubernetes/OAuth 2 flow/Web browser behavior question to me, not something RabbitMQ management UI causes.


--
MK

Staff Software Engineer, Pivotal/RabbitMQ

Vincent Fiset

Jan 3, 2020, 10:30:30 AM
to rabbitmq-users
Hi, how did you end up solving this issue? Thanks