Skip to content

VP + Nginx getting 400 bad request when login and 400 bad request when auth #590

New issue
New issue
Open
Open
VP + Nginx getting 400 bad request when login and 400 bad request when auth#590
@ranmalka-cs

Description

@ranmalka-cs
ranmalka-cs
opened on Feb 12, 2025

Hi,

I am using the latest version of nginx + vouch

I configured that with the latest example, but when I am trying to get to https://vouch.mydomain.com/login /auth I am getting 400

config.yaml

# bare minimum to get vouch running with google

#testing: true
#logLevel: debug
vouch:
  #vouch.testing: true
  logLevel: debug
  #testing: true
  domains:
  - mydomain.com
  cookie:
    secure: true
    domain: mydomain.com

oauth:
  provider: google
  # get credentials from...
  # https://console.developers.google.com/apis/credentials
  client_id: XXXX
  client_secret: XXXXX
  callback_urls:
    - https://vouch.mydomain.com/auth
  preferredDomain: mydomain.com
  # endpoints set from https://godoc.org/golang.org/x/oauth2/google````

nginx.conf
`    server { 
        # Setting vouch behind SSL allows you to use the Secure flag for cookies.
        listen 443 ssl http2;
        server_name vouch.mydomain.com;

        ssl_certificate /etc/letsencrypt/live/wildcard.mydomain.com-cert.pem;
        ssl_certificate_key /etc/letsencrypt/live/wildcard.mydomain.com-privkey.pem;

        location / {
        proxy_pass http://127.0.0.1:9090;
        # be sure to pass the original host header
        proxy_set_header Host $http_host;
        }
    }`''

`    server { #splunk
        listen 443 ssl http2;
        server_name splunk.mydomain.com;
        #root /var/www/html/;

        ssl_certificate /etc/letsencrypt/live/wildcard.mydomain.com-cert.pem;
        ssl_certificate_key /etc/letsencrypt/live/wildcard.mydomain.com-privkey.pem;


        # send all requests to the `/validate` endpoint for authorization
        auth_request /validate;

        location = /validate {
        # forward the /validate request to Vouch Proxy
        proxy_pass http://127.0.0.1:9090/validate;

        # be sure to pass the original host header
        proxy_set_header Host $http_host;

        # Vouch Proxy only acts on the request headers
        proxy_pass_request_body off;
        proxy_set_header Content-Length "";

        # optionally add X-Vouch-User as returned by Vouch Proxy along with the request
        auth_request_set $auth_resp_x_vouch_user $upstream_http_x_vouch_user;

        # these return values are used by the @error401 call
        auth_request_set $auth_resp_jwt $upstream_http_x_vouch_jwt;
        auth_request_set $auth_resp_err $upstream_http_x_vouch_err;
        auth_request_set $auth_resp_failcount $upstream_http_x_vouch_failcount;
        }

        # if validate returns `401 not authorized` then forward the request to the error401block
        error_page 401 = @error401;

        location @error401 {
            # redirect to Vouch Proxy for login
            return 302 https://vouch.mydomain.com/login?url=$scheme://$http_host$request_uri&vouch-failcount=$auth_resp_failcount&X-Vouch-Token=$auth_resp_jwt&error=$auth_resp_err;
        }

        # proxy pass authorized requests to your service
        location / {
        # forward authorized requests to your service protectedapp.yourdomain.com
        proxy_pass http://<ipaddress>:8000;
        # you may need to set these variables in this block as per https://github.com/vouch/vouch-proxy/issues/26#issuecomment-425215810
        #    auth_request_set $auth_resp_x_vouch_user $upstream_http_x_vouch_user;
        #    auth_request_set $auth_resp_x_vouch_idp_claims_groups $upstream_http_x_vouch_idp_claims_groups;
        #    auth_request_set $auth_resp_x_vouch_idp_claims_given_name $upstream_http_x_vouch_idp_claims_given_name;

        # set user header (usually an email)
        proxy_set_header X-Vouch-User $auth_resp_x_vouch_user;
        # optionally pass any custom claims you are tracking
        #     proxy_set_header X-Vouch-IdP-Claims-Groups $auth_resp_x_vouch_idp_claims_groups;
        #     proxy_set_header X-Vouch-IdP-Claims-Given_Name $auth_resp_x_vouch_idp_claims_given_name;
        # optionally pass the accesstoken or idtoken
        #     proxy_set_header X-Vouch-IdP-AccessToken $auth_resp_x_vouch_idp_accesstoken;
        #     proxy_set_header X-Vouch-IdP-IdToken $auth_resp_x_vouch_idp_idtoken;
        }
    }`


logs
`{"level":"debug","ts":1739350217.9365466,"msg":"/login callback_url set to https://vouch.mydomain.com/auth"}
{"level":"info","ts":1739350217.9366372,"msg":"|302|  282.953µs /login","statusCode":302,"request":6034,"latency":0.000282953,"avgLatency":0.000168353,"ipPort":"127.0.0.1:52312","method":"GET","host":"vouch.mydomain.com","path":"/login","referer":""}

{"level":"debug","ts":1739350472.9453218,"msg":"/auth"}
{"level":"warn","ts":1739350472.945402,"msg":"/auth: could not find state in query "}
{"level":"info","ts":1739350472.9455986,"msg":"|400|   228.47µs /auth","statusCode":400,"request":6721,"latency":0.00022847,"avgLatency":0.000253738,"ipPort":"127.0.0.1:48804","method":"GET","host":"vouch.mydomain.com","path":"/auth","referer":""}`

I would like to understand how I can solve it,
the issue occur when I trying to re-login to one of my apps,

for example here
`https://vouch.mydomain.com/login?url=https://splunk.mydomain.com$request_uri&vouch-failcount=&X-Vouch-Token=&error=`

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions