Skip to content
New issue

Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.

#

By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? # to your account

Jump to bottom

NGINX Ingress Controller 4.11.5 Not Forwarding Authorization Header Despite Configuration #13163

Closed
mezzinea opened this issue Apr 6, 2025 · 2 comments
Closed

NGINX Ingress Controller 4.11.5 Not Forwarding Authorization Header Despite Configuration #13163

mezzinea opened this issue Apr 6, 2025 · 2 comments
Labels
needs-kind Indicates a PR lacks a `kind/foo` label and requires one. needs-priority needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one.

Comments

@mezzinea
Copy link

mezzinea commented Apr 6, 2025

Description
After upgrading from NGINX Ingress Controller 4.7.1 to 4.11.5, Basic Authentication headers are not being forwarded to the backend FastAPI application, despite explicit configuration. The headers work when NGINX auth is disabled.

Current Behavior

  • With auth annotations enabled, requests to backend return 401
  • $http_authorization appears empty in forwarded requests proxy_set_header Authorization ""; inside nginx.conf file
  • Works perfectly when removing NGINX auth annotations

Expected Behavior
NGINX should forward original Authorization header after performing its own authentication.

Reproduction Steps

  1. Apply this ingress configuration:
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    nginx.ingress.kubernetes.io/auth-type: basic
    nginx.ingress.kubernetes.io/auth-secret-type: auth-map
    nginx.ingress.kubernetes.io/auth-realm: Auth Required - ProfilesAPI
    nginx.ingress.kubernetes.io/auth-secret: ns/secret
    nginx.ingress.kubernetes.io/configuration-snippet: |
      proxy_set_header Authorization $http_authorization;
      proxy_pass_header Authorization;
@k8s-ci-robot k8s-ci-robot added the needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. label Apr 6, 2025
@k8s-ci-robot
Copy link
Contributor

This issue is currently awaiting triage.

If Ingress contributors determines this is a relevant issue, they will accept it by applying the triage/accepted label and provide further guidance.

The triage/accepted label can be added by org members by writing /triage accepted in a comment.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@k8s-ci-robot k8s-ci-robot added needs-kind Indicates a PR lacks a `kind/foo` label and requires one. needs-priority labels Apr 6, 2025
@mezzinea
Copy link
Author

mezzinea commented Apr 6, 2025

Snippet annotations are disabled by default in recent NGINX Ingress Controller versions for security reasons.
Solution : add allow-snippet-annotations: "true" to configMap

@mezzinea mezzinea closed this as completed Apr 6, 2025
# for free to join this conversation on GitHub. Already have an account? # to comment
Assignees
No one assigned
Labels
needs-kind Indicates a PR lacks a `kind/foo` label and requires one. needs-priority needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one.
Projects
[SIG Network] Ingress NGINX
Status: Done
Milestone
No milestone
Development

No branches or pull requests
2 participants
@k8s-ci-robot @mezzinea