
Frequent 400 Bad Request #586

Open
jseiser opened this issue Dec 11, 2024 · 5 comments

Comments

@jseiser

jseiser commented Dec 11, 2024

Describe the problem

Provider: Okta

Vouch protected sites will return multiple
400 Bad Request

x-vouch-error /auth Invalid session state: stored %!s(<nil>), returned o3cS6I84ssMKwdvrZ88HIg1poO4dq0K

or when test is disabled

x-vouch-error /auth securecookie: the value is not valid: could not find session store VouchSession

If you retry a few times, you will eventually get through to the protected site.

Expected behavior
I would expect to pass through to the site every time.

Desktop (please complete the following information):

  • OS: Linux, Mac
  • Browser Firefox
  • Version 133.0.3

Additional context

Vouch runs in kubernetes, with nginx ingress handling the various routing.

Here are debug logs, with test set to true. I got the 400, then on the second attempt got through to my app.

https://gist.github.com/jseiser/78a1efafeff05621c3d47b62adcd9f78

My ENV Vars look like this

https://gist.github.com/jseiser/eb994613a32aeca80730edaf44a5ff80

NGINX Config

https://gist.github.com/jseiser/eff62e17c6f0064c73ffc86798975237

Ingress

https://gist.github.com/jseiser/d76815dda8c1f019ece3532275804eb3

@bnfinet
Member

bnfinet commented Dec 11, 2024

@jseiser these logs don't show any requests for a session start initiated by /validate and then going through the /login endpoint. /login in particular is important since that's where the nonce/cookie is set in support of the OAuth login round trip back to /auth. Are these complete logs?

Your nginx config would be helpful as well.

Please consult the README and adjust as necessary.
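The /login to /auth state round trip that bnfinet describes, as an added Go example rather than vouch-proxy's own code: the cookie name VouchSession is taken from the error text in the report, while the function and error names are hypothetical. It reports the "stored nil" case (no session cookie arrived with the callback) separately from a genuine state mismatch, so a log line says which of the two failed.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Hypothetical names, not vouch-proxy's own API; the cookie name is taken from the issue's error text.
const stateCookie = "VouchSession"
// "Stored nil" means the callback request carried no session cookie at all, as opposed to a wrong one.
var ErrNoStoredState = errors.New("invalid session state: stored nil (session cookie not sent back)")
var ErrStateMismatch = errors.New("invalid session state: returned value differs from stored value")

// newState returns a random, URL-safe OAuth state value (24 random bytes, 32 characters).
func newState() (string, error) {
	b := make([]byte, 24)
	_, err := rand.Read(b)
	return base64.RawURLEncoding.EncodeToString(b), err
}

// beginLogin plays the /login step: persist the state in a cookie before redirecting to the IdP (SameSite=Lax so it rides along on the redirect back).
func beginLogin(w http.ResponseWriter, state string) {
	http.SetCookie(w, &http.Cookie{Name: stateCookie, Value: state, Path: "/", HttpOnly: true, Secure: true, SameSite: http.SameSiteLaxMode})
}

// checkCallback plays the /auth step: compare the returned state with the stored one, distinguishing "nothing stored" from "stored but different".
func checkCallback(r *http.Request, returned string) error {
	c, err := r.Cookie(stateCookie)
	if err != nil || c.Value == "" {
		return ErrNoStoredState
	}
	if subtle.ConstantTimeCompare([]byte(c.Value), []byte(returned)) != 1 {
		return ErrStateMismatch
	}
	return nil
}

func main() {
	state, _ := newState()
	rec := httptest.NewRecorder()
	beginLogin(rec, state)
	cb := httptest.NewRequest("GET", "/auth?state="+state, nil)
	cb.AddCookie(rec.Result().Cookies()[0]) // browser sent the cookie back
	fmt.Println("with cookie:", checkCallback(cb, state), "| no cookie:", checkCallback(httptest.NewRequest("GET", "/auth", nil), state))
}
```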

@jseiser
Author

jseiser commented Dec 11, 2024

please consult the README and adjust as necessary.

I thought I did, sorry.

The original post now contains the nginx config. I'll try to figure out what you want for those logs and get that attached.

@bnfinet
Member

bnfinet commented Dec 11, 2024

That is a fascinating nginx config! I think I'm learning a few things picking through that.

There's certainly a lot going on there. Did you evaluate VP with a simpler setup? If you test with a simpler nginx and VP setup does the behavior improve? With rate limiting, lua and modsecurity all in the mix I can't help but wonder if there's some conflict on the nginx side.

That said, I'm happy to look at your logs when you're able to offer them.

@jseiser
Author

jseiser commented Dec 11, 2024

Even before this site went live, so a much more basic config, same issues.

I can remove the rate limiting, but that's a really high limit. ModSecurity is running in SecRuleEngine DetectionOnly, so it's not actually doing anything but generating a log when it would detect something.

Of course, when I turn on test mode, it works a hell of a lot more often than when I disable it. So I will def. remove the rate limit just in case.

All of the lua stuff you see is just the default from the nginx-ingress, nothing special done on our side.

Edit: no change with the RPS disabled.

@jseiser
Author

jseiser commented Dec 11, 2024

@bnfinet

https://gist.github.com/jseiser/a421b91492fad7c5b880a85335c10360

I know it's not debug/test enabled, but I was able to find a log that showed /validate and /login that resulted in not being able to access the UI.

Sorry for being dense, but if I enable test mode, can you elaborate on what you want me to click on? /validate, and /login, and then the next URL present for the redirect?
