I'm having trouble using Blazor Server with authentication.
Running the application with authentication in the k8s cluster:
And I proxied the request using Fiddler:
And the log from nginx:
2024/06/06 18:34:13 [error] 15002#15002: *83248839 upstream timed out (110: Operation timed out) while reading response header from upstream, client: 172.29.1.184, server: abc-powerapps-ondemand-web.dev.hbsa.com.br, request: "GET /_blazor?id=oS-BQBM6lnriZo-UZFmKsA&_=1717698793158 HTTP/2.0", upstream: "http://172.29.2.44:8080/_blazor?id=oS-BQBM6lnriZo-UZFmKsA&_=1717698793158", host: "abc-powerapps-ondemand-web.dev.hbsa.com.br", referrer: "https://abc-powerapps-ondemand-web.dev.hbsa.com.br/"
But I have another app without authentication, and it works as expected:
It is the same case as this one in StackOverflow: .NET 6 | C# | Blazor Server websocket connection failed after openid auth
I'm using the WebSockets transport only:
<script src="_framework/blazor.web.js" autostart="false"></script>
<script>
  Blazor.start({
    circuit: {
      configureSignalR: function (builder) {
        builder.withUrl("_blazor", { skipNegotiation: true, transport: 1 })
      }
    }
  });
</script>
But I have already configured the annotations:
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt
    meta.helm.sh/release-name: abc-powerapps-ondemand-web
    meta.helm.sh/release-namespace: abc
    nginx.ingress.kubernetes.io/client-max-body-size: 100M
    nginx.ingress.kubernetes.io/large-client-header-buffers: 16 5M
    nginx.ingress.kubernetes.io/proxy-body-size: 50M
    nginx.ingress.kubernetes.io/proxy-buffer-size: 5M
    nginx.ingress.kubernetes.io/proxy-buffers: 8 5M
I used big values to make sure it would work rs
But it does not work :(
Is there any other configuration I need to add?
So I tried it locally using nginx to figure it out:
nginx.conf
http {
    server {
        listen 80;
        listen [::]:80;
        server_name localhost;
        proxy_buffers 8 128k;
        proxy_buffer_size 32k;
        large_client_header_buffers 16 128k;
        location / {
            proxy_pass http://app:8080;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_set_header X-Forwarded-Host $host;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
        }
    }
}
docker-compose.yml:
version: '3'
services:
  app:
    image: web
    environment:
      - ASPNETCORE_ENVIRONMENT=Development
      - OTEL_SERVICE_NAME=abc-powerapps-ondemand-web
  app2:
    image: web2
    environment:
      - ASPNETCORE_ENVIRONMENT=Development
    ports:
      - "8082:8080"
  nginx:
    image: nginx
    ports:
      - "80:80"
    volumes:
      - ./nginx.conf:/etc/nginx/nginx.conf
    depends_on:
      - app
And it works as expected, with the same application.
Here is the complete configuration generated from the Ingress:
# Server block rendered for the host abc-powerapps-ondemand-web.dev.hbsa.com.br.
# It listens on 80 and on 443 (TLS with HTTP/2) and proxies every path ("/")
# to the upstream named by $proxy_upstream_name through `upstream_balancer`.
server {
	server_name abc-powerapps-ondemand-web.dev.hbsa.com.br ;

	listen 80  ;
	listen [::]:80  ;
	listen 443  ssl http2 ;
	listen [::]:443  ssl http2 ;

	set $proxy_upstream_name "-";

	# The certificate is selected at handshake time by Lua code rather than by
	# a static ssl_certificate directive in this block.
	ssl_certificate_by_lua_block {
		certificate.call()
	}

	location / {

		# Metadata identifying the Ingress, Service and port this location was
		# generated from.
		set $namespace      "abc";
		set $ingress_name   "abc-powerapps-ondemand-web";
		set $service_name   "abc-powerapps-ondemand-web";
		set $service_port   "8080";
		set $location_path  "/";
		set $global_rate_limit_exceeding n;

		# ssl_redirect = true with force_ssl_redirect = false; presumably plain
		# HTTP requests on port 80 are redirected to HTTPS - confirm against
		# the controller documentation.
		rewrite_by_lua_block {
			lua_ingress.rewrite({
				force_ssl_redirect = false,
				ssl_redirect = true,
				force_no_ssl_redirect = false,
				preserve_trailing_slash = false,
				use_port_in_redirects = false,
				global_throttle = { namespace = "", limit = 0, window_size = 0, key = { }, ignored_cidrs = { } },
			})
			balancer.rewrite()
			plugins.run()
		}

		# be careful with `access_by_lua_block` and `satisfy any` directives as satisfy any
		# will always succeed when there's `access_by_lua_block` that does not have any lua code doing `ngx.exit(ngx.DECLINED)`
		# other authentication method such as basic auth or external auth useless - all requests will be allowed.
		#access_by_lua_block {
		#}

		header_filter_by_lua_block {
			lua_ingress.header()
			plugins.run()
		}

		body_filter_by_lua_block {
			plugins.run()
		}

		log_by_lua_block {
			balancer.log()
			monitor.call()
			plugins.run()
		}

		port_in_redirect off;

		set $balancer_ewma_score -1;
		set $proxy_upstream_name "abc-abc-powerapps-ondemand-web-8080";
		set $proxy_host          $proxy_upstream_name;
		set $pass_access_scheme  $scheme;

		set $pass_server_port    $server_port;

		set $best_http_host      $http_host;
		set $pass_port           $pass_server_port;

		set $proxy_alternative_upstream_name "";

		# NOTE(review): the Ingress annotations shown earlier on this page ask for
		# client-max-body-size 100M, large-client-header-buffers 16 5M and
		# proxy-buffers 8 5M, but this block carries client_max_body_size 50M,
		# proxy_buffers 4 5M and no large_client_header_buffers directive. Those
		# three annotations appear not to have taken effect here - confirm the
		# supported annotation names against the controller documentation
		# (request-header limits may instead be set outside this server block).
		client_max_body_size                    50M;

		proxy_set_header Host                   $best_http_host;

		# Pass the extracted client certificate to the backend

		# Allow websocket connections
		# $connection_upgrade is not defined in this block; presumably it comes
		# from a map on $http_upgrade in the enclosing http context - verify.
		proxy_set_header                        Upgrade           $http_upgrade;

		proxy_set_header                        Connection        $connection_upgrade;

		proxy_set_header X-Request-ID           $req_id;
		proxy_set_header X-Real-IP              $remote_addr;

		# X-Forwarded-For is overwritten with the address of the directly
		# connected peer, so a value supplied by the client is not propagated
		# under this name.
		proxy_set_header X-Forwarded-For        $remote_addr;

		proxy_set_header X-Forwarded-Host       $best_http_host;
		proxy_set_header X-Forwarded-Port       $pass_port;
		proxy_set_header X-Forwarded-Proto      $pass_access_scheme;
		proxy_set_header X-Forwarded-Scheme     $pass_access_scheme;

		proxy_set_header X-Scheme               $pass_access_scheme;

		# Pass the original X-Forwarded-For
		# This header carries the client-supplied value unchanged; the backend
		# should treat it as untrusted input and not use it for access decisions.
		proxy_set_header X-Original-Forwarded-For $http_x_forwarded_for;

		# mitigate HTTPoxy Vulnerability
		# https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/
		proxy_set_header Proxy                  "";

		# Custom headers to proxied server

		# Send/read timeouts of one hour let an otherwise idle proxied
		# connection stay open for that long.
		proxy_connect_timeout                   360s;
		proxy_send_timeout                      3600s;
		proxy_read_timeout                      3600s;

		# Response buffering is off, so responses are relayed as they arrive;
		# proxy_buffer_size still bounds the buffer used to read the upstream
		# response header. These buffers are allocated per proxied connection,
		# so 5M values multiply memory use under many concurrent connections -
		# worth reducing once the original problem has been diagnosed.
		proxy_buffering                         off;
		proxy_buffer_size                       5M;
		proxy_buffers                           4 5M;

		proxy_max_temp_file_size                1024m;

		proxy_request_buffering                 on;
		# HTTP/1.1 towards the upstream is what allows the Upgrade/Connection
		# headers above to be used for WebSocket proxying.
		proxy_http_version                      1.1;

		proxy_cookie_domain                     off;
		proxy_cookie_path                       off;

		# In case of errors try the next upstream server before returning an error
		proxy_next_upstream                     error timeout;
		proxy_next_upstream_timeout             0;
		proxy_next_upstream_tries               3;

		proxy_pass http://upstream_balancer;

		proxy_redirect                          off;

	}

}