Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Feature request: Decouple proxy_intercept_errors from custom-http-errors #9211

Open
simhnna opened this issue Oct 24, 2022 · 3 comments
Open

Feature request: Decouple proxy_intercept_errors from custom-http-errors #9211

simhnna opened this issue Oct 24, 2022 · 3 comments
Labels
kind/feature Categorizes issue or PR as related to a new feature. needs-priority needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one.

Comments

@simhnna
Copy link

simhnna commented Oct 24, 2022

We're using external auth and would like to serve custom error pages to our users if external auth doesn't allow the request through.
We'd like to do this while letting the protected upstream services return their own error pages.

Here's the snippet for the error handling on locations

{{/* if a location-specific error override is set, add the proxy_intercept here */}}
{{ if $location.CustomHTTPErrors }}
# Custom error pages per ingress
proxy_intercept_errors on;
{{ end }}

{{ range $errCode := $location.CustomHTTPErrors }}
error_page {{ $errCode }} = @custom_{{ $location.DefaultBackendUpstreamName }}_{{ $errCode }};{{ end }}

You can't set customHttpErrors without also intercepting all errors. Note that the external auth subrequest apparently doesn't rely on proxy_intercept_errors but uses any defined error_page if available. This is how external auth signin url works.

Is there another way to define an error page for the failure responses of external auth (401, 403, 500) without intercepting the errors of the upstream services?
Currently it looks like our only option is to overwrite the nginx template.

So our proposed feature request: By default errors should be intercepted if you specify custom http errors, but you should be able to override that using something like nginx.ingress.kubernetes.io/proxy-intercept-errors: "off"
@simhnna simhnna added the kind/feature Categorizes issue or PR as related to a new feature. label Oct 24, 2022
@k8s-ci-robot k8s-ci-robot added the needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. label Oct 24, 2022
@k8s-ci-robot
Copy link
Contributor

@simhnna: This issue is currently awaiting triage.

If Ingress contributors determines this is a relevant issue, they will accept it by applying the triage/accepted label and provide further guidance.

The triage/accepted label can be added by org members by writing /triage accepted in a comment.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@simhnna simhnna mentioned this issue Oct 24, 2022
Closed
11 tasks
@simhnna
Copy link
Author

simhnna commented Oct 24, 2022

I'm happy to open a pull request if this is accepted

@simhnna
Copy link
Author

simhnna commented Dec 12, 2022

Turns out there is a pull request for this already. We're testing this internally but would have a couple of change requests #8435

@chriss-de chriss-de mentioned this issue Dec 15, 2022
Closed
11 tasks
@chriss-de chriss-de mentioned this issue Jan 10, 2023
Merged
11 tasks
@albgus albgus mentioned this issue Apr 29, 2024
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
kind/feature Categorizes issue or PR as related to a new feature. needs-priority needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@k8s-ci-robot @simhnna