Problem with Kubernetes-Cluster internal service URLs authentication

[ArminEberle]

Hi there,

we're running the emqx 4.2.12 Docker version (https://hub.docker.com/r/emqx/emqx) on a Kubernetes cluster. We do have the emqx_auth_http plugin running.

When I set the cluster-external DNS name of our auth-endpoint as AUTH_REQ url, everything works fine (this is an https-endpoint).

Currently the requests are handled with GET (we will switch to POST later).

But we would like to save time and instead of going over the kubernetes ingress (a reverse proxy which handles the external addresses) rather directly access our kubernetes auth-service directly on the cluster. This is an address in the form http://<service-name>.<service-namespace>/<url-path>

However, doing this fails authentication with a 401 in the log. But...:

1. No http-requests arrive at all at our auth-service
2. If I jump into the container, a wget -S http://<service-name>.<service-namespace>/<url-path>?<queryparams> just gives me a 200 fine result, as expected.

So I'm wondering:

A. Is it possible to switch on logging in a way such that the outgoing request are logged? B. May this be a DNS-resolution thing, Erlang possibly not doing the same DNS resolution steps as wget on the same machine? C. Or is there some restrictions built-in that just does not do GET requests for passwords over unencrypted HTTP?

Kind Regards,

Armin

[ArminEberle]

We have managed to resolve the problem by ourself, it was not in emqx auth http:

• we are using nodejs express in the authenticating backend, over HTTP-GET
• if not specially configured, express will eventually send a 304 Not Modified as response instead of 200 OK when requests are coming in repeatedly. 304 Not Modified is not a 200, so emqx http auth will reject authentication