nokia / kong-oidc

OIDC plugin for Kong
Apache License 2.0

Use Redis as cache instead of cookie #89

Closed Apohg closed 5 years ago

Apohg commented 5 years ago

Hello,

I would like to use this plugin with a Redis storage cache for sessions instead of cookies (because we want to keep this information on the server side).

I'm not sure what the steps are to do this. I don't have strong development skills. Is it just a matter of setting some vars to modify the plugin behavior to use Redis, or does it require Lua modifications at the level of lua-resty-session?

If someone has an idea on how to do this.

Thank you for reading! Apogh

Trojan295 commented 5 years ago

The lua-resty-session library, which is used here, supports such things, although the configuration options are not possible through the Kong API and you would need to configure this in the nginx config file.

I've never tried to configure this, but according to the lua-resty-session docs you have those parameters available to configure it:

set $session_storage             redis;
set $session_redis_prefix        sessions;
set $session_redis_socket        unix:///var/run/redis/redis.sock;
set $session_redis_host          127.0.0.1;
set $session_redis_port          6379;
set $session_redis_auth          password;
set $session_redis_uselocking    on;
set $session_redis_spinlockwait  10000;
set $session_redis_maxlockwait   30;
set $session_redis_pool_timeout  45;
set $session_redis_pool_size     10;

I would try to set the session_storage, session_redis_host, session_redis_port (and session_redis_auth, if you have Redis authenticated) and see if this works.

Apohg commented 5 years ago

Thank you for your answer.

Following the documentation (https://docs.konghq.com/0.14.x/configuration/#injecting-individual-nginx-directives), I'm trying to add the following vars to my kong.conf and then use kong reload, but it seems it's not working:

nginx_admin_session_storage=redis
nginx_admin_session_redis_prefix=sessions
nginx_admin_session_redis_host=redis
nginx_admin_session_redis_port=6379

I tried with nginx_proxy_ and nginx_http_ (instead of nginx_admin_) but it's the same. Not sure if I'm just using it wrong. I have no information in the logs. Maybe I should ask on the lua-resty-session GitHub if you have no idea either.

Apohg commented 5 years ago

I finally succeeded in registering in Redis!

If that can be useful for someone: I created a file with this information:

set $session_storage             redis;
set $session_redis_prefix        sessions;
set $session_redis_host          redis;
set $session_redis_port          6379;

And then used it with the proxy include var:

export KONG_NGINX_PROXY_INCLUDE="/etc/kong/nginx-redis.kong.conf"

Finally I have some information in Redis:

127.0.0.1:6379> keys *
1) "sessions:F9vsdcur1d5riePQlGRRoA.."
2) "sessions:r7X3e_uGxCXxQ8hD7nsoGA.."

So I guess what I can find here corresponds to the step "Store AT, ID token and refresh token" on the diagram? I'm not sure what we can find exactly in that sessions key. Is this information encrypted?

Thank you, I guess the case can be closed after your next answer :)

Trojan295 commented 5 years ago

Yes, they are encrypted using a symmetric cipher. As far as I remember the key is created from information like the user-agent, client IP and the sessions secret. So every user session has a different encryption key.
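A way to check this on your own deployment, as an added example that is not part of the thread or of the project's code: an OIDC ID token is always a JWT, so a session value stored in the clear would contain a readable one. The function below scans the raw bytes stored under a `sessions:` key for decodable JWTs; it assumes nothing about the lua-resty-session storage format, and all sample values are constructed.

```python
import base64
import json
import re

# Compact JWS form (three base64url segments); every OIDC ID token has it.
JWT_SHAPE = re.compile(rb"[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}")


def _b64url_json(segment: bytes):
    """Decode one base64url segment to a JSON object, or None if it is not one."""
    try:
        padded = segment + b"=" * (-len(segment) % 4)
        obj = json.loads(base64.urlsafe_b64decode(padded))
    except ValueError:  # bad base64, bad UTF-8 and bad JSON all derive from it
        return None
    return obj if isinstance(obj, dict) else None


def find_plaintext_jwts(raw: bytes) -> list:
    """Return the claims of every readable JWT inside a stored session value."""
    claims = []
    for match in JWT_SHAPE.finditer(raw):
        header_seg, payload_seg, _signature = match.group().split(b".")
        header, payload = _b64url_json(header_seg), _b64url_json(payload_seg)
        if header and "alg" in header and payload is not None:
            claims.append(payload)
    return claims


def _b64url(data: dict) -> bytes:
    return base64.urlsafe_b64encode(json.dumps(data).encode()).rstrip(b"=")


# Constructed samples: an unsigned stand-in for an ID token, a session value
# that would leak it, and an opaque value like the one encryption should give.
SAMPLE_CLAIMS = {"sub": "alice", "iss": "https://idp.example"}
SAMPLE_JWT = b".".join([_b64url({"alg": "RS256"}), _b64url(SAMPLE_CLAIMS), b"c2lnbmF0dXJl"])
LEAKY_VALUE = b'{"id_token":"' + SAMPLE_JWT + b'"}'
OPAQUE_VALUE = base64.b64encode(bytes((i * 37 + 11) % 256 for i in range(96)))

if __name__ == "__main__":
    for name, value in (("leaky", LEAKY_VALUE), ("opaque", OPAQUE_VALUE)):
        print(name, find_plaintext_jwts(value))
```

An empty result only shows that no readable JWT is present; it does not by itself prove which cipher or key protects the value.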

larsw commented 5 years ago

Just FYI for other people who read this issue later: https://github.com/Revomatico/docker-kong-oidc/blob/master/Dockerfile shows how to wire up memcache for session management; this can probably be tuned for redis as well.

satishmane commented 5 years ago

@larsw Hi, I was getting an error like "no session state found". Hence I tried your docker above with session state in memcache. Now I get the error below: Kong Error Request Header Or Cookie Too Large. I tried clearing the browser cache etc., but no luck. Can you please help? Thanks.

larsw commented 5 years ago

@satishmane sorry, I have no experience with it, apart from finding the referenced Dockerfile. I've successfully wired up the redis session store, based on the structure though.

Trojan295 commented 5 years ago

@satishmane, this could be related to your HTTP server configuration. There is a limit of the maximum header size. For ex. in nginx: https://nginx.org/en/docs/http/ngx_http_core_module.html#large_client_header_buffers

For nginx (which Kong is based on) it's 4 KB by default. If you have many applications on one domain and each is adding some data to the cookie header, then it can become quite large. Try to reduce its size or change this config in your HTTP server.

satishmane commented 5 years ago

@Trojan295 thanks. I supplied the params below to my docker and it did resolve the too-large header issue:

--env KONG_NGINX_PROXY_LARGE_CLIENT_HEADER_BUFFERS="16 128k"

But it then failed at the next stage with the error "bad gateway". The Kong error log shows the error below:

2019/02/24 07:54:08 [error] 35#0: *1225 upstream prematurely closed connection while reading response header from upstream, client:

I supplied the params below as proposed in these links (https://andrewlock.net/fixing-nginx-upstream-sent-too-big-header-error-when-running-an-ingress-controller-in-kubernetes/ and https://github.com/ncarlier/kong-integration-samples/issues/4), but it did not help to solve the above error:

--env KONG_NGINX_PROXY_PROXY_BUFFER_SIZE=128k --env KONG_NGINX_PROXY_PROXY_BUFFERS="8 128k"

sandeepmachiraju commented 3 years ago

> I finally succeeded in registering in Redis!
>
> If that can be useful for someone: I created a file with this information:
>
> set $session_storage             redis;
> set $session_redis_prefix        sessions;
> set $session_redis_host          redis;
> set $session_redis_port          6379;
>
> And then used it with the proxy include var:
>
> export KONG_NGINX_PROXY_INCLUDE="/etc/kong/nginx-redis.kong.conf"
>
> Finally I have some information in Redis:
>
> 127.0.0.1:6379> keys *
> 1) "sessions:F9vsdcur1d5riePQlGRRoA.."
> 2) "sessions:r7X3e_uGxCXxQ8hD7nsoGA.."
>
> So I guess what I can find here corresponds to the step "Store AT, ID token and refresh token" on the diagram? I'm not sure what we can find exactly in that sessions key. Is this information encrypted?
>
> Thank you, I guess the case can be closed after your next answer :)

Thanks for providing the information. I would like to try this out. But before that, I have a quick question: If the session, session_2 are stored in Redis, what will be sent to the browser? Is it a pointer to those cookies that will be sent? So that the lookup will happen for each request based on the pointer?

Sorry for re-opening the discussion on this closed issue.