500 error while Running pomerium-helm on eks behind NLB

What happened?

After creating a tunnel using

$ pomerium-cli tcp worker1-iap.orgdomain.io:22
listening on 127.0.0.1:34523
error serving local connection: invalid http response code: 500

From a second terminal, while sshing, it's throwing 500:

$ ssh suser@localhost -p 34523

This is the corresponding log from the pomerium-proxy pod:

{"level":"info","service":"envoy","upstream-cluster":"","method":"CONNECT","authority":"worker1-iap.orgdomain.io:22","path":"","user-agent":"Go-http-client/1.1","referer":"","forwarded-for":"10.0.0.198","request-id":"ff1f4271-7603-457e-b70f-458dd749d2a3","duration":0.352889,"size":0,"response-code":500,"response-code-details":"ext_authz_error","time":"2022-04-20T16:39:12Z","message":"http-request"}

What did you expect to happen?

It to open the auth page in the browser and redirect after login.

How’d it happen?

I am running pomerium-helm without TLS on EKS and exposing it via NLB.
TLS termination happens at the NLB, which forwards to the HTTP port of the service.

What’s your environment like?

  • Pomerium version (retrieve with pomerium --version):
    image: pomerium/pomerium:v0.17.1
  • Server Operating System/Architecture/Cloud:
    helm.sh/chart: pomerium-31.1.3

What’s your config.yaml?

config:
  rootDomain: Orgdomain.io
  address: :80
  insecure: true
  grpc_address: :80
  insecure_server: true
  insecureProxy: true
  ingressController: false
  shared_secret: XXXXXXXXXXXXXXXXXXXXXX=
  cookie_secret: XXXXXXXXXXXXXXXXXXXX=
  routes:
    - from: tcp+https://worker1-iap.orgdomain.io:22
      to: tcp://10.0.105.253:22
      allowed_domains:
        - orgdomain.io
    - from: tcp+https://worker2-iap.orgdomain.io:22
      to: tcp://10.0.105.252:22
      allowed_domains:
        - orgdomain.io

What did you see in the logs?

{"level":"info","service":"envoy","upstream-cluster":"","method":"CONNECT","authority":"worker1-iap.orgdomain.io:22","path":"","user-agent":"Go-http-client/1.1","referer":"","forwarded-for":"10.0.0.198","request-id":"ff1f4271-7603-457e-b70f-458dd749d2a3","duration":0.352889,"size":0,"response-code":500,"response-code-details":"ext_authz_error","time":"2022-04-20T16:39:12Z","message":"http-request"}

Could someone help me to understand what is happening here?

  • Do you have an IdP set up?
  • Do any of the HTTP-only routes work?
  • There must be additional info from the authorize service elaborating the reason for the rejection.

Yes, I've configured Google IdP;
the authenticate endpoint is tested to work by exposing it as an ingress endpoint.

Not getting any log on the authorize side while this errors out on the proxy side.

Do any of the HTTP-only routes work?

Yes, the exposed authenticate endpoint worked fine.

  1. There must be a corresponding error in the authorize pod with further details.
  2. Normally you should have your browser open; note there is a browser-cmd option if there's an issue with your default browser opening command.
  3. Is your certificate chain trusted on the machine you're running pomerium-cli on? Try the disable-tls-verification option.
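To make the proxy-to-authorize correlation suggested in point 1 repeatable, here is an added example (not code from the thread or from Pomerium) that parses the pomerium-proxy pod's Envoy access log, separates `ext_authz_error` failures from ordinary responses, and collects the request-ids to search for in the authorize pod's log. The sample log is constructed: the first line is the one posted above, the others are made up for illustration.

```python
import json
from collections import defaultdict

# Constructed sample: the pomerium-proxy (Envoy) line from the thread, one
# made-up healthy HTTP request, one more made-up CONNECT failure, and a
# non-JSON line of the kind kubectl logs often interleaves.
SAMPLE_LOG = """\
{"level":"info","service":"envoy","upstream-cluster":"","method":"CONNECT","authority":"worker1-iap.orgdomain.io:22","path":"","user-agent":"Go-http-client/1.1","referer":"","forwarded-for":"10.0.0.198","request-id":"ff1f4271-7603-457e-b70f-458dd749d2a3","duration":0.352889,"size":0,"response-code":500,"response-code-details":"ext_authz_error","time":"2022-04-20T16:39:12Z","message":"http-request"}
{"level":"info","service":"envoy","upstream-cluster":"route-0","method":"GET","authority":"authenticate.orgdomain.io","path":"/.well-known/pomerium","user-agent":"curl/7.68.0","referer":"","forwarded-for":"10.0.0.198","request-id":"11111111-2222-3333-4444-555555555555","duration":1.2,"size":512,"response-code":200,"response-code-details":"via_upstream","time":"2022-04-20T16:39:20Z","message":"http-request"}
{"level":"info","service":"envoy","upstream-cluster":"","method":"CONNECT","authority":"worker2-iap.orgdomain.io:22","path":"","user-agent":"Go-http-client/1.1","referer":"","forwarded-for":"10.0.0.198","request-id":"aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee","duration":0.4,"size":0,"response-code":500,"response-code-details":"ext_authz_error","time":"2022-04-20T16:40:01Z","message":"http-request"}
not json at all
"""


def parse_access_log(text):
    """Return one dict per JSON access-log line; skip blank or non-JSON lines."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # startup chatter, stack traces, etc.
        if rec.get("message") == "http-request":
            records.append(rec)
    return records


def ext_authz_failures(records):
    """Requests Envoy failed because the call to the external authorization
    service itself errored (ext_authz_error), as opposed to a decision the
    authorize service actually returned."""
    return [r for r in records
            if r.get("response-code") == 500
            and r.get("response-code-details") == "ext_authz_error"]


def summarize(records):
    """Group ext_authz failures by (authority, method) and keep their
    request-ids, the key to grep for in the authorize pod's log."""
    out = defaultdict(list)
    for r in ext_authz_failures(records):
        out[(r["authority"], r["method"])].append(r["request-id"])
    return dict(out)


if __name__ == "__main__":
    for (authority, method), ids in summarize(parse_access_log(SAMPLE_LOG)).items():
        print(f"{method} {authority}: {len(ids)} ext_authz_error, request-ids {ids}")
```

Pipe `kubectl logs` of the proxy pod into `parse_access_log` instead of `SAMPLE_LOG` to run it against a live deployment.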