proxy_pass - missing images on first load

[danie-dejager]

I've configured openresty and this module to redirect web traffic for websites that do not natively support MFA/SSO. I use keycloak as the idp.

It works well enough except for a strange issue with the loading of the site once authorized.

Not all the site's assets loads the first time. images or css will be missing. Reloading the site will then display it more correctly until the site displays 100%. Usually around 5 refreshes. During these I see internal server errors in openresty logs.

I've played around with different cache settings but nothing seems to work out for me. At this stage I'm not even sure where the issue is. Either with openresty, the oidc module or my configuration.

lua-resty-openidc config for / and /callback:

        access_by_lua_block {
            local session = require("resty.session").start{
                name      = ngx.var.session_cookie_name,
                secret    = ngx.var.session_secret,
                cookie    = {
                    persistent  = true,
                    lifetime    = tonumber(ngx.var.session_cookie_lifetime),
                    same_site   = "Lax",
                    secure      = true,
                    httponly    = true,
                    remember    = true
                },
                storage = "shm"
            }

            local opts = {
                redirect_uri_path = "/callback",
                discovery         = "https://idp.example.com/realms/master/.well-known/openid-configuration",
                client_id         = "redirect",
                client_secret     = "xxx",
                scope             = "openid email profile",
                session_contents  = { id_token = true },
                unauth_action     = "auth",
                session           = session
            }

            local res, err = require("resty.openidc").authenticate(opts)
            if err then
                ngx.status = 500
                ngx.say(err)
                ngx.exit(ngx.HTTP_INTERNAL_SERVER_ERROR)
            end

            ngx.ctx.auth_user = res.id_token.preferred_username
            ngx.ctx.session_state = res.session_state
        }

nginx proxy pass config:

        proxy_pass        https://target-domain.example.com/;
        proxy_cache       openresty_cache;
        proxy_set_header  Host $host;
        proxy_cache_valid 200 302 10m;
        proxy_cache_valid 404 1m;
        add_header        X-Cache-Status $upstream_cache_status;
        proxy_set_header  X-Real-IP $remote_addr;
        proxy_set_header  X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header  X-Forwarded-Proto $scheme;
        proxy_buffering   on;
        proxy_buffers     16 16k;
        proxy_buffer_size 32k;

openresty nginx caching config:

    lua_shared_dict discovery   5m;
    lua_shared_dict jwks        5m;
    lua_shared_dict sessions    120m;

    resolver 10.10.0.17 ipv6=off;

    server_tokens off;

    client_body_buffer_size     2k;
    client_header_buffer_size   2k;
    client_max_body_size        2k;
    large_client_header_buffers 2 2k;