--send-same-http-code=false considered harmful #336
SISheogorath
started this conversation in
General
Replies: 0 comments
After upgrading to v3, I noticed that some of my pages, running behind oauth2-proxy in combination with ingress-nginx were experiencing strange problems. API calls would fail, some things wouldn't be rendered correctly.
After manually calling the sign-in URL from oauth2-proxy it worked again.
When I started to investigate, I realised that the problem was that the default backend for ingress-nginx was called and returned error code 200, when oauth2-proxy returned a 401, which should trigger a redirect to the sign-in URL.
As a result, various pages that were considered protected by oauth2-proxy were exposed to the public web.
This is not a security vulnerability in either of the projects, but an easy mistake to make when following official documentation, like here: https://kubernetes.github.io/ingress-nginx/user-guide/custom-errors/ (even stating that changing the error codes is bad)
In combination with: https://kubernetes.github.io/ingress-nginx/examples/auth/oauth-external-auth/#overview
As a workaround, I highly recommend anyone using these error-pages to change the parameters of this image. When using the ingress-nginx helm chart it would look like this, with the focus on extraEnvs:

What would I like to discuss: Is changing the HTTP code by default maybe a bad idea?
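A regression check for the failure mode described in the post, added here as an example and not code from the error-pages project or from the author: it sends one unauthenticated request to each URL that is supposed to be gated by oauth2-proxy and flags any path that comes back as 200 instead of a 401 or a redirect to the oauth2-proxy sign-in path (assumed to be /oauth2/start, the default used in the ingress-nginx auth-signin annotation; override it if your deployment differs).

```python
"""Check that paths meant to sit behind oauth2-proxy are not served to an
unauthenticated client as HTTP 200 (e.g. by an error backend rewriting 401)."""
import sys
import urllib.error
import urllib.request
from typing import Optional, Tuple
from urllib.parse import urlparse

# oauth2-proxy's default sign-in path (assumption: stock auth-signin annotation)
SIGNIN_PATH = "/oauth2/start"

def classify(status: int, location: Optional[str], signin_path: str = SIGNIN_PATH) -> str:
    """'ok': denied or redirected to sign-in; 'exposed': served as 200;
    'redirect-elsewhere': 3xx not leading to sign-in; 'unexpected': anything else."""
    if status in (401, 403):
        return "ok"
    if status in (301, 302, 303, 307, 308):
        target = urlparse(location or "").path
        return "ok" if target.startswith(signin_path) else "redirect-elsewhere"
    if status == 200:
        return "exposed"
    return "unexpected"

class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Keep urllib from following redirects so the raw 3xx is observed."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None

def probe(url: str, timeout: float = 5.0) -> Tuple[int, Optional[str]]:
    """One GET with no cookies or auth headers; returns (status, Location header)."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, headers={"User-Agent": "auth-gate-check"})
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:  # every non-2xx response lands here
        return err.code, err.headers.get("Location")

def check(urls) -> int:
    """Probe every URL, print one verdict line each, return the number exposed."""
    exposed = 0
    for url in urls:
        status, location = probe(url)
        verdict = classify(status, location)
        print(f"{verdict:<18} {status} {url}" + (f" -> {location}" if location else ""))
        exposed += verdict == "exposed"
    return exposed

if __name__ == "__main__":
    sys.exit(1 if check(sys.argv[1:]) else 0)
```

Run it with the protected URLs as arguments (e.g. `python auth_gate_check.py https://app.example.com/api/`); a non-zero exit means at least one gated path was served without authentication.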