Proxy whooked

auth_request via oauth2-proxy to gitlab-ce on Ubuntu 20.04

2021.01.18 23:43 bbus01 auth_request via oauth2-proxy to gitlab-ce on Ubuntu 20.04

I have inherited management of a server running MDwiki on Ubuntu 16.04. There is a section of the wiki that is protected using oauth2-proxy (version 2.x) that uses gitlab-ce as the authenticator via auth_request. We migrated gitlab and the wiki to a new server running Ubuntu 20.04, and installed the newest version of oauth2-proxy (version 6.x). I think oauth2-proxy is doing mostly everything correctly, because upon navigating to the protected section of the wiki, I get kicked to an oauth2 page with a single link to the gitlab sign-in page, where, upon signing in, I get a "500 internal server error" and a link is on that page with text "Sign In" that points to "our.server.url/oauth2/sign_in". This is all done in a private browser window, by the way.

So, at this point, if I open a new tab, and try to navigate to the protected section of the wiki again, I first get sent to the oauth2 page with the link to sign in to gitlab. But in contrast this time, I don't get asked to login to gitlab after clicking the link. I get sent straight to the "500 Internal Server error" page. This behavior makes me think that the cookie is correctly recognizing I'm signed in already. I can also open our gitlab instance without being asked to login in another new tab.
If anyone has any ideas on how to fix this, or where I should go to request assistance, please let me know. I'm including the systemctl status output for oauth2-proxy. The oauth subreddit is not for technical assistance, apparently, so I'm not sure I should ask there; besides, I'm not sure if the problem is there or with my nginx config, which I'm also including. I've sanitized the files from what I think is necessary. Please let me know if it looks like something is missing, or if something else should also be removed.
    $ sudo systemctl status oauth2-proxy.service
    ● oauth2-proxy.service - oauth2-proxy daemon service
         Loaded: loaded (/etc/systemd/system/oauth2-proxy.service; enabled; vendor preset: enabled)
         Active: active (running) since Thu 2021-01-07 22:48:52 MST; 1 weeks 3 days ago
       Main PID: 9075 (oauth2-proxy)
          Tasks: 9 (limit: 9487)
         Memory: 6.4M
         CGroup: /system.slice/oauth2-proxy.service
                 └─9075 /opt/oauth2-proxy/oauth2-proxy --config=/etc/oauth2-proxy.cfg

    Jan 18 10:19:22 ourhostname oauth2-proxy[9075]: 127.0.0.1:50188 - - [2021/01/18 10:19:22] our.server.url GET - "/oauth2/sign_in" HTTP/1.0 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.141 Safari/537.36" 200 2633 0.001
    Jan 18 10:19:23 ourhostname oauth2-proxy[9075]: 127.0.0.1:50192 - - [2021/01/18 10:19:23] our.server.url GET - "/oauth2/start?rd=%2Fwiki%2Fprotected%2F" HTTP/1.0 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.141 Safari/537.36" 302 360 0.000
    Jan 18 10:19:23 ourhostname oauth2-proxy[9075]: [2021/01/18 10:19:23] [logger.go:508] Error redeeming code during OAuth2 callback: failed to retrieve user info: error getting user info: unexpected status "404":
    Jan 18 10:19:23 ourhostname oauth2-proxy[9075]: 404 Not Found
    Jan 18 10:19:23 ourhostname oauth2-proxy[9075]:
    Jan 18 10:19:23 ourhostname oauth2-proxy[9075]: 404 Not Found
    Jan 18 10:19:23 ourhostname oauth2-proxy[9075]: nginx
    Jan 18 10:19:23 ourhostname oauth2-proxy[9075]:
    Jan 18 10:19:23 ourhostname oauth2-proxy[9075]:
    Jan 18 10:19:23 ourhostname oauth2-proxy[9075]: 127.0.0.1:50194 - - [2021/01/18 10:19:23] our.server.url GET - "/oauth2/callback?code=alpha123456789numeric&state=alpha123456789numeric%3A%2Fwiki%2Fprotected%2F" HTTP/1.0 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.141 Safari/537.36" 500 345 0.083
I should say, I removed the most sensitive data and briefly disabled the auth_request, retaining just the "alias" line in the protected location, and the webpage worked just fine. Re-enabled it all again, and behavior persists. I think maybe the handoff is not working properly.
    # Created by: REDACTED
    # Date: 1 Dec 2017
    # Modified from https://gitlab.com/gitlab-org/gitlab-recipes/blob/master/web-server/nginx/gitlab-omnibus-ssl-nginx.conf
    #
    # ----
    #
    # Modified 2020-10-23 by REDACTED
    #
    # Reason for modification:
    # Upgrade to new Ubuntu 20.04 LTS based server
    #
    # ======================================

    upstream gitlab-workhorse {
      server unix:/var/opt/gitlab/gitlab-workhorse/sockets/socket;
    }

    upstream webhook {
      server unix:/home/wiki/whook/wh.sock;
    }

    upstream oauth2_proxy {
      server localhost:4180;
    }

    server {
      listen 0.0.0.0:80;
      listen [::]:80;
      server_name our.server.url;
      server_tokens off;
      return 301 https://$http_host$request_uri;  # redirect to https
    }

    server {
      listen 0.0.0.0:443 ssl default_server;
      listen [::]:443 ssl default_server;
      server_name our.server.url;
      server_tokens off;
      root /var/www/html;

      ssl_certificate /path/to/cert.crt;
      ssl_certificate_key /path/to/key.key;

      add_header Strict-Transport-Security max-age=2592000;

      # GitLab needs backwards compatible ciphers to retain compatibility with Java IDEs
      ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
      ssl_protocols TLSv1.2 TLSv1.3;
      ssl_prefer_server_ciphers on;
      ssl_session_cache shared:SSL:10m;
      ssl_session_timeout 5m;

      location / {
        # First attempt to serve request as file, then
        # as directory, then fall back to displaying a 404.
        try_files $uri $uri/ =404;
        index index.html;
      }

      location /gitlab {
        root /opt/gitlab/embedded/service/gitlab-rails/public;
        access_log /var/log/nginx/gitlab_access.log;
        error_log /var/log/nginx/gitlab_error.log;
        client_max_body_size 0;
        gzip off;

        ## https://github.com/gitlabhq/gitlabhq/issues/694
        ## Some requests take more than 30 seconds.
        proxy_read_timeout 300;
        proxy_connect_timeout 300;
        proxy_redirect off;
        proxy_http_version 1.1;

        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        proxy_pass http://gitlab-workhorse;
      }

      location /oauth2/ {
        proxy_pass http://oauth2_proxy;
        # proxy_pass http://127.0.0.1:4180;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Scheme $scheme;
        proxy_set_header X-Auth-Request-Redirect $request_uri;
      }

      location = /oauth2/auth {
        proxy_pass http://127.0.0.1:4180;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Scheme $scheme;
        # nginx auth_request includes headers but not body
        proxy_set_header Content-Length "";
        proxy_pass_request_body off;
      }

      location /wiki {
        alias /var/www/wiki/public/;
      }

      location /wiki/protected {
        auth_request /oauth2/auth;
        error_page 401 = /oauth2/sign_in;

        # pass information via X-User and X-Email headers to backend,
        # requires running with --set-xauthrequest flag
        # auth_request_set $user $upstream_http_x_auth_request_user;
        # auth_request_set $email $upstream_http_x_auth_request_email;
        # proxy_set_header X-User $user;
        # proxy_set_header X-Email $email;

        # if you enabled --pass-access-token, this will pass the token to the backend
        # auth_request_set $token $upstream_http_x_auth_request_access_token;
        # proxy_set_header X-Access-Token $token;

        # if you enabled --cookie-refresh, this is needed for it to work with auth_request
        auth_request_set $auth_cookie $upstream_http_set_cookie;
        add_header Set-Cookie $auth_cookie;

        # When using the --set-authorization-header flag, some provider's cookies can exceed the 4kb
        # limit and so the OAuth2 Proxy splits these into multiple parts.
        # Nginx normally only copies the first `Set-Cookie` header from the auth_request to the response,
        # so if your cookies are larger than 4kb, you will need to extract additional cookies manually.
        auth_request_set $auth_cookie_name_upstream_1 $upstream_cookie_auth_cookie_name_1;

        # Extract the Cookie attributes from the first Set-Cookie header and append them
        # to the second part ($upstream_cookie_* variables only contain the raw cookie content)
        if ($auth_cookie ~* "(; .*)") {
            set $auth_cookie_name_0 $auth_cookie;
            set $auth_cookie_name_1 "auth_cookie_name_1=$auth_cookie_name_upstream_1$1";
        }

        # Send both Set-Cookie headers now if there was a second part
        if ($auth_cookie_name_upstream_1) {
            add_header Set-Cookie $auth_cookie_name_0;
            add_header Set-Cookie $auth_cookie_name_1;
        }

        # proxy_pass http://backend/;
        # or "root /path/to/site;" or "fastcgi_pass ..." etc
        alias /var/www/wiki/protected/;
      }

      location /wiki/webhook {
        include uwsgi_params;
        uwsgi_pass webhook;
      }
    }
submitted by bbus01 to r/nginx
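As an added example (not code from the post or from oauth2-proxy), a small Python detector for the journal output shown above: it parses oauth2-proxy's request and error log lines, folds a multi-line upstream body (like the 404 page spread over several journal lines) into the preceding error, and pairs every 5xx on /oauth2/callback with the error logged just before it, which is the signal to alert on when a login loop like the one described appears. The journal prefix pattern and the sample lines are constructed assumptions modelled on the excerpt; the code and state values are fake.

```python
import re
# Journald prefix as in the post's `systemctl status` output; stripped before parsing (assumed shape).
JOURNAL_PREFIX = re.compile(r'^\w{3} +\d+ [\d:]+ \S+ oauth2-proxy\[\d+\]: ?')
# Request log: client - user [ts] host METHOD upstream "uri" HTTP/x "ua" status size secs
REQ_RE = re.compile(
    r'^(?P<client>\S+) - (?P<user>\S+) \[(?P<ts>[^\]]+)\] (?P<host>\S+) '
    r'(?P<method>[A-Z]+) (?P<upstream>\S+) "(?P<path>[^"]*)" HTTP/\S+ '
    r'"(?P<ua>[^"]*)" (?P<status>\d{3}) (?P<size>\d+) (?P<secs>[\d.]+)$')
# Error log: [ts] [logger.go:NNN] message
ERR_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] \[logger\.go:\d+\] (?P<msg>.*)$')

def parse(lines):
    """Return ('req', fields) / ('err', fields) events. Lines matching neither pattern
    (e.g. the upstream's 404 body spread over journal lines) are folded into the last error."""
    events = []
    for raw in lines:
        line = JOURNAL_PREFIX.sub('', raw.rstrip('\n')).strip()
        if not line:
            continue
        req, err = REQ_RE.match(line), ERR_RE.match(line)
        if req:
            fields = req.groupdict()
            fields['status'] = int(fields['status'])
            events.append(('req', fields))
        elif err:
            events.append(('err', err.groupdict()))
        elif events and events[-1][0] == 'err':
            events[-1][1]['msg'] += ' ' + line
    return events

def failed_callbacks(lines):
    """Each /oauth2/callback that ended in a 5xx, paired with the error logged just before it:
    the IdP returned a code, but oauth2-proxy could not redeem it or fetch the user profile."""
    findings, last_err = [], None
    for kind, ev in parse(lines):
        if kind == 'err':
            last_err = ev['msg']
        elif ev['path'].startswith('/oauth2/callback') and ev['status'] >= 500:
            findings.append({'client': ev['client'].rsplit(':', 1)[0], 'ts': ev['ts'],
                             'status': ev['status'], 'reason': last_err or 'no error logged'})
            last_err = None
    return findings
# Constructed sample modelled on the journal excerpt in the post (code/state values are fake).
SAMPLE = """\
Jan 18 10:19:23 h oauth2-proxy[9075]: 127.0.0.1:50192 - - [2021/01/18 10:19:23] our.server.url GET - "/oauth2/start?rd=%2Fwiki%2Fprotected%2F" HTTP/1.0 "Mozilla/5.0" 302 360 0.000
Jan 18 10:19:23 h oauth2-proxy[9075]: [2021/01/18 10:19:23] [logger.go:508] Error redeeming code during OAuth2 callback: failed to retrieve user info: error getting user info: unexpected status "404":
Jan 18 10:19:23 h oauth2-proxy[9075]: 404 Not Found
Jan 18 10:19:23 h oauth2-proxy[9075]: nginx
Jan 18 10:19:23 h oauth2-proxy[9075]: 127.0.0.1:50194 - - [2021/01/18 10:19:23] our.server.url GET - "/oauth2/callback?code=FAKECODE&state=FAKESTATE%3A%2Fwiki%2Fprotected%2F" HTTP/1.0 "Mozilla/5.0" 500 345 0.083
""".splitlines()
```

Feed it `journalctl -u oauth2-proxy.service` output line by line; a non-empty result from `failed_callbacks` means the callback stage is where the flow breaks, and `reason` tells you which upstream call returned the unexpected status.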