|
1 | 1 | # Enhancement Proposal-4051: Session Persistence for NGINX Plus and OSS |
2 | 2 |
|
3 | 3 | - Issue: https://github.com/nginx/nginx-gateway-fabric/issues/4051 |
4 | | -- Status: Provisional |
| 4 | +- Status: Implementable |
5 | 5 |
|
6 | 6 | ## Summary |
7 | 7 |
|
@@ -54,6 +54,8 @@ samesite=[strict|lax|none|$variable] - Sets the sameSite attribute for the cooki |
54 | 54 | secure - Sets the `secure` attribute for the cookie. |
55 | 55 | httpOnly - Sets the `httpOnly` attribute for the cookie. |
56 | 56 |
|
| 57 | +## API, Customer Driven Interfaces, and User Experience |
| 58 | + |
57 | 59 | ### Session Persistence for NGINX OSS users |
58 | 60 |
|
59 | 61 | In OSS, session persistence is provided by configuring upstreams to use the `ip_hash` load-balancing method. NGINX hashes the client IP to select an upstream server, so requests from the same IP are routed to the same upstream as long as it is available. If that server becomes unavailable, NGINX automatically selects another server in the upstream group. Session affinity quality with `ip_hash` depends on NGINX seeing the real client IP. In environments with external load balancers or proxies, operators must ensure appropriate `real_ip_header/set_real_ip_from` configuration so that `$remote_addr` reflects the end-user address otherwise, stickiness will be determined by the address of the front-end proxy rather than the actual client. |
@@ -118,7 +120,7 @@ const ( |
118 | 120 | ) |
119 | 121 | ``` |
120 | 122 |
|
121 | | -Note: `LoadBalancingMethod` is optional and defaults to `random two least_conn`. Adding this optional field is a non-breaking change and does not require a version bump in alignment with the [Kubernetes API compatibility guidelines](https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api_changes.md#on-compatibility). |
| 123 | +Note: `LoadBalancingMethod` is optional and defaults to `random two least_conn` in NGINX Gateway Fabric, even though NGINX itself defaults to `round_robin` load balancing. Adding this optional field is a non-breaking change and does not require a version bump in alignment with the [Kubernetes API compatibility guidelines](https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api_changes.md#on-compatibility). |
122 | 124 |
|
123 | 125 | ### Session Persistence for NGINX Plus users |
124 | 126 |
|
@@ -160,10 +162,21 @@ When there are multiple path matches that share the same sessionPersistence conf |
160 | 162 |
|
161 | 163 | For **GRPCRoutes**, we do not set explicit cookie `domain` or `path` attributes. Leaving `domain` unset keeps cookies host-only, and omitting `path` means the user agent applies its default path derivation. This avoids guessing a cookie scope from gRPC routing metadata. gRPC routing is driven by a combination of listener hostnames, methods, and header matches, none of which map cleanly onto a single stable cookie scope: methods are too granular, hostnames may be broad or wildcarded, and header-based matches are inherently dynamic. Any attempt to derive a `domain` or `path` from this information would likely be ambiguous or over-scoped. |
162 | 164 |
|
163 | | - |
164 | 165 | These decisions let HTTPRoute traffic benefit from path-scoped cookies while keeping cookie domain to host-only for both HTTPRoutes and GRPCRoutes to avoid cross-host leakage. |
165 | 166 | For GRPCRoutes, we only provide basic sessionPersistence because typical gRPC clients do not implement browser-style cookie storage and replay. Cookies are treated as ordinary headers, so applications must handle them explicitly rather than relying on an automatic client-side cookie store. |
166 | 167 |
|
| 168 | +## Use Cases |
| 169 | + |
| 170 | +This enhancement targets apps that need straightforward session persistence, such as keeping a user on the same backend across multiple requests or supporting stateful services that keep session data in memory. Session persistence keeps a client pinned to one upstream while it’s healthy instead of re-randomizing on each request. |
| 171 | + |
| 172 | +## Testing |
| 173 | + |
| 174 | +There are no existing conformance tests for session persistence, so we will add functional tests to verify end-to-end behavior for both OSS and Plus. For OSS, tests will confirm that `ip_hash` keeps a client pinned to a single upstream while it is healthy. For Plus, tests will verify that `sessionPersistence` produces the expected `sticky cookie` configuration for both HTTPRoute and GRPCRoute and that requests with a valid session cookie are routed consistently to the same upstream. |
| 175 | + |
| 176 | +## Security Considerations |
| 177 | + |
| 178 | +The main security concern is scoping of session cookies. This design keeps cookies host-only by never setting the domain attribute, and for HTTPRoutes it scopes cookies by route path (or `/` when no safe common prefix exists). That limits both cross-host and cross-path leakage and reduces the impact of a compromised cookie. |
| 179 | + |
167 | 180 | ### Edge Cases |
168 | 181 |
|
169 | 182 | - If both Kubernetes Service-level session affinity and Gateway API sessionPersistence are configured for the same traffic, the route MUST be rejected, with a status condition explaining that the two mechanisms are incompatible. |
|
0 commit comments