Help - Nginx Azure Auth

Pavan P pavan45 at gmail.com
Thu Nov 26 06:21:10 UTC 2020


Still the same issue, https not redirecting to azure for authentication.
Only http redirects.

On Thu, Nov 26, 2020 at 11:47 AM HARISH KUMAR Ivaturi <
harishkumarivaturi at gmail.com> wrote:

> Try with TLSv1.2
>
> TLSv1.3 is for http3.
>
> On Thu 26 Nov, 2020, 7:09 AM Pavan P, <pavan45 at gmail.com> wrote:
>
>> Still the same problem, enabled ssl_protocols TLSv1.3;
>>
>> Is there any issue with my configuration? With the below configuration,
>> http://ci1.altlifelab.com redirects to the authentication page, but
>> https does not, it will directly go to the application without
>> authentication.
>>
>> server {
>>     server_name ci1.altlifelab.com;
>>
>>     location / {
>>       proxy_set_header        Host $host:$server_port;
>>       proxy_set_header        X-Real-IP $remote_addr;
>>       proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
>>       proxy_set_header        X-Forwarded-Proto $scheme;
>>
>>
>>       # Fix the "It appears that your reverse proxy set up is broken"
>> error.
>>       proxy_pass          http://127.0.0.1:9080;
>>       proxy_read_timeout  90;
>>
>>       proxy_redirect      http://127.0.0.1:9080
>> http://www.ci1.altlifelab.com;
>>
>>       # Required for new HTTP-based CLI
>>       proxy_http_version 1.1;
>>       proxy_request_buffering off;
>>       # workaround for
>> https://issues.jenkins-ci1.org/browse/JENKINS-45651
>>       add_header 'X-SSH-Endpoint' 'ci1.altlifelab.com:50022' always;
>>     }
>>
>>     listen 443 ssl; # managed by Certbot
>>     ssl_certificate /etc/letsencrypt/live/
>> ci1.altlifelab.com/fullchain.pem; # managed by Certbot
>>     ssl_certificate_key /etc/letsencrypt/live/
>> ci1.altlifelab.com/privkey.pem; # managed by Certbot
>>     include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
>>     ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
>>     ssl_protocols TLSv1.3;
>> }
>>
>> server {
>>     if ($host = ci1.altlifelab.com) {
>> #        return 301 https://$host$request_uri;
>> return 301
>> https://myapps.microsoft.com/signin/ci2/a825dd26-fed2-4423-ae69-6a7d457b4b44?tenantId=eb9970cc-4803-4f6a-9ad2-e9b46042c5fd
>> ;
>>     } # managed by Certbot
>>
>>
>>     listen 80;
>> server_name ci1.altlifelab.com;
>>     return 404; # managed by Certbot
>> }
>>
>> On Thu, Nov 26, 2020 at 11:24 AM Pavan P <pavan45 at gmail.com> wrote:
>>
>>> HI Harish,
>>> But the issue I'm facing is different, when I try
>>> http://ci1.altlifelab.com it works fine, when I use
>>> https://ci1.altlifelab.com the url does not redirect to auth.
>>>
>>> On Thu, Nov 26, 2020 at 11:12 AM HARISH KUMAR Ivaturi <
>>> harishkumarivaturi at gmail.com> wrote:
>>>
>>>> Once try this.
>>>>
>>>>
>>>> https://docs.nginx.com/nginx/admin-guide/security-controls/configuring-subrequest-authentication/
>>>>
>>>> And configure again with auth proxy module
>>>>
>>>> On Thu 26 Nov, 2020, 6:17 AM Pavan P, <pavan45 at gmail.com> wrote:
>>>>
>>>>> Yes Harish, Certificate is working fine.
>>>>>
>>>>> root at ip-172-31-33-18:~# nginx -V
>>>>> nginx version: nginx/1.10.3 (Ubuntu)
>>>>> built with OpenSSL 1.0.2g  1 Mar 2016
>>>>> TLS SNI support enabled
>>>>> configure arguments: --with-cc-opt='-g -O2 -fPIE
>>>>> -fstack-protector-strong -Wformat -Werror=format-security -Wdate-time
>>>>> -D_FORTIFY_SOURCE=2' --with-ld-opt='-Wl,-Bsymbolic-functions -fPIE -pie
>>>>> -Wl,-z,relro -Wl,-z,now' --prefix=/usr/share/nginx
>>>>> --conf-path=/etc/nginx/nginx.conf --http-log-path=/var/log/nginx/access.log
>>>>> --error-log-path=/var/log/nginx/error.log --lock-path=/var/lock/nginx.lock
>>>>> --pid-path=/run/nginx.pid --http-client-body-temp-path=/var/lib/nginx/body
>>>>> --http-fastcgi-temp-path=/var/lib/nginx/fastcgi
>>>>> --http-proxy-temp-path=/var/lib/nginx/proxy
>>>>> --http-scgi-temp-path=/var/lib/nginx/scgi
>>>>> --http-uwsgi-temp-path=/var/lib/nginx/uwsgi --with-debug --with-pcre-jit
>>>>> --with-ipv6 --with-http_ssl_module --with-http_stub_status_module
>>>>> --with-http_realip_module --with-http_auth_request_module
>>>>> --with-http_addition_module --with-http_dav_module --with-http_geoip_module
>>>>> --with-http_gunzip_module --with-http_gzip_static_module
>>>>> --with-http_image_filter_module --with-http_v2_module
>>>>> --with-http_sub_module --with-http_xslt_module --with-stream
>>>>> --with-stream_ssl_module --with-mail --with-mail_ssl_module --with-threads
>>>>> (base) root at ip-172-31-33-18:~#
>>>>>
>>>>> On Thu, Nov 26, 2020 at 10:43 AM HARISH KUMAR Ivaturi <
>>>>> harishkumarivaturi at gmail.com> wrote:
>>>>>
>>>>>> 1) once type nginx -V and send rhe output.
>>>>>>
>>>>>> 2) certificate - certificate.cert
>>>>>> Certificate_key - certificate.key
>>>>>>
>>>>>> Once recheck the certs section and make sure that you have generated
>>>>>> with certificates with openssl properly.
>>>>>>
>>>>>> BR
>>>>>> Harish Kumar
>>>>>>
>>>>>> On Thu 26 Nov, 2020, 5:27 AM Pavan P, <pavan45 at gmail.com> wrote:
>>>>>>
>>>>>>> Hi Harish,
>>>>>>> Below is the config of my nginx. Https module is configured fine.
>>>>>>> Please let me know if I have missed anything.
>>>>>>>
>>>>>>> server {
>>>>>>>     server_name ci1.altlifelab.com;
>>>>>>>
>>>>>>>     location / {
>>>>>>>       proxy_set_header        Host $host:$server_port;
>>>>>>>       proxy_set_header        X-Real-IP $remote_addr;
>>>>>>>       proxy_set_header        X-Forwarded-For
>>>>>>> $proxy_add_x_forwarded_for;
>>>>>>>       proxy_set_header        X-Forwarded-Proto $scheme;
>>>>>>>
>>>>>>>
>>>>>>>       # Fix the "It appears that your reverse proxy set up is
>>>>>>> broken" error.
>>>>>>>       proxy_pass          http://127.0.0.1:9080;
>>>>>>>       proxy_read_timeout  90;
>>>>>>>
>>>>>>>       proxy_redirect      http://127.0.0.1:9080
>>>>>>> http://www.ci1.altlifelab.com;
>>>>>>>
>>>>>>>       # Required for new HTTP-based CLI
>>>>>>>       proxy_http_version 1.1;
>>>>>>>       proxy_request_buffering off;
>>>>>>>       # workaround for
>>>>>>> https://issues.jenkins-ci1.org/browse/JENKINS-45651
>>>>>>>       add_header 'X-SSH-Endpoint' 'ci1.altlifelab.com:50022' always;
>>>>>>>     }
>>>>>>>
>>>>>>>     listen 443 ssl; # managed by Certbot
>>>>>>>     ssl_certificate /etc/letsencrypt/live/
>>>>>>> ci1.altlifelab.com/fullchain.pem; # managed by Certbot
>>>>>>>     ssl_certificate_key /etc/letsencrypt/live/
>>>>>>> ci1.altlifelab.com/privkey.pem; # managed by Certbot
>>>>>>>     include /etc/letsencrypt/options-ssl-nginx.conf; # managed by
>>>>>>> Certbot
>>>>>>>     ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by
>>>>>>> Certbot
>>>>>>>
>>>>>>>
>>>>>>> }
>>>>>>>
>>>>>>> server {
>>>>>>>     if ($host = ci1.altlifelab.com) {
>>>>>>> #        return 301 https://$host$request_uri;
>>>>>>> return 301
>>>>>>> https://myapps.microsoft.com/signin/ci2/a825dd26-fed2-4423-ae69-6a7d457b4b44?tenantId=eb9970cc-4803-4f6a-9ad2-e9b46042c5fd
>>>>>>> ;
>>>>>>>     } # managed by Certbot
>>>>>>>
>>>>>>>
>>>>>>>     listen 80;
>>>>>>> server_name ci1.altlifelab.com;
>>>>>>> return 301
>>>>>>> https://myapps.microsoft.com/signin/ci2/a825dd26-fed2-4423-ae69-6a7d457b4b44?tenantId=eb9970cc-4803-4f6a-9ad2-e9b46042c5fd;
>>>>>>>
>>>>>>> }
>>>>>>>
>>>>>>> On Thu, Nov 26, 2020 at 5:04 AM HARISH KUMAR Ivaturi <
>>>>>>> harishkumarivaturi at gmail.com> wrote:
>>>>>>>
>>>>>>>> I am not sure if you have configured nginx with https_module. Once
>>>>>>>> try that. And also add proper headers in the nginx.conf like
>>>>>>>>
>>>>>>>> Listen 443 ssl;
>>>>>>>> Certificates location
>>>>>>>>
>>>>>>>> BR
>>>>>>>> Harish Kumar
>>>>>>>>
>>>>>>>> On Wed 25 Nov, 2020, 3:53 PM Pavan P, <pavan45 at gmail.com> wrote:
>>>>>>>>
>>>>>>>>> Hi,
>>>>>>>>> I have configured nginx to authenticate with azure AD for login.
>>>>>>>>>
>>>>>>>>> When I access the site abc.example.com it redirects to Azure for
>>>>>>>>> authentication and redirects me back once the authentication is complete.
>>>>>>>>>
>>>>>>>>> How ever when I try to access the site with https abc.example.com
>>>>>>>>> it does not redirect for authentication.
>>>>>>>>>
>>>>>>>>> Is there anyway I can get both http and https to redirect for
>>>>>>>>> azure auth.
>>>>>>>>>
>>>>>>>>> Regards,
>>>>>>>>> Pavan
>>>>>>>>>
>>>>>>>>> _______________________________________________
>>>>>>>>> nginx-devel mailing list
>>>>>>>>> nginx-devel at nginx.org
>>>>>>>>> http://mailman.nginx.org/mailman/listinfo/nginx-devel
>>>>>>>>
>>>>>>>> _______________________________________________
>>>>>>>> nginx-devel mailing list
>>>>>>>> nginx-devel at nginx.org
>>>>>>>> http://mailman.nginx.org/mailman/listinfo/nginx-devel
>>>>>>>
>>>>>>> _______________________________________________
>>>>>>> nginx-devel mailing list
>>>>>>> nginx-devel at nginx.org
>>>>>>> http://mailman.nginx.org/mailman/listinfo/nginx-devel
>>>>>>
>>>>>> _______________________________________________
>>>>>> nginx-devel mailing list
>>>>>> nginx-devel at nginx.org
>>>>>> http://mailman.nginx.org/mailman/listinfo/nginx-devel
>>>>>
>>>>> _______________________________________________
>>>>> nginx-devel mailing list
>>>>> nginx-devel at nginx.org
>>>>> http://mailman.nginx.org/mailman/listinfo/nginx-devel
>>>>
>>>> _______________________________________________
>>>> nginx-devel mailing list
>>>> nginx-devel at nginx.org
>>>> http://mailman.nginx.org/mailman/listinfo/nginx-devel
>>>
>>> _______________________________________________
>> nginx-devel mailing list
>> nginx-devel at nginx.org
>> http://mailman.nginx.org/mailman/listinfo/nginx-devel
>
> _______________________________________________
> nginx-devel mailing list
> nginx-devel at nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx-devel
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nginx.org/pipermail/nginx-devel/attachments/20201126/196bb1a0/attachment-0001.htm>


More information about the nginx-devel mailing list