Authorization header in combination with X-Accel-Redirect

Maxim Dounin mdounin at
Wed Apr 14 14:13:24 MSD 2010


On Wed, Apr 14, 2010 at 05:33:10AM -0400, plantian wrote:

> I have one proxy that is handling Authorization of users for 
> media content.  This proxy really does authorize users, 
> returning 403 if they are not permitted to access a resource.  
> Then I proxy to amazon s3 to a private bucket.  In order to 
> authenticate _myself_ I need to pass an Authorization header to 
> amazon s3.  The name of the header is misleading because really 
> this is authentication.  Is there any way to return that header 
> in the response from first proxy while returning 
> X-Accel-Redirect and have it passed to the second proxy?

So you don't have Authorization header in original request but 
want to add it to proxied request to s3, right?

Solution is to return header content in some custom header from 
you redirect script (e.g. X-Auth) and then set it in 
request to s3 via proxy_set_header.  Tricky part is to extract it from 
$upstream_http_x_auth variable before it will be cleared by next 
proxy request - this requires an extra "set".

    location /files/ {
        # backend which returns X-Accel-Redirect and X-Auth 
        # headers

        proxy_pass ...

    location /s3/ {
        # proxy to s3

        proxy_pass ...

        set $xauth $upstream_http_x_auth;

        proxy_set_header Authorization $xauth;

> I've tried setting Authorization in my first proxy and then 
> setting proxy_pass_header Authorization in the location of the 
> second proxy but it is never passed.  Is there any way to do 
> this?

Directive "proxy_pass_header" is to pass headers from backend to 
client (make sense for headers which are normally hidden, like 
X-Accel-Redirect).  It has nothing to do with headers sent to 
upstream servers.

> As a hack I've successfully set a query argument in 
> X-Accel-Redirect that I then extract and use to set the 
> Authorization header.  This doesn't seem right but its working 
> for some reason.

See above for better solution.

Maxim Dounin

More information about the nginx mailing list