HTTP Basic Auth question
ussray_00 at yahoo.com
Thu May 9 19:55:22 UTC 2013
Sorry for the long delay.
I have tried the following configuration which does not seem to work at all.
proxy_set_header Authorization "$remote_user";|
I can still sniff the traffic on lo and get the base64 user:pass. The interesting thing is I do not see the Authorization header being sent to the django app whatsoever. Is there a way I can totally remove the header even at the loop back level so it is not able to get intercepted?
----- Original Message -----
From: Francis Daly <francis at daoine.org>
To: nginx at nginx.org
Sent: Wednesday, May 1, 2013 4:45 PM
Subject: Re: HTTP Basic Auth question
On Wed, May 01, 2013 at 01:17:41PM -0400, B.R. wrote:
> To pass the nginx user to a fastcgi backend (PHP), I have to explicitly
> specify it using the following directive:
> fastcgi_param MY_USER $remote_user;
> I suppose you can do the same with proxy_pass?
That's how I'd do it -- probably proxy_set_header if the python
application is accessed using proxy_pass.
> I dunno how to remove an automatically forwarded parameter though... Maybe
> overwriting it with an empty string?
The password is in the http header Authorization, so using
proxy_hide_header to avoid sending that should be enough.
> On Wed, May 1, 2013 at 10:26 AM, Russ Lavoy <ussray_00 at yahoo.com> wrote:
> > I am running nginx as a reverse proxy to a python application. I am
> > wondering how I would be able to pass ONLY the user account and not the
> > password. Can this be done?
As above: how are the user and pass currently sent? It will be by
"fastcgi_pass" or "proxy_pass" or something similar. Use the matching
"_hide_header" directive on the correct header to avoid sending it.
How do you want the user to be sent? Use the variable $remote_user and
the matching "_set_header" or "_param" directive to send the provided
Francis Daly francis at daoine.org
nginx mailing list
nginx at nginx.org
More information about the nginx