Unable to use subrequest authentication for proxied site

Lists lists at benjamindsmith.com
Sun Sep 20 17:33:43 UTC 2020 

See reply below 

On Sunday, September 20, 2020 8:29:32 AM PDT Francis Daly wrote:
> On Sat, Sep 19, 2020 at 09:26:57AM -0700, Lists wrote:
> 
> Hi there,
> 
> > How do I configure nginx to use subrequest authentication for a reverse
> > proxied application with websocket upgrades? The documentation doesn't
> > seem to contain the information I need to do this.
> 
> I have not tested the websocket part, but the rest of it "Works For
> Me" (see below); and the response that you report does not seem to be
> restricted to websockets in your case.
> 
> > *********************************************************
> > WHAT IS HAPPENING (Schenario 1)
> > 
> > 3) /external/etherpad.php receives authentication request, gets
> > X-Original-URI and validates the request, returning an http_code 200 when
> > all is well.
> > 
> > 4) Nginx attempts to resolve the request as a local file, can't find it,
> > and returns 404 to the end user.
> 
> Does that return a 404, or something else, when /external/etherpad.php
> does not return http_code 200?

Hmm, 

> 
> > SCENARIO 1 NGINX CONFIG FILE
> > 
> >   location /p/ {
> >   
> >        auth_request /auth;
> >        auth_request_set $auth_status $upstream_status;
> >        }
> 
> That does not cause the request /p/MyPad to be proxy_pass'ed anywhere,
> because there is no proxy_pass in this location.
> 
> > *********************************************************
> > WHAT IS HAPPENING (Schenario 2: invalid session ID)
> > 
> > 
> > 3) /external/etherpad.php receives authentication request, gets
> > X-Original-URI and validates the request, returning an http_code 401.
> 
> Out of interest - if you make that request yourself, manually, do you see
> the http 401; or do you see something like a http 200 with a message of
> "this is a 401"?
> 
> (It's unlikely, but is the only thing I can think of right now that
> might show why your test case differs from mine, below.)

Turns out this is *exactly* what was happening - Ugh. I hadn't published an 
"open" security profile for the /external/etherpad.php URI and it was 
responding with a login page and http code 200. 

So publishing a security profile for that page fixed the problem and now (with 
the correct proxy adding "/p/" at the end) and it seems to be passing all the 
tests I expect. 

But if the result was a login screen instead of a successful result, I'm 
thinking it *still* should have (not) worked. How is getting a login screen 
instead of the expected result a "successful" request? 

So I'm doing an audit to update my authentication code to return proper http 
response codes instead of just friendly end-user http response "200" pages. 

I thank you for your time and consideration. 

>   curl -i -H 'X-Original-URI: /p/MyPadId?sess_id=INVALID' https://
mydomain.dom/external/etherpad.php
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 488 bytes
Desc: This is a digitally signed message part.
URL: <http://mailman.nginx.org/pipermail/nginx/attachments/20200920/967fa6ab/attachment.bin>

More information about the nginx mailing list