Nonstandard Response Headers

Manlio Perillo manlio_perillo at libero.it
Tue Jan 22 11:57:39 MSK 2008


Brendan Schwartz wrote:
> On Jan 21, 2008 4:21 AM, Manlio Perillo <manlio_perillo at libero.it> wrote:
> [...]
>>
>> Try to use $upstream_http_authorization directly in the remote-proxy
>> location.
>>
>> If this does not work, then I have no idea on how to solve your problem.
>>
> 
> Unfortunately, this doesn't work.
> 

I think the problem is with the two upstreams being in two separate
locations.


>>> I'm trying to use nginx as a proxy for a remote server. But in order
>>> to access the content on the remote server, I need to pass an
>>> Authorization header to it. The local backend is able to produce valid
>>> authorization tokens.
>>>
>>> So here's what I want to happen: the local backend produces an
>>> Authorization header which is then passed to the remote server
>>> backend. The remote server accepts the authorized request and returns
>>> the protected content to nginx which passes it on to the end user.
>>>
>>> Does this make sense?
>>>
>> Why not just ask the user to supply the Authorization header?
>>
>> Moreover, since the remote-proxy is "internal", I don't see any need to
>> supply authorization info.
>>
>> The authorization *must* be done in the local backend, and only if the
>> client is allowed to access the protected content, you set the
>> X-Accel-Redirect.
>>
>> This content is only accessible by nginx, and not by external clients.
>>
> 
> In my situation the end user shouldn't (and doesn't) have any
> knowledge of the authentication mechanism between this "remote server"
> and nginx. The remote-proxy is marked as "internal" to prevent users
> from accessing that URL directly (without permission from the local
> backend) and gaining access to the protected content on the remote
> server.
> 
> What I'd like to have happen is this:
> The end user authenticates with the local backend at which point nginx
> will fetch the protected content from the remote server and serve it
> to them.
> 


But this is already supported by nginx.
You have to set the X-Accel-Redirect only when the end user successfully
authenticates with the local backend.

>>> Thanks,
>>> Brendan
>>>


Manlio Perillo
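
The rule stated in the reply above (set X-Accel-Redirect only after the end user has authenticated with the local backend), shown as an added example that is not part of the original message or of nginx: a WSGI local backend that makes that decision. The /remote-proxy/ prefix, the "session" cookie name and the token set are assumptions made for illustration.

```python
import hmac
from urllib.parse import quote

INTERNAL_PREFIX = "/remote-proxy/"  # assumed: the nginx location marked "internal"
VALID_SESSIONS = {"constructed-session-token"}  # constructed sample data


def authenticated(environ):
    """True only if the request carries a known session cookie (hypothetical scheme)."""
    for part in environ.get("HTTP_COOKIE", "").split(";"):
        name, _, value = part.strip().partition("=")
        if name == "session":
            # Constant-time comparison against each known token.
            return any(hmac.compare_digest(value.encode(), s.encode())
                       for s in VALID_SESSIONS)
    return False


def internal_target(path_info):
    """Map a client path to a URI under INTERNAL_PREFIX; None if it is unsafe."""
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in path_info):
        return None  # no CR/LF/NUL may reach a response header
    segments = [s for s in path_info.split("/") if s]
    if not segments or any(s in (".", "..") for s in segments):
        return None  # refuse traversal instead of normalizing it away
    return INTERNAL_PREFIX + quote("/".join(segments))


def decide(environ):
    """Return (status, headers); X-Accel-Redirect appears only after auth succeeds."""
    if not authenticated(environ):
        return "401 Unauthorized", [("Content-Type", "text/plain")]
    target = internal_target(environ.get("PATH_INFO", ""))
    if target is None:
        return "400 Bad Request", [("Content-Type", "text/plain")]
    return "200 OK", [("X-Accel-Redirect", target)]


def app(environ, start_response):
    """WSGI entry point for the local backend that nginx proxies to."""
    status, headers = decide(environ)
    start_response(status, headers)
    return [b""]
```

Because the internal location cannot be requested directly by clients, this backend response is the only way a request reaches it, so every path that emits the header has to sit behind the authentication check.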