Nonstandard Response Headers

Brendan Schwartz bschwartz at tropist.com
Tue Jan 22 17:52:02 MSK 2008


On Jan 22, 2008 3:57 AM, Manlio Perillo <manlio_perillo at libero.it> wrote:
> Brendan Schwartz wrote:
> > On Jan 21, 2008 4:21 AM, Manlio Perillo <manlio_perillo at libero.it> wrote:
> > [...]
> >>
> >> Try to use $upstream_http_authorization directly in the remote-proxy
> >> location.
> >>
> >> If this does not work, then I have no idea how to solve your problem.
> >>
> >
> > Unfortunately, this doesn't work.
> >
>
> I think the problem is with the two upstreams being in two separate
> locations.
>
>
>
> >>> I'm trying to use nginx as a proxy for a remote server. But in order
> >>> to access the content on the remote server, I need to pass an
> >>> Authorization header to it. The local backend is able to produce valid
> >>> authorization tokens.
> >>>
> >>> So here's what I want to happen: the local backend produces an
> >>> Authorization header which is then passed to the remote server
> >>> backend. The remote server accepts the authorized request and returns
> >>> the protected content to nginx which passes it on to the end user.
> >>>
> >>> Does this make sense?
> >>>
> >> Why not just ask the user to supply the Authorization header?
> >>
> >> Moreover, since the remote-proxy is "internal", I don't see any need to
> >> supply authorization info.
> >>
> >> The authorization *must* be done in the local backend, and only if the
> >> client is allowed to access the protected content, you set the
> >> X-Accel-Redirect.
> >>
> >> This content is only accessible by nginx, and not by external clients.
> >>
> >
> > In my situation the end user shouldn't (and doesn't) have any
> > knowledge of the authentication mechanism between this "remote server"
> > and nginx. The remote-proxy is marked as "internal" to prevent users
> > from accessing that URL directly (without permission from the local
> > backend) and gaining access to the protected content on the remote
> > server.
> >
> > What I'd like to have happen is this:
> > The end user authenticates with the local backend at which point nginx
> > will fetch the protected content from the remote server and serve it
> > to them.
> >
>
>
> But this is already supported by nginx.
> You have to set the X-Accel-Redirect only when the end user successfully
> authenticates with the local backend.

Yes, and that part has been working without a hitch. But in my
situation, the content that I'm X-Accel-Redirect'ing to is on another
server and that server requires an auth token in order to get at the
content. So, the piece that I can't seem to figure out is how to get
Nginx to pass the auth token header I generate on the local backend to
the remote server.

The output from the local backend contains headers like this:
Authorization: mytoken123
X-Accel-Redirect: /remote-proxy/my_protected_asset

I would like the Authorization header to be passed to the
remote-proxy. However, I can't figure out a way to do this.

> >>> Thanks,
> >>> Brendan
> >>>
>
>
> Manlio Perillo
>
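
The setup discussed in this thread, as an added configuration sketch that is not part of the original messages and not taken from either poster. It assumes a current nginx release, where a `set` in the internal location runs in the rewrite phase after the X-Accel-Redirect and can still read the first upstream's response headers; the thread does not confirm this for the 2008 version. The upstream name, addresses and the host remote.example.com are placeholders.

```nginx
# Added illustration; names, ports and hosts below are placeholders.
upstream local_backend {
    server 127.0.0.1:8080;
}

server {
    listen 80;

    # Public entry point. The local backend authenticates the end user and,
    # only on success, answers with headers of the form shown in the thread:
    #   Authorization: mytoken123
    #   X-Accel-Redirect: /remote-proxy/my_protected_asset
    location / {
        proxy_pass http://local_backend;
    }

    # Reachable only through X-Accel-Redirect; a direct client request
    # to /remote-proxy/... is answered with 404.
    location /remote-proxy/ {
        internal;

        # Copy the token out of the local backend's response before the
        # second upstream request replaces the $upstream_http_* values.
        set $remote_auth $upstream_http_authorization;

        # Overwrites any Authorization header the client sent itself.
        # If $remote_auth is empty, nginx sends no Authorization header,
        # so the remote server should reject the request.
        proxy_set_header Authorization $remote_auth;
        proxy_set_header Host remote.example.com;

        # Trailing slash strips the /remote-proxy/ prefix from the URI.
        proxy_pass https://remote.example.com/;
    }
}
```

With this layout the token travels only between nginx and the two backends; the end user sees neither the token nor the remote server's address.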




