Authorization header in combination with X-Accel-Redirect
Maxim Dounin
mdounin at mdounin.ru
Wed Apr 14 14:13:24 MSD 2010
Hello!
On Wed, Apr 14, 2010 at 05:33:10AM -0400, plantian wrote:
> I have one proxy that is handling Authorization of users for
> media content. This proxy really does authorize users,
> returning 403 if they are not permitted to access a resource.
> Then I proxy to amazon s3 to a private bucket. In order to
> authenticate _myself_ I need to pass an Authorization header to
> amazon s3. The name of the header is misleading because really
> this is authentication. Is there any way to return that header
> in the response from first proxy while returning
> X-Accel-Redirect and have it passed to the second proxy?
So you don't have Authorization header in original request but
want to add it to proxied request to s3, right?
Solution is to return header content in some custom header from
you redirect script (e.g. X-Auth) and then set it in
request to s3 via proxy_set_header. Tricky part is to extract it from
$upstream_http_x_auth variable before it will be cleared by next
proxy request - this requires an extra "set".
location /files/ {
# backend which returns X-Accel-Redirect and X-Auth
# headers
proxy_pass ...
}
location /s3/ {
# proxy to s3
internal;
proxy_pass ...
set $xauth $upstream_http_x_auth;
proxy_set_header Authorization $xauth;
}
> I've tried setting Authorization in my first proxy and then
> setting proxy_pass_header Authorization in the location of the
> second proxy but it is never passed. Is there any way to do
> this?
Directive "proxy_pass_header" is to pass headers from backend to
client (make sense for headers which are normally hidden, like
X-Accel-Redirect). It has nothing to do with headers sent to
upstream servers.
> As a hack I've successfully set a query argument in
> X-Accel-Redirect that I then extract and use to set the
> Authorization header. This doesn't seem right but its working
> for some reason.
See above for better solution.
Maxim Dounin
More information about the nginx
mailing list