Authorization header in combination with X-Accel-Redirect
plantian
nginx-forum at nginx.us
Wed Apr 14 23:30:21 MSD 2010
Maxim Dounin Wrote:
-------------------------------------------------------
> Hello!
>
> On Wed, Apr 14, 2010 at 05:33:10AM -0400, plantian
> wrote:
>
> > I have one proxy that is handling Authorization
> of users for
> > media content. This proxy really does authorize
> users,
> > returning 403 if they are not permitted to
> access a resource.
> > Then I proxy to amazon s3 to a private bucket.
> In order to
> > authenticate _myself_ I need to pass an
> Authorization header to
> > amazon s3. The name of the header is misleading
> because really
> > this is authentication. Is there any way to
> return that header
> > in the response from first proxy while returning
>
> > X-Accel-Redirect and have it passed to the
> second proxy?
>
> So you don't have Authorization header in original
> request but
> want to add it to proxied request to s3, right?
>
> Solution is to return header content in some
> custom header from
> you redirect script (e.g. X-Auth) and then set it
> in
> request to s3 via proxy_set_header. Tricky part
> is to extract it from
> $upstream_http_x_auth variable before it will be
> cleared by next
> proxy request - this requires an extra "set".
>
> location /files/ {
> # backend which returns X-Accel-Redirect
> and X-Auth
> # headers
>
> proxy_pass ...
> }
>
> location /s3/ {
> # proxy to s3
>
> internal;
> proxy_pass ...
>
> set $xauth $upstream_http_x_auth;
>
> proxy_set_header Authorization $xauth;
> }
>
> > I've tried setting Authorization in my first
> proxy and then
> > setting proxy_pass_header Authorization in the
> location of the
> > second proxy but it is never passed. Is there
> any way to do
> > this?
>
> Directive "proxy_pass_header" is to pass headers
> from backend to
> client (make sense for headers which are normally
> hidden, like
> X-Accel-Redirect). It has nothing to do with
> headers sent to
> upstream servers.
>
This makes sense now, thank you very much.
> > As a hack I've successfully set a query argument
> in
> > X-Accel-Redirect that I then extract and use to
> set the
> > Authorization header. This doesn't seem right
> but its working
> > for some reason.
>
> See above for better solution.
>
> Maxim Dounin
>
> _______________________________________________
> nginx mailing list
> nginx at nginx.org
> http://nginx.org/mailman/listinfo/nginx
It works flawlessly, thanks.
-Ian
Posted at Nginx Forum: http://forum.nginx.org/read.php?2,74809,75012#msg-75012
More information about the nginx
mailing list