Authorization header in combination with X-Accel-Redirect

plantian nginx-forum at nginx.us
Wed Apr 14 23:30:21 MSD 2010


Maxim Dounin Wrote:
-------------------------------------------------------
> Hello!
> 
> On Wed, Apr 14, 2010 at 05:33:10AM -0400, plantian wrote:
> 
> > I have one proxy that is handling Authorization of users for
> > media content.  This proxy really does authorize users,
> > returning 403 if they are not permitted to access a resource.
> > Then I proxy to amazon s3 to a private bucket.  In order to
> > authenticate _myself_ I need to pass an Authorization header to
> > amazon s3.  The name of the header is misleading because really
> > this is authentication.  Is there any way to return that header
> > in the response from first proxy while returning
> > X-Accel-Redirect and have it passed to the second proxy?
> 
> So you don't have Authorization header in original request but
> want to add it to proxied request to s3, right?
>
> Solution is to return header content in some custom header from
> your redirect script (e.g. X-Auth) and then set it in
> request to s3 via proxy_set_header.  Tricky part is to extract it from
> $upstream_http_x_auth variable before it will be cleared by next
> proxy request - this requires an extra "set".
> 
>     location /files/ {
>         # backend which returns X-Accel-Redirect and X-Auth
>         # headers
> 
>         proxy_pass ...
>     }
> 
>     location /s3/ {
>         # proxy to s3
> 
>         internal;
>         proxy_pass ...
> 
>         set $xauth $upstream_http_x_auth;
> 
>         proxy_set_header Authorization $xauth;
>     }
> 
> > I've tried setting Authorization in my first proxy and then
> > setting proxy_pass_header Authorization in the location of the
> > second proxy but it is never passed.  Is there any way to do
> > this?
> 
> Directive "proxy_pass_header" is to pass headers from backend to
> client (makes sense for headers which are normally hidden, like
> X-Accel-Redirect).  It has nothing to do with headers sent to
> upstream servers.
> 

This makes sense now, thank you very much.

> > As a hack I've successfully set a query argument in
> > X-Accel-Redirect that I then extract and use to set the
> > Authorization header.  This doesn't seem right but it's working
> > for some reason.
> 
> See above for better solution.
> 
> Maxim Dounin

It works flawlessly, thanks.

-Ian

Posted at Nginx Forum: http://forum.nginx.org/read.php?2,74809,75012#msg-75012
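
The backend half of the setup described in this thread, as an added example that is not part of the original messages: a WSGI application that answers 403 for users who are not permitted and otherwise returns X-Accel-Redirect plus the custom X-Auth header that the /s3/ location copies into Authorization. Assumptions not in the thread: the backend is Python/WSGI, the authenticated user arrives in REMOTE_USER, /files/<key> maps to /s3/<key>, object keys use a conservative character set, and `sign` is a hypothetical callable that produces the Authorization value S3 expects.

```python
import re

SEGMENT = re.compile(r"[A-Za-z0-9._-]+")  # assumed conservative key charset

def object_key(path):
    """Map /files/<key> to <key>; None if the key could escape /s3/."""
    if not path.startswith("/files/"):
        return None
    segments = path[len("/files/"):].split("/")
    for seg in segments:
        if seg in (".", "..") or not SEGMENT.fullmatch(seg):
            return None  # empty, dot or odd segments never reach nginx
    return "/".join(segments)

def make_app(acl, sign):
    """acl: user -> set of keys; sign: key -> Authorization value for S3."""
    def app(environ, start_response):
        user = environ.get("REMOTE_USER", "")  # assumed set by earlier auth
        key = object_key(environ.get("PATH_INFO", ""))
        if key is None or key not in acl.get(user, ()):
            start_response("403 Forbidden", [("Content-Type", "text/plain")])
            return [b"forbidden\n"]
        start_response("200 OK", [
            ("X-Accel-Redirect", "/s3/" + key),  # internal location in nginx
            ("X-Auth", sign(key)),               # read as $upstream_http_x_auth
        ])
        return [b""]
    return app

def call(app, user, path):
    """Drive the WSGI app once; return (status, headers as dict)."""
    seen = {}
    def start_response(status, headers):
        seen["status"], seen["headers"] = status, dict(headers)
    b"".join(app({"REMOTE_USER": user, "PATH_INFO": path}, start_response))
    return seen["status"], seen["headers"]

if __name__ == "__main__":
    # Constructed sample data, not real users, keys or credentials.
    demo = make_app({"alice": {"videos/intro.mp4"}}, lambda k: "PLACEHOLDER")
    print(call(demo, "alice", "/files/videos/intro.mp4"))
    print(call(demo, "bob", "/files/videos/intro.mp4"))
```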