Unable to use subrequest authentication for proxied site
Lists
lists at benjamindsmith.com
Fri Sep 25 02:56:44 UTC 2020
Following up, after implementation and rollout.
On Monday, September 21, 2020 1:52:32 AM PDT Francis Daly wrote:
> That's probably the right thing to do overall; except that you probably
> will not control what the typical browser shows for (e.g.) a 401 response.
I've not seen that a 401 or whatever error code causes browsers to do "funny
stuff". I've long had a mildly amusing 404 page, for example.
> If the rest of your application already works with the 200 "please login"
> screen, then potentially you could send the 401 to nginx in response to
> the auth_request request; and add an "error_page 401 = /login_screen;"
> in the nginx location{}, and make the nginx subrequest for /login_screen
> return that "please login" with a 200 status.
In my case, if the nginx proxy auth request fails, there are other issues
elsewhere in the app and a simple denied screen is almost certainly sufficient.
As a side note, within the app, if you make a request and it gives you a login
screen instead, it has an http_code of 401. But if you specifically ask for the
login screen EG: /login.php then that's 200. It's only the case where the
thing requested is different than the thing returned that it gives you a 401,
403, or 404.
> http://nginx.org/r/error_page for more information on that option.
>
> That could maintain the control that you currently have over what the
> end-user sees, while still having nginx allow the expected requests
> based on what the upstream says.
Thanks. I might do that at some point in the future but right now nginx is
serving a subdomain within an iframe of the main app and so is not the primary
page the user sees.
In a *legitimate* use, anyway. The proxy auth is to thwart malicious use.
Thanks again,
Ben S
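
The arrangement suggested in the quoted reply above (a 401 from the auth_request subrequest, mapped by error_page to a "please login" page served with status 200), written out as an nginx configuration. This is an added example, not configuration posted by either participant; the server name, the upstream address 127.0.0.1:8080 and the /auth_check.php endpoint are assumptions, while /login_screen and /login.php are the names used in the thread.

```nginx
# Added example. Hostname, upstream address and /auth_check.php are assumed.
server {
    listen 80;
    server_name sub.example.com;              # placeholder hostname

    location / {
        # Every request is gated by a subrequest to the application.
        # nginx allows the request on a 2xx answer, denies it on 401 or 403,
        # and treats any other status from the subrequest as an error.
        # A "please login" page answered with 200 would therefore count
        # as "allowed", so the auth endpoint must answer 401 when it denies.
        auth_request /auth_check;

        # On denial, internally redirect to /login_screen. The bare "="
        # makes the client see the status that location produces (200)
        # instead of the 401.
        error_page 401 = /login_screen;

        proxy_pass http://127.0.0.1:8080;     # assumed upstream
    }

    location = /auth_check {
        internal;                             # not reachable by clients directly
        proxy_pass http://127.0.0.1:8080/auth_check.php;  # hypothetical endpoint
        # The auth decision needs headers and cookies, not the request body.
        proxy_pass_request_body off;
        proxy_set_header Content-Length "";
        proxy_set_header X-Original-URI $request_uri;
    }

    location = /login_screen {
        internal;
        # auth_request is set only in "location /", so it does not apply
        # here and the login page itself is never gated.
        proxy_pass http://127.0.0.1:8080/login.php;
    }
}
```

For the plain denied screen preferred in the reply above, drop the error_page line and the /login_screen location; the client then receives the 401 or 403 directly.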