Nginx as Rproxy with auth_request, websocket and authorization header change
B3r3n-NGinx
nginx at hide.argosnet.com
Tue Jun 8 09:16:04 UTC 2021
Hello,
I use NGinx as a front end for several kinds of access.
Until now I had a configuration that worked perfectly, but after a recent
failure I exchanged with the NGinx team and learned that what I was doing
is... impossible :-)
But apparently it is just a configuration issue, so it should be possible
after all.
NGinx should act as :
1- web server without auth for / (OK)
2- Web server with basic auth for /manager (OK)
3- Web server with authentication delegated to a back-end auth_request for
/vigrid, then changing to websocket (OK)
4- Web server with authentication delegated to a back-end auth_request for
/vigrid, then changing to websocket, CHANGING AUTHORIZATION (FAIL)
From 1 to 3, no issue, NGinx behaves perfectly: it validates the login (if
needed) and then does the job.
The issue is with 4. The Heavy client sends the Authorization header, NGinx
passes the request to /auth, which decides either to block it or to let it
through, but then it must change the Authorization header before the proxy
forwards the request to the real back end.
That is the problem...
The PHP script really receives everything and changes the header, but this
header is not received back at the NGinx level, so the proxy keeps
forwarding the old Authorization header, which the back end does not
recognize (NGinx does the authentication job).
I fail to understand where the issue is. I also tried with
more_set_headers (headers-more module); that failed as well.
Any help welcome, I have been struggling with this for 3 days :-(
Here is my config...
### MAIN SERVER:
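server {
    # Loopback only: something else (or the client on the same host) must
    # reach this vhost; it is the TLS front end for everything below.
    listen 127.0.0.1:443 ssl default;
    server_name localhost;

    # Take fullchain here, not cert.pem
    ssl_certificate /etc/nginx/ssl/localhost.crt;
    ssl_certificate_key /etc/nginx/ssl/localhost.key;
    # NOTE(review): nginx documents the "builtin" cache as a fragmentation
    # risk and recommends "shared" alone; kept as-is to stay behaviour-neutral.
    ssl_session_cache builtin:1000 shared:SSL:1m;
    ssl_session_timeout 5m;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;

    # hide version
    server_tokens off;

    access_log /var/log/nginx/access.log;
    error_log /var/log/nginx/error.log;

    root /home/vigrid/www/site;
    index index.html index.htm index.php;

    # 1- Vigrid home page: no authentication.
    location /
    {
        # sanity
        location = /favicon.ico { access_log off; log_not_found off; }
        location = /robots.txt { log_not_found off; }

        # Forced content types. "add_header Content-Type" only APPENDS a
        # second Content-Type next to the one nginx derives from mime.types;
        # "types {} default_type" is the way to override it. The regexes are
        # anchored so that e.g. ".json" or ".jsx" no longer hit the ".js" rule,
        # and the obsolete application/x-javascript is replaced by
        # application/javascript.
        location ~ \.css$  { types {} default_type text/css; }
        location ~ \.js$   { types {} default_type application/javascript; }
        location ~ \.eot$  { types {} default_type application/vnd.ms-fontobject; }
        location ~ \.woff$ { types {} default_type font/woff; }

        # .htm, .html and .php are all executed by PHP-FPM.
        # "try_files $uri =404" must stay: "/x.html/anything" is refused unless
        # that exact path is a file, which is what blocks the classic PATH_INFO
        # script-execution trick.
        location ~* \.(htm|html|php)$
        {
            try_files $uri =404;
            fastcgi_split_path_info ^(.+\.html)(/.+)$;
            fastcgi_index index.html;
            fastcgi_pass unix:/run/php/php7.4-fpm.sock;
            include /etc/nginx/fastcgi_params;
            fastcgi_param PATH_INFO $fastcgi_path_info;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        }
    }

    # 2- Vigrid management pages: HTTP Basic auth AND the /auth backend must
    # both accept the request (nginx default is "satisfy all").
    location /manager
    {
        # Basic authentication
        auth_basic "Vigrid's access, who are you ?";
        auth_basic_user_file /home/vigrid/etc/vigrid-passwd;
        auth_request /auth;
        auth_request_set $auth_status $upstream_status;

        # Same content-type handling as in "/" (see the comments there).
        location ~ \.css$  { types {} default_type text/css; }
        location ~ \.js$   { types {} default_type application/javascript; }
        location ~ \.eot$  { types {} default_type application/vnd.ms-fontobject; }
        location ~ \.woff$ { types {} default_type font/woff; }

        location ~* \.(htm|html|php)$
        {
            try_files $uri =404;
            fastcgi_split_path_info ^(.+\.html)(/.+)$;
            fastcgi_index index.html;
            fastcgi_pass unix:/run/php/php7.4-fpm.sock;
            include /etc/nginx/fastcgi_params;
            fastcgi_param PATH_INFO $fastcgi_path_info;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        }
    }

    # 3/4- Vigrid Heavy client: authentication is delegated to /auth, then the
    # request is proxied to the back end (and may be upgraded to a WebSocket).
    #
    # The former "proxy_set_header 'Authorization' $authHeader0;" line was
    # removed: its auth_request_set was commented out, so $authHeader0 was
    # never defined (nginx refuses to load a config that references an
    # undefined variable), and a second proxy_set_header for the same field
    # does not replace the first one.
    location /vigrid
    {
        auth_request /auth;
        auth_request_set $auth_status $upstream_status;

        # $upstream_http_authorization is the "Authorization" header of the
        # auth backend's RESPONSE to the subrequest. auth_request_set is the
        # only place where the subrequest's headers are still visible, so the
        # value has to be captured into a variable here.
        # NOTE(review): this means the PHP script must send
        # header('Authorization: ...') in its response; rewriting
        # $_SERVER['HTTP_AUTHORIZATION'] (the request side) is invisible to
        # nginx and leaves $auth_header empty.
        auth_request_set $auth_header $upstream_http_authorization;

        proxy_pass http://172.29.0.254:8080;
        proxy_set_header Host $host;
        # Replaces the client's own Authorization header with the one chosen
        # by the auth backend. If the backend sent none, $auth_header is empty
        # and nginx then sends no Authorization header at all, so the
        # client-supplied value can never reach the back end unchanged.
        proxy_set_header Authorization $auth_header;

        # WebSocket upgrade.
        # NOTE(review): "Connection: Upgrade" is sent for every request, also
        # plain HTTP ones; the idiomatic form is a
        # "map $http_upgrade $connection_upgrade" in the http{} block, which is
        # outside this server and not shown here.
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";
    }

    # auth_request target: internal only, never reachable from a client URL.
    location = /auth
    {
        internal;
        proxy_pass http://localhost:8001;
        # The subrequest carries the original request headers (including the
        # client's Authorization) but never the body.
        proxy_pass_request_body off;
        proxy_set_header Content-Length "";
        proxy_set_header X-Original-URI $request_uri;
        proxy_set_header X-Original-Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        # NOTE(review): $proxy_add_x_forwarded_for appends to whatever
        # X-Forwarded-For the client sent, so the auth backend should base
        # any IP decision on X-Real-IP, not on the first XFF entry.
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Host $server_name;
    }

    location ~ ^/(images|javascript|js|css|flash|media|static|font)/ {
        expires 7d;
    }

    # Never serve .htaccess/.htpasswd-style files.
    location ~ /\.ht {
        deny all;
    }

    # Server-level fallback for locations that set no try_files of their own.
    try_files $uri $uri/ /index.html?$args /index.htm?$args /index.php?$args;
}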
### AUTH:
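server {
    # Loopback only: this vhost exists to answer the auth_request subrequests
    # sent by the TLS front end; it is not meant to be reachable by clients.
    listen 127.0.0.1:8001;
    server_name localhost;

    access_log /var/log/nginx/vigrid_auth-access.log;
    error_log /var/log/nginx/vigrid_auth-error.log;

    root /home/vigrid/www/auth;
    index vigrid-auth.php;

    # hide version
    server_tokens off;

    # Never serve .htaccess/.htpasswd-style files.
    location ~ /\.ht {
        deny all;
    }

    location /
    {
        # cleaning
        location = /favicon.ico { access_log off; log_not_found off; }
        location = /robots.txt { log_not_found off; }

        # Forced content types. "add_header Content-Type" only APPENDS a
        # second Content-Type next to the one nginx derives from mime.types;
        # "types {} default_type" is the way to override it. Regexes anchored
        # and the obsolete application/x-javascript replaced.
        location ~ \.css$  { types {} default_type text/css; }
        location ~ \.js$   { types {} default_type application/javascript; }
        location ~ \.eot$  { types {} default_type application/vnd.ms-fontobject; }
        location ~ \.woff$ { types {} default_type font/woff; }

        # NOTE(review): any existing file under the root is served as-is, and
        # any other path falls through (try_files below) to vigrid-auth.php.
        # Keep only the auth script in /home/vigrid/www/auth; nothing else
        # needs to live in an auth backend's document root.
        location ~* \.(htm|html|php)$
        {
            # Refuses "/x.php/anything" unless that exact path is a file.
            try_files $uri =404;
            fastcgi_split_path_info ^(.+\.php)(/.+)$;
            fastcgi_index vigrid-auth.php;
            fastcgi_pass unix:/run/php/php7.4-fpm.sock;
            # In the mail the next directive sat behind a dangling "#", so it
            # is unclear whether it was meant to be active. Either way it is
            # a no-op: Authorization is not in fastcgi's default hidden-header
            # list, so the PHP script's response header already passes
            # through unless a fastcgi_hide_header for it exists elsewhere.
            fastcgi_pass_header Authorization;
            include /etc/nginx/fastcgi_params;
            fastcgi_param PATH_INFO $fastcgi_path_info;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        }

        location ~ ^/(images|javascript|js|css|flash|media|static|font)/ {
            expires 7d;
        }

        # Redundant with the server-level rule above; harmless, kept as a
        # belt-and-braces deny.
        location ~ /\.ht {
            deny all;
        }

        # Everything that is not a real file or directory is answered by the
        # auth script.
        try_files $uri $uri/ /vigrid-auth.php?$args;
    }
}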