Nginx as Rproxy with auth_request, websocket and authorization header change

B3r3n-NGinx nginx at hide.argosnet.com
Tue Jun 8 09:16:04 UTC 2021


Hello,

I use NGinx as a front end for multiple accesses.

Until now I had a configuration that was working perfectly, but after a
recent failure I exchanged with the NGinx team and discovered that what I was
doing is...impossible :-)

But apparently it is just a configuration issue, so it should be
possible.

NGinx should act as :
1- web server without auth for / (OK)
2- Web server with basic auth for /manager (OK)
3- Web server with authentication delegated to a back-end auth_request for
/vigrid, then changing to websocket (OK)
4- Web server with authentication delegated to a back-end auth_request for
/vigrid, then changing to websocket, CHANGING AUTHORIZATION (FAIL)

From 1 to 3 there is no issue; NGinx behaves perfectly. It validates the
login (if needed) and then does the job.

The issue is with 4. The Heavy client sends the Authorization header, NGinx
sends it to /auth, which decides either to block or to let it pass, but then
it changes the authorization header before the proxy forwards the request to
the real back end.
That is the problem...

The PHP script really receives everything and changes the header, but this
header is not received back at the NGinx level, so the proxy keeps
receiving the old Authorization header, which is not recognized (NGinx does
the authentication job).

I fail to understand where the issue is. I also tried with
more_set_header, which failed as well.

Any help welcome, I struggle for 3 days with this :-(

Here is my config...

### MAIN SERVER:
server {
  # Public HTTPS front end. It binds only the loopback address, so some other
  # component must be delivering external traffic to 127.0.0.1:443.
  listen 127.0.0.1:443 ssl default;
  server_name localhost;

  # Take fullchain here, not cert.pem
  ssl_certificate      /etc/nginx/ssl/localhost.crt;
  ssl_certificate_key  /etc/nginx/ssl/localhost.key;

  ssl_session_cache    builtin:1000 shared:SSL:1m;
  ssl_session_timeout  5m;

  # TLS 1.2+ only; the cipher string excludes anonymous suites and MD5.
  ssl_protocols   TLSv1.2 TLSv1.3;
  ssl_ciphers  HIGH:!aNULL:!MD5;
  ssl_prefer_server_ciphers  on;

  # hide version
  server_tokens        off;

  access_log /var/log/nginx/access.log;
  error_log /var/log/nginx/error.log;

  root   /home/vigrid/www/site;
  index  index.html index.htm index.php;

  # Vigrid home page: no authentication of any kind.
  location /
  {
    # sanity
    location = /favicon.ico { access_log off; log_not_found off; }
location = /robots.txt  { log_not_found off; }

    # These regexes carry no "$" anchor, so "\.css" also matches e.g.
    # "/x.css.bak". add_header appends a header rather than replacing one, so
    # a response already typed by the mime map may end up with two
    # Content-Type headers; the "types" directive is the usual way to set
    # these. "application/javascript" is the current MIME type for JS.
    location ~ \.css  { add_header Content-Type text/css; }
    location ~ \.js   { add_header Content-Type application/x-javascript;
} location ~ \.eot  { add_header Content-Type
application/vnd.ms-fontobject; }
    location ~ \.woff { add_header Content-Type font/woff; }

    # .htm/.html/.php are handed to PHP-FPM. try_files answers 404 unless the
    # requested file exists on disk, so a path to a non-existent script is
    # never passed to PHP-FPM.
    location ~* \.(htm|html|php)$
    {
      try_files $uri =404;
      # NOTE(review): PATH_INFO is split on ".html" here, whereas the auth
      # server below splits on ".php" -- confirm this is intended.
      fastcgi_split_path_info       ^(.+\.html)(/.+)$;
      fastcgi_index                 index.html;
      fastcgi_pass                  unix:/run/php/php7.4-fpm.sock; include
                      /etc/nginx/fastcgi_params;
      fastcgi_param PATH_INFO       $fastcgi_path_info;
      fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    }
  }

  # Vigrid management pages: basic auth AND the /auth subrequest must both
  # succeed. Both settings are inherited by the nested locations below.
  location /manager
  {
    # Basic authentication
    auth_basic "Vigrid's access, who are you ?";
    auth_basic_user_file /home/vigrid/etc/vigrid-passwd;

    # The subrequest carries the client's request headers, so the basic-auth
    # Authorization header is also visible to the auth backend.
    # $auth_status is captured but not referenced anywhere in this config.
    auth_request     /auth;
    auth_request_set $auth_status $upstream_status;

    location ~ \.css  { add_header Content-Type text/css; }
    location ~ \.js   { add_header Content-Type application/x-javascript;
} location ~ \.eot  { add_header Content-Type
application/vnd.ms-fontobject; }
    location ~ \.woff { add_header Content-Type font/woff; }

    # Same PHP-FPM hand-off as under "/", with the same try_files guard.
    location ~* \.(htm|html|php)$
    {
      try_files $uri =404;
      fastcgi_split_path_info       ^(.+\.html)(/.+)$;
      fastcgi_index                 index.html;
      fastcgi_pass                  unix:/run/php/php7.4-fpm.sock; include
                      /etc/nginx/fastcgi_params;
      fastcgi_param PATH_INFO       $fastcgi_path_info;
      fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    }
  }

  # Vigrid Heavy client: authenticate via the /auth subrequest, then proxy
  # (with websocket upgrade) to the backend, replacing the client's
  # Authorization header with the one the auth backend returns.
  location /vigrid
  {
    # NOTE(review): as pasted, the "#" comments out only the auth_request_set;
    # the proxy_set_header on the next line is live and references
    # $authHeader0, which nothing in this config defines, and nginx refuses to
    # load a config that uses an unknown variable. This looks like a mail
    # line-wrap of a single commented line -- confirm against the real file.
    #auth_request_set $authHeader0 $upstream_http_authorization;
proxy_set_header 'Authorization' $authHeader0;

    # $auth_status is captured but not referenced anywhere in this config.
    auth_request     /auth;
    auth_request_set $auth_status $upstream_status;

    # Authorization header taken from the /auth RESPONSE, not from the client.
    auth_request_set $auth_header $upstream_http_authorization;

    # Backend on the internal network.
    proxy_pass http://172.29.0.254:8080;
    proxy_set_header Host $host;
    # Only the value returned by /auth is forwarded; the client's original
    # Authorization header is never sent upstream. If /auth returns no such
    # header, $auth_header is empty and nginx then omits the header entirely
    # (a proxy_set_header with an empty value is not passed), so the backend
    # receives no Authorization at all rather than the old one.
    proxy_set_header 'Authorization' $auth_header;

    # Websocket upgrade. Connection is forced to "Upgrade" on every request,
    # not only on those that carry an Upgrade header; the usual pattern maps
    # $http_upgrade to a $connection_upgrade variable so plain HTTP requests
    # keep their normal Connection semantics.
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "Upgrade";
  }

  # Target of the auth_request subrequests. "internal" restricts this location
  # to internal redirects and subrequests; a client cannot request it directly.
  location = /auth
  {
    internal;

    # No URI part on proxy_pass, so the subrequest is forwarded with its own
    # URI, i.e. as a request for "/auth" on the auth server below. Consider
    # 127.0.0.1:8001 explicitly to match that server's listen address and
    # avoid a ::1 attempt should "localhost" also resolve to IPv6.
    proxy_pass             http://localhost:8001;
    # Body-less subrequest: the body is dropped and Content-Length cleared.
    proxy_pass_request_body off;

    proxy_set_header        Content-Length "";
    # The real request URI travels out-of-band, since the subrequest URI is
    # always /auth.
    proxy_set_header        X-Original-URI $request_uri;
    proxy_set_header        X-Original-Host $host;
    proxy_set_header        X-Real-IP $remote_addr;
    proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
    # NOTE(review): $server_name is the literal "localhost" here, not the
    # client's Host; X-Original-Host above already carries $host.
proxy_set_header        X-Forwarded-Host $server_name;
  }

  # Top-level regex locations are consulted after the longest prefix match
  # (none of the prefixes above use ^~) and only when no nested location of
  # that prefix applies, so they also cover /manager and /vigrid -- e.g.
  # /manager/.htpasswd or /vigrid/.htaccess is denied below instead of being
  # served or proxied.
  location ~ ^/(images|javascript|js|css|flash|media|static|font)/  {
    expires 7d;
  }

  location ~ /\.ht {
      deny  all;
  }

  # Fallback chain for anything not found on disk; inherited by locations
  # that do not set their own try_files.
  try_files $uri $uri/ /index.html?$args /index.htm?$args /index.php?$args;
}

### AUTH:
server {
  # Auth backend. Plain HTTP on loopback with no access control of its own: any
  # process on this host can reach it, and it trusts that the caller is the
  # main server's internal /auth location. The Authorization header it returns
  # is what the main server forwards to the /vigrid backend.
  listen 127.0.0.1:8001;
  server_name localhost;

  access_log /var/log/nginx/vigrid_auth-access.log;
  error_log  /var/log/nginx/vigrid_auth-error.log;

  root   /home/vigrid/www/auth;
  index  vigrid-auth.php;

  # hide version
  server_tokens        off;

  location ~ /\.ht {
    deny  all;
  }

  location /
  {
    # cleaning
    location = /favicon.ico { access_log off; log_not_found off; }
location = /robots.txt  { log_not_found off; }

    # Same unanchored content-type regexes as in the main server; see the
    # remarks there about add_header versus the "types" map.
    location ~ \.css  { add_header Content-Type text/css; }
    location ~ \.js   { add_header Content-Type application/x-javascript;
} location ~ \.eot  { add_header Content-Type
application/vnd.ms-fontobject; }
    location ~ \.woff { add_header Content-Type font/woff; }

    # PHP-FPM hand-off; try_files keeps non-existent script paths away from
    # PHP-FPM.
    location ~* \.(htm|html|php)$
    {
      try_files $uri =404;
      fastcgi_split_path_info       ^(.+\.php)(/.+)$;
      fastcgi_index                 vigrid-auth.php;
      # NOTE(review): as pasted, the "#" comments out only the remainder of
      # this line, so the fastcgi_pass_header on the next line is live --
      # probably a mail line-wrap. fastcgi_pass_header only un-hides response
      # headers the fastcgi module would otherwise drop, and Authorization is
      # not on that default list as far as I know, so it should make no
      # difference either way. To see whether the header leaves this server at
      # all, request 127.0.0.1:8001/auth directly and inspect the response
      # headers; if it is present here but absent in the main server's
      # $auth_header, check the included files for *_hide_header directives.
      fastcgi_pass                  unix:/run/php/php7.4-fpm.sock; #
fastcgi_pass_header           Authorization;
      include                       /etc/nginx/fastcgi_params;
      fastcgi_param PATH_INFO       $fastcgi_path_info;
      fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    }

    location ~ ^/(images|javascript|js|css|flash|media|static|font)/  {
      expires 7d;
    }

    # Nested locations are searched before the server-level regexes, so this
    # copy, not the top-level one above, is what applies under "/".
    location ~ /\.ht {
      deny  all;
    }

    # The subrequest from the main server arrives as "/auth", which is not a
    # file under root, so try_files routes it (and any other unknown URI) to
    # vigrid-auth.php; the original URI is available in X-Original-URI.
    try_files $uri $uri/ /vigrid-auth.php?$args;
  }
}





