
Nginx reverse proxy - passthrough basic authentication

I am trying to set up nginx as a reverse proxy server in front of several IIS web servers that are authenticating using Basic authentication.

(note - this is not the same as nginx providing the auth using a password file - it should just be marshalling everything between the browser/server)

It's working, kind of - but I'm getting repeatedly prompted for auth by every single resource (image/css etc) on a page.

upstream my_iis_server {
      server 192.168.1.10;
}

server {
    listen       1.1.1.1:80;
    server_name  www.example.com;  

    ## send request back to my iis server ##
    location / {
     proxy_pass  http://my_iis_server;
     proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;
     proxy_http_version      1.1;
     proxy_set_header        Connection "";
     proxy_pass_header       Authorization;     
     proxy_redirect off;
     proxy_buffering off;
     proxy_set_header        Host            $host;
     proxy_set_header        X-Real-IP       $remote_addr;
     proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
   }
}
Ryan asked Feb 12 '13 18:02



1 Answer

This exact situation took me forever to figure out, but OSS is like that I guess. This post is a year old so maybe the original poster figured it out, or gave up?

Anyway, the problem for me at least was caused by a few things:

  1. IIS expects the realm string to be the same as what it sent to Nginx, but if your Nginx server_name is listening on a different address than the upstream then the server side WWW-Authenticate is not going to be what IIS was expecting and ignore it.
  2. The builtin header module doesn't clear the other WWW-Authenticate headers, particularly the problematic WWW-Authenticate: Negotiate. Using the headers-more module clears the old headers, and adds whatever you tell it to.

After this, I was able to finally push Sharepoint 2010 through Nginx.

Thanks stackoverflow.

server {
    listen 80;
    server_name your.site.com;

    location / {
            proxy_http_version      1.1;
            proxy_pass_request_headers on;
            proxy_set_header        Host            $host;
            proxy_set_header        X-Real-IP       $remote_addr;
            proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;

            #proxy_pass_header      Authorization;  # This didn't work for me
            more_set_input_headers  'Authorization: $http_authorization';

            proxy_set_header  Accept-Encoding  "";

            proxy_pass              https://sharepoint/;
            proxy_redirect          default;
            #This is what worked for me, but you need the headers-more mod
            more_set_headers        -s 401 'WWW-Authenticate: Basic realm="intranet.example.com"';
    }
}
Matt answered Sep 30 '22 00:09
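
A check for the two symptoms this answer describes, as an added example that is not part of the original post: it reads the WWW-Authenticate values of 401 responses captured through the proxy and reports connection-bound challenges and inconsistent Basic realms. The function names, the sample headers, the inclusion of NTLM and the cleartext-listener finding are assumptions of this example.

```python
import re

# Challenge schemes that authenticate the connection, not each request.
# The answer above names Negotiate as the problematic one; NTLM is included
# here as an assumption of this example.
CONNECTION_BOUND = {"negotiate", "ntlm"}

def parse_challenge(value):
    """Split one WWW-Authenticate value into (scheme, realm or None)."""
    scheme, _, params = value.strip().partition(" ")
    match = re.search(r'realm="([^"]*)"', params, re.IGNORECASE)
    return scheme.lower(), match.group(1) if match else None

def audit_401s(responses, listener_scheme="http"):
    """responses: {path: [WWW-Authenticate values]} seen through the proxy."""
    findings, realms = [], {}
    for path, values in responses.items():
        challenges = [parse_challenge(v) for v in values]
        for scheme, _ in challenges:
            if scheme in CONNECTION_BOUND:
                findings.append(f"{path}: {scheme} challenge reaches the browser")
        basic = [realm for scheme, realm in challenges if scheme == "basic"]
        if not basic:
            findings.append(f"{path}: no Basic challenge offered")
        for realm in basic:
            realms.setdefault(realm, []).append(path)
    if len(realms) > 1:
        # Browsers cache Basic credentials per realm, so every extra realm
        # is another password prompt.
        findings.append("multiple Basic realms: " + ", ".join(sorted(map(str, realms))))
    if realms and listener_scheme != "https":
        findings.append("Basic credentials cross a cleartext listener")
    return findings

# Constructed sample: headers as `curl -i` might show them through the proxy.
BEFORE = {
    "/": ['Negotiate', 'NTLM', 'Basic realm="192.168.1.10"'],
    "/style.css": ['Basic realm="www.example.com"'],
}
AFTER = {
    "/": ['Basic realm="intranet.example.com"'],
    "/style.css": ['Basic realm="intranet.example.com"'],
}

if __name__ == "__main__":
    for name, sample in (("before", BEFORE), ("after", AFTER)):
        print(name, audit_401s(sample))
```

With both configurations on this page listening on port 80, the cleartext finding stays until the listener is moved to TLS.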