I want to use the auth_request and oauth2_proxy to set a header upon a successful authentication request and then pass that through to the next proxy inline that will handle the actual request.
I've set up NGINX and the various proxies to do their thing; however, I'm unsure how to set the header from the server (AUTH PROXY in diagram) that I'm using for the auth request such that that header is passed to the next server (BACKEND SERVER in diagram).
NGINX ---- auth request ----> AUTH PROXY
  |
  | <--- 201 <------ SUCCESS
  |
  ----> underlying request ----> BACKEND SERVER
My NGINX config looks like
server {
    listen 9123;
    resolver 10.3.0.2;
    resolver_timeout 30;

    location / {
        auth_request /_auth;
        proxy_set_header x-user $http_x_user;
        proxy_pass http://backend_server;
    }

    location = /_auth {
        internal;
        proxy_pass https://auth;
        proxy_pass_request_body off;
        proxy_set_header Content-Length "";
        proxy_set_header X-Original-URI $request_uri;
    }
}
When I make the actual request I see the following in the NGINX debug logs (this is part of the response from the auth server):
2013/10/14 17:46:42 [debug] 31222#0: *4 http proxy header: "Content-Type: text/html; charset=utf-8"
2013/10/14 17:46:42 [debug] 31222#0: *4 http proxy header: "Date: Mon, 14 Oct 2013 17:46:42 GMT"
2013/10/14 17:46:42 [debug] 31222#0: *4 http proxy header: "Server: nginx/1.2.5"
2013/10/14 17:46:42 [debug] 31222#0: *4 http proxy header: "Vary: Cookie"
2013/10/14 17:46:42 [debug] 31222#0: *4 http proxy header: "x-user: 1"
I want to take the x-user header and pass that through to the backend server.
I've tried various combinations in the location / block but none of them have worked yet. E.g.
proxy_set_header x-user $upstream_http_x_user;
proxy_set_header x-user $http_x_user;
proxy_set_header x-user $sent_http_x_user;
proxy_pass_header x-user
None of these seem to work. Any ideas how I can accomplish this task? Please note that it's the auth proxy that's setting the header that I want to pass to the backend server.
The path /oauth2/oauth2/auth is redundant since nginx only passes beginning with the 2nd slash, and oauth2_proxy expects the endpoint "/oauth2/auth" as shown on their list of endpoints.
Using the nginx auth_request Module
Enter the nginx auth_request module. This module is shipped with nginx, but requires enabling when you compile nginx. When you download the nginx source and compile, just include the --with-http_auth_request_module flag along with any others that you use.
Authentication is required for the IdP to accept token introspection requests from this NGINX instance. The OAuth 2.0 Token Introspection specification mandates authentication, but does not specify the method. In this example, we use a bearer token in the Authorization header.
Here token=$http_apikey indicates that the client must supply the access token in the apikey request header. Of course, the access token can be supplied in any attribute of the request, in which case we use a different NGINX variable.
Woop, figured it out. The correct NGINX config looks like this:
location / {
    auth_request /_auth;
    auth_request_set $user $upstream_http_x_user;
    proxy_set_header x-user $user;
    proxy_pass http://backend_server;
}
The issue is that you cannot assign the header directly into another header, you have to use auth_request_set to set the header into a variable and then assign that variable to a header.
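Added example (not part of the original question or answer): the question's full server block with the fix applied, with comments on what each variable tried in the question refers to and on how a client-supplied x-user header is handled. It assumes the same upstream names (auth, backend_server), port and resolver as the question's config.

```nginx
server {
    listen 9123;
    resolver 10.3.0.2;
    resolver_timeout 30;

    location / {
        auth_request /_auth;

        # Evaluated after the /_auth subrequest completes; here
        # $upstream_http_x_user is the x-user header of the auth response.
        auth_request_set $user $upstream_http_x_user;

        # Why the question's attempts did not carry the auth proxy's value
        # when used directly in this location:
        #   $http_x_user          -> x-user header of the client's request
        #   $upstream_http_x_user -> response header of this location's own
        #                            upstream (backend_server), not yet received
        #   $sent_http_x_user     -> header of the response sent to the client
        #   proxy_pass_header     -> governs response headers passed back to
        #                            the client, not request headers

        # Replaces any x-user value the client sent. If the auth response
        # carries no x-user, $user is empty and nginx omits the header.
        proxy_set_header x-user $user;

        proxy_pass http://backend_server;
    }

    location = /_auth {
        internal;
        proxy_pass https://auth;
        proxy_pass_request_body off;
        proxy_set_header Content-Length "";
        proxy_set_header X-Original-URI $request_uri;
    }
}
```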