Score:0

nginx sub-request authentication not working as expected

ws flag

I want to add access controls to an entire vhost on a reverse proxy. I am using nginx sub-request authentication to do this. The expected interaction is that the user will either get an error message with a link to the login page or have the login page rendered at the requested URL. On completion of the login process, there should be some mechanism for the user to navigate / reload the originally requested URL. There is no scripting capability on the reverse proxy (i.e. no PHP) itself which limits the options for capturing and propagating the original URL through the authentication process.

My expectation: if the request fails authentication (i.e. http://authprovider.example.com:8081/gateway/index.php returns a 401) I want specific content to be returned at the requested URL without a redirect and with a 4xx status.

server {
    listen 80;
    server_name www.example.com;
    root /var/www/html;

    error_page 401 iprestricted.html;
    ## This provides feedback to the user when request is disallowed
    ## (including a link to login)
    # location /iprestricted.html {
    #     try_files $uri $uri/ =404;
    # }

    # This implements the sub-request check....
    location /restricted {
        internal;
        proxy_pass http://authprovider.example.com:8081/gateway/index.php;
        proxy_pass_request_body off;
        proxy_set_header Content-Length "";
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Original-URI $request_uri;
    }

    location / {
        auth_request /restricted;
        proxy_pass http://localwebserver/;
    }
}

However:

If location /iprestricted.html {...} is commented out, I get a redirect loop at http://www.example.com.

If it is uncommented, then any request gets a 302 response with Location /iprestricted.html, which returns a 200 status code.

How to implement sub-request authentication without redirects?

Is there another way to capture the original URL and propagate it through to the authentication step using just nginx config?

I did try adding add_header WWW-Authenticate "Basic realm=bipdevtest"; in each and both the locations above but this was not sent back in the HTTP responses.

Score:0
ws flag

Always a good idea to RTFM

Nginx will relay a WWW-Authenticate header if it is returned by the auth_request provider (http://authprovider.example.com:8081/gateway/index.php in the above).

However I will leave the question open, as I'm confused/concerned about the custom error page resulting in a 302 redirect followed by a 200 response.
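As an added example (not code from the question or the answer above), here is the same server block with the error_page fix applied. The substantive changes are the leading slash on the error_page URI, which makes nginx serve the page by internal redirect at the originally requested URL with the 401 status preserved instead of answering 302, and a dedicated location for the error page so that the internal redirect does not run auth_request a second time. Hostnames and paths are the ones from the question.

```nginx
server {
    listen 80;
    server_name www.example.com;
    root /var/www/html;

    # A URI starting with "/" is an internal redirect: the client receives
    # the file body at the URL it asked for, and the 401 status is kept.
    # Without the leading slash nginx treats the value as an external URL
    # and sends "302 Location: iprestricted.html", which is the loop seen
    # in the question (the redirect target lands back in "location /").
    error_page 401 /iprestricted.html;

    # Serve the error page from a location with no auth_request, so the
    # internal redirect cannot trip the 401 again. "internal" keeps the
    # page unreachable by direct client requests; it is only reached
    # through error_page.
    location = /iprestricted.html {
        internal;
    }

    # Sub-request check against the auth provider.
    location /restricted {
        internal;
        proxy_pass http://authprovider.example.com:8081/gateway/index.php;
        proxy_pass_request_body off;
        proxy_set_header Content-Length "";
        proxy_set_header X-Real-IP $remote_addr;
        # The provider receives the original URL here and can carry it
        # through its own login flow; no scripting is needed on the proxy.
        proxy_set_header X-Original-URI $request_uri;
    }

    location / {
        # On a 401 from the provider, auth_request copies the provider's
        # WWW-Authenticate header to the client response, as the answer
        # above notes, so no add_header is needed for it.
        auth_request /restricted;
        proxy_pass http://localwebserver/;
    }
}
```

Check the result with `curl -i http://www.example.com/` from an unauthenticated client: the expected response is `HTTP/1.1 401` with the body of /var/www/html/iprestricted.html and no Location header.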
