Authorization header in combination with X-Accel-Redirect

I have one proxy that is handling Authorization of users for media
content. This proxy really does authorize users, returning 403 if they
are not permitted to access a resource. Then I proxy to amazon s3 to a
private bucket. In order to authenticate myself I need to pass an
Authorization header to amazon s3. The name of the header is misleading
because really this is authentication. Is there any way to return that
header in the response from first proxy while returning X-Accel-Redirect
and have it passed to the second proxy?

I’ve tried setting Authorization in my first proxy and then setting
proxy_pass_header Authorization in the location of the second proxy but
it is never passed. Is there any way to do this?

As a hack I’ve successfully set a query argument in X-Accel-Redirect
that I then extract and use to set the Authorization header. This
doesn’t seem right but its working for some reason.

Thanks.

-Ian

Posted at Nginx Forum:
http://forum.nginx.org/read.php?2,74809,74809#msg-74809

Hello!

On Wed, Apr 14, 2010 at 05:33:10AM -0400, plantian wrote:

I have one proxy that is handling Authorization of users for
media content. This proxy really does authorize users,
returning 403 if they are not permitted to access a resource.
Then I proxy to amazon s3 to a private bucket. In order to
authenticate myself I need to pass an Authorization header to
amazon s3. The name of the header is misleading because really
this is authentication. Is there any way to return that header
in the response from first proxy while returning
X-Accel-Redirect and have it passed to the second proxy?

So you don’t have Authorization header in original request but
want to add it to proxied request to s3, right?

Solution is to return header content in some custom header from
you redirect script (e.g. X-Auth) and then set it in
request to s3 via proxy_set_header. Tricky part is to extract it from
$upstream_http_x_auth variable before it will be cleared by next
proxy request - this requires an extra “set”.

location /files/ {
    # backend which returns X-Accel-Redirect and X-Auth
    # headers

    proxy_pass ...
}

location /s3/ {
    # proxy to s3

    internal;
    proxy_pass ...

    set $xauth $upstream_http_x_auth;

    proxy_set_header Authorization $xauth;
}

I’ve tried setting Authorization in my first proxy and then
setting proxy_pass_header Authorization in the location of the
second proxy but it is never passed. Is there any way to do
this?

Directive “proxy_pass_header” is to pass headers from backend to
client (make sense for headers which are normally hidden, like
X-Accel-Redirect). It has nothing to do with headers sent to
upstream servers.

As a hack I’ve successfully set a query argument in
X-Accel-Redirect that I then extract and use to set the
Authorization header. This doesn’t seem right but its working
for some reason.

See above for better solution.

Maxim D.

Maxim D. Wrote:

access a resource.

X-Accel-Redirect and have it passed to the
request to s3 via proxy_set_header. Tricky part
proxy_pass …
proxy_set_header Authorization $xauth;
Directive “proxy_pass_header” is to pass headers
from backend to
client (make sense for headers which are normally
hidden, like
X-Accel-Redirect). It has nothing to do with
headers sent to
upstream servers.

This makes sense now, thank you very much.

Maxim D.


nginx mailing list
[email protected]
http://nginx.org/mailman/listinfo/nginx

It works flawlessly, thanks.

-Ian

Posted at Nginx Forum:
http://forum.nginx.org/read.php?2,74809,75012#msg-75012

This forum is not affiliated to the Ruby language, Ruby on Rails framework, nor any Ruby applications discussed here.

| Privacy Policy | Terms of Service | Remote Ruby Jobs