HTTP Basic Auth question

Hello,

I am running nginx as a reverse proxy to a python application. I am
wondering how I would be able to pass ONLY the user account and not the
password. Can this be done?

Thanks!

To pass the nginx user to a fastcgi backend (PHP), I have to explicitly
specify it using the following directive:
fastcgi_param MY_USER $remote_user;

I suppose you can do the same with proxy_pass?
I dunno how to remove an automatically forwarded parameter though… Maybe
overwriting it with an empty string?

B. R.

On Wed, May 01, 2013 at 01:17:41PM -0400, B.R. wrote:

Hi there,

To pass the nginx user to a fastcgi backend (PHP), I have to explicitly
specify it using the following directive:
fastcgi_param MY_USER $remote_user;

I suppose you can do the same with proxy_pass?

That’s how I’d do it – probably proxy_set_header if the python
application is accessed using proxy_pass.

I dunno how to remove an automatically forwarded parameter though… Maybe
overwriting it with an empty string?

The password is in the http header Authorization, so using
proxy_hide_header to avoid sending that should be enough.

On Wed, May 1, 2013 at 10:26 AM, Russ L. [email protected] wrote:

I am running nginx as a reverse proxy to a python application. I am
wondering how I would be able to pass ONLY the user account and not the
password. Can this be done?

As above: how are the user and pass currently sent? It will be by
“fastcgi_pass” or “proxy_pass” or something similar. Use the matching
“_hide_header” directive on the correct header to avoid sending it.

How do you want the user to be sent? Use the variable $remote_user and
the matching “_set_header” or “_param” directive to send the provided
username.

f

Francis D. [email protected]

Hello,

Sorry for the long delay.

I have tried the following configuration which does not seem to work at
all.

proxy_hide_header Authorization;
proxy_set_header Authorization "$remote_user";

I can still sniff the traffic on lo and get the base64 user:pass. The
interesting thing is I do not see the Authorization header being sent to
the django app whatsoever. Is there a way I can totally remove the
header even at the loopback level so it is not able to get intercepted?

Thanks,

Russ

----- Original Message -----

From: Francis D. [email protected]
To: [email protected]
Cc:
Sent: Wednesday, May 1, 2013 4:45 PM
Subject: Re: HTTP Basic Auth question


nginx mailing list
[email protected]
http://mailman.nginx.org/mailman/listinfo/nginx

On Thu, May 09, 2013 at 12:55:22PM -0700, Russ L. wrote:

Hi there,

I have tried the following configuration which does not seem to work at all.

proxy_hide_header Authorization;
proxy_set_header Authorization "$remote_user";

What did you do; what did you see; what did you expect to see?

I can still sniff the traffic on lo and get the base64 user:pass. The
interesting thing is I do not see the Authorization header being sent to the
django app whatsoever. Is there a way I can totally remove the header even at the
loopback level so it is not able to get intercepted?

I don’t understand what it is that you are trying to do, that you have
not yet done.

You seem to say that you do see the Authorization header and that you
don’t see the Authorization header, so I presume I’m misreading
something.

Can you provide a simple nginx configuration that I can use to replicate
whatever the problem is?

f

Francis D. [email protected]
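A minimal configuration of the kind the thread is working toward, added here as an example and not taken from any message in it; the upstream address, the X-Remote-User header name and the file paths are assumptions. One detail matters for the symptom Russ describes: proxy_hide_header filters headers in the upstream's response, not in the client's request, so the client's Authorization header is dropped by giving it an empty value with proxy_set_header.

```nginx
# Added example; not the configuration of anyone in the thread.
# nginx authenticates the client with HTTP Basic auth and proxies to a
# Django app on 127.0.0.1:8000 (assumed address), forwarding only the
# authenticated username, never the base64 user:pass.
server {
    # Basic credentials are only base64-encoded, so terminate TLS on the
    # client-facing side; certificate paths are placeholders.
    listen 443 ssl;
    server_name app.example.com;
    ssl_certificate     /etc/nginx/ssl/app.crt;
    ssl_certificate_key /etc/nginx/ssl/app.key;

    location / {
        auth_basic           "Restricted";
        auth_basic_user_file /etc/nginx/htpasswd;   # placeholder path

        # proxy_hide_header only affects headers coming back from the
        # upstream. An empty value here makes nginx omit the request
        # header entirely, so Authorization never crosses the loopback.
        proxy_set_header Authorization "";

        # Hand the backend just the username nginx verified.
        # X-Remote-User is an assumed header name the app must read.
        proxy_set_header X-Remote-User $remote_user;

        proxy_set_header Host $host;
        proxy_pass http://127.0.0.1:8000;
    }
}
```

With this in place, a capture on lo shows the request to the backend carrying X-Remote-User and no Authorization header; the client-side hop is protected by TLS rather than by header removal.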