Hello to everybody, my name is Simone Saravalli and I’m new to the NGINX
world.
This is my problem: I set up NGINX as a reverse proxy to a backend
server with Apache. On the NGINX side I configured basic authentication for
the / location:
    location / {
        auth_basic "Restricted";
        auth_basic_user_file /etc/nginx/htpasswd;
        proxy_pass http://xxx.xxx.xxx.xxx;
        proxy_redirect off;
        proxy_set_header Authorization "";
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Ssl on;
    }
In this way, when a user goes to http://192.168.0.10 (say the ip of the
NGINX reverse proxy), he’s prompted for username/password and then
redirected to http://xxx.xxx.xxx.xxx as expected.
The problem: if on Apache I set another step of authentication (basic
auth, LDAP) something goes wrong. From NGINX’s logs I see when I sent
username/password for Apache. From Apache’s logs I cannot see anything.
Obviously I got an error because NGINX doesn’t know these
username/password because they are for Apache.
How can I solve this problem?
Thanks in advance for any reply. Regards.
Posted at Nginx Forum:
On Wednesday 31 of August 2011 12:07:27 ssaravalli wrote:
        proxy_pass http://xxx.xxx.xxx.xxx;
        proxy_redirect off;
        proxy_set_header Authorization "";
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Ssl on;
    }
You’re removing Authorization request header before sending request to
Apache server. That’s why Apache cannot authenticate user.
Comment-out the following line and try again:
    proxy_set_header Authorization "";
Best regards, Brane
Brane F. Gračnar Wrote:
You’re removing Authorization request header before sending request to
Apache server. That’s why Apache cannot authenticate user.
Comment-out the following line and try again:
    proxy_set_header Authorization "";
Hello Brane and thank you for your fast reply. I’ve commented out the line
and restarted NGINX; now the behaviour is:
- I log in to the NGINX URL and I give username and password. From the backend
Apache’s access.log, with proxy_set_header Authorization ""; for
NGINX disabled, now I see a log like this:
Aug 31 13:07:42 intranet intranet: “” “, ”
“” “[31/Aug/2011:13:07:42 +0200]” “GET / HTTP/1.0” “34”
“Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_8) AppleWebKit/535.1
(KHTML, like Gecko) Chrome/13.0.782.218 Safari/535.1”
And from Apache’s error log I see:
[Wed Aug 31 13:07:42 2011] [warn] [client ] [2903] auth_ldap
authenticate: user authentication failed; URI / [User not
found][No such object]
So username and password for NGINX are forwarded also to Apache. These
errors were not displayed with the directive enabled.
- I provide username and password for Apache’s backend then from NGINX
error.log I receive this error:
2011/08/31 13:01:19 [error] 6541#0: *5 user “” was not
found in “/etc/nginx/htpasswd”, client: , server: ,
request: “GET / HTTP/1.1”, host: “”
NGINX tries to find the credentials provided in
/etc/nginx/htpasswd, instead of forwarding the request to the backend
server.
Igor S. Wrote:
You should
- use either the same user/password on both nginx and Apache,
It’s not possible in my situation. NGINX uses basic auth based on a
file, while Apache uses basic auth through LDAP.
- or enable authentication only on one host: on nginx OR Apache,
I can’t because I need two layers of authentication. The first one on
NGINX and the second one on the web apps with authentication based on
our LDAP server.
- or enable authentication on nginx and go to Apache as some backend user:
    proxy_set_header Authorization base64_encoding_of_"user:password";
This is not my case.
So, is there a way to tell NGINX to manage only the first authentication
level and when the user provides username/password (LDAP) for the
backend web app, these credentials must be managed by the backend web
server?
Another solution may be to keep on the backend the LDAP auth and on the
frontend (NGINX) a form based authentication?
Thanks, Simone Saravalli
Hello!
On Thu, Sep 01, 2011 at 10:19:57AM -0400, ssaravalli wrote:
[…]
So, is there a way to tell NGINX to manage only the first authentication
level and when the user provides username/password (LDAP) for the
backend web app, these credentials must be managed by the backend web
server?
There are no levels of authentication possible in HTTP authentication.
More strictly, there are two levels: proxy and client. The
proxy level is reserved to working with proxies, and it’s not
generally possible to use it anywhere else (additionally, I
believe it’s not supported by the majority of software).
Please refer to RFC 2616 and RFC 2617 for more details.
Another solution may be to keep on the backend the LDAP auth and on the
frontend (NGINX) a form based authentication?
This should work.
Maxim D.
On Wed, Aug 31, 2011 at 07:15:57AM -0400, ssaravalli wrote:
proxy_set_header Authorization "";
“” “[31/Aug/2011:13:07:42 +0200]” “GET / HTTP/1.0” “34”
errors were not displayed with the directive enabled.
NGINX tries to find the credentials provided in
/etc/nginx/htpasswd, instead of forwarding the request to the backend
server.
You should
- use either the same user/password on both nginx and Apache,
- or enable authentication only on one host: on nginx OR Apache,
- or enable authentication on nginx and go to Apache as some backend user:
    proxy_set_header Authorization base64_encoding_of_"user:password";
--
Igor S.
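
Added example (not part of any post in this thread): a small Python model of the single Authorization header discussed above, tracing one request through nginx's htpasswd check and then Apache's LDAP check for the stripped, forwarded and overridden header cases. The user tables, the backend service account and the function names are constructed for illustration.

```python
import base64
import hmac

# Constructed sample data, not taken from the thread.
HTPASSWD = {"gateuser": "gatepass"}   # stands in for /etc/nginx/htpasswd
LDAP = {"ldapuser": "ldappass"}       # stands in for Apache's LDAP directory
SERVICE = ("ldapuser", "ldappass")    # hypothetical fixed backend account

def basic(user, password):
    """Value of an Authorization header for HTTP Basic auth (RFC 2617)."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return "Basic " + token

def check(header, users):
    """True if the Basic credentials carried in `header` are valid in `users`."""
    if not header or not header.startswith("Basic "):
        return False
    try:
        decoded = base64.b64decode(header[6:], validate=True).decode()
    except ValueError:  # covers bad base64 and bad UTF-8
        return False
    user, _, password = decoded.partition(":")
    return user in users and hmac.compare_digest(
        users[user].encode(), password.encode())

def request(client_header, mode, htpasswd=HTPASSWD, ldap=LDAP):
    """Trace one request through nginx auth_basic, then Apache's own auth.

    mode 'strip':    proxy_set_header Authorization "";  (header not sent)
    mode 'forward':  the client's header is passed to Apache unchanged
    mode 'override': proxy_set_header Authorization "Basic <service account>";
    """
    if not check(client_header, htpasswd):
        return "401 from nginx"
    upstream = {"strip": None,
                "forward": client_header,
                "override": basic(*SERVICE)}[mode]
    if not check(upstream, ldap):
        return "401 from apache"
    return "200"

if __name__ == "__main__":
    gate = basic("gateuser", "gatepass")
    ldap_user = basic("ldapuser", "ldappass")
    for mode in ("strip", "forward", "override"):
        print(f"{mode:8} gate creds: {request(gate, mode):15} "
              f"ldap creds: {request(ldap_user, mode)}")
```

Because the client can send only one Authorization header per request, the forwarded case succeeds only when the same user and password are valid in both stores.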
Hello Maxim
Maxim D. Wrote:
username/password (LDAP) for the
proxy level is reserved to working with proxies, and it’s not
generally possible to use it anywhere else (additionally, I
believe it’s not supported by majority of software).
Please refer to RFC 2616 and RFC 2617 for more details.
ok, thank you
Another solution may be to keep on the backend the LDAP auth and on the
frontend (NGINX) a form based authentication?
This should work.
I’ll try with this solution. Thank you for your reply!