Nginx Kerberos Authentication - nginx

The CDH Solr admin page is configured with Kerberos authentication, so it cannot be accessed in a web browser.
I plan to use Nginx as a proxy service to perform Kerberos authentication and redirect the web request to the Solr admin page.
I have already used the SPNEGO module 'https://github.com/stnoonan/spnego-http-auth-nginx-module' and set the conf file as below.
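location / {
    # Enable SPNEGO (Kerberos) authentication for this location
    auth_gss on;
    auth_gss_realm EXAMPLE.ORG;
    auth_gss_service_name "HTTP/test.example.org";
    auth_gss_keytab /etc/krb5.keytab;
    return 301 xxxxx;  # redirect target elided in the original post
}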
But it doesn't work. The web page still shows 403. Does anyone know how to solve this problem?

Related

nginx proxy_pass to location returns 401 error

I have a WebDAV server set up, with its root folder /SomeVolume/webdav/contents and address 192.168.1.2:12345. User and password are set and the server can be accessed from a browser.
I am directing a domain name to the same machine using nginx, like this:
server {
    server_name my.domain.me;
    location / {
        proxy_pass http://192.168.1.2:12345;
    }
    # plus the usual Certbot SSL stuff
}
This was working perfectly well, with HTTPS authentication and everything. I am using a third-party application that uses that server and it was working OK too.
I wanted to make this a bit more tidy and only changed a couple of things:
WebDAV server root to /SomeVolume/webdav (instead of /SomeVolume/webdav/contents), restarted the server.
proxy_pass http://192.168.1.2:12345 changed to proxy_pass http://192.168.1.2:12345/contents. Restarted nginx.
Nothing else was modified.
I can still log in through the browser, but the third-party application has stopped working because it gets authentication errors (401). Although if I try to log in locally with http://192.168.1.2:12345/contents/ it works just fine.
What am I not understanding here? Is it some caching problem with the third-party application or have I misunderstood how location & proxy_pass work?
Thanks.

Grafana returns 401 Unauthorized when accessed behind a reverse proxy

I run Grafana with a custom root URL behind an Nginx reverse proxy, based on what is shown at https://grafana.com/tutorials/run-grafana-behind-a-proxy/ but when I try to access site.com/grafana, I get a 401 Unauthorized with the following JSON response:
{"message":"invalid username or password","traceID":""}
I have tried multiple nginx and Docker setups but nothing works.
This is an nginx auth_basic issue. I don't know why, but I never encountered this issue with any other app.
Basically, the auth_basic login and password are proxied to Grafana, and there is no possibility to try other logins.
To solve this I had to set
proxy_set_header Authorization "";
in the nginx conf, and voilà.
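
The fix above in context, as an added example rather than the poster's actual configuration. The upstream address, the htpasswd path and the `/grafana/` location are assumptions.

```nginx
# Assumption: Grafana listens on its default port on the same host.
upstream grafana {
    server 127.0.0.1:3000;
}

server {
    listen 80;
    server_name site.com;

    location /grafana/ {
        # nginx checks the credentials itself ...
        auth_basic           "Restricted";
        auth_basic_user_file /etc/nginx/grafana.htpasswd;  # hypothetical path

        # ... and without the next line it also forwards the client's
        # Authorization header upstream, where Grafana tries the nginx
        # username/password as a Grafana login and answers 401.
        # An empty value means the header is not passed to the upstream.
        proxy_set_header Authorization "";

        proxy_set_header Host $host;
        proxy_pass http://grafana;
    }
}
```

Clearing the header also keeps the proxy-layer password from being disclosed to the upstream application.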

on a 404, redirect modifying the domain name

I have the UI hosted on example.com and the backend hosted on api.example.com.
In a specific OAuth scenario, api.example.com returns a 404 for this URL:
https://api.example.com/ng/login?error=access_denied&state=bQ9lk2#
I would like to handle this 404 in nginx and redirect it to
https://example.com/ng/login?error=access_denied&state=bQ9lk2# [without the api subdomain]
How do I do this while preserving the query params?
Never mind, it was easier to handle the redirect in the app server itself. Left nginx alone.

nginx proxy all request through authentication service

Consider a dockerized environment containing the following containers:
Backend API
Front-end REACT App served using pushstate-server
Authentication Service
Nginx Container
My nginx.conf contains the following:
server {
    listen 8080;
    location / {
        auth_request /auth;
        proxy_pass http://frontend:5000;
    }
    location = /auth {
        proxy_pass http://auth:6000;
    }
    error_page 403 = @error403;
    location @error403 {
        rewrite ^ /login$1;
        proxy_pass http://frontend:5000;
    }
}
When the auth_request /auth; line is commented out, everything works just fine and all frontend pages can be accessed.
As soon as I introduce the auth_request I can see the authentication service return a 403; however, it does not look like Nginx proxies to the login page.
What am I doing wrong?
There are two issues here:
Firstly, the authorization header is not forwarded to the authentication service. This was fixed with
location = /auth {
    proxy_pass http://auth:6000;
    proxy_pass_header Authorization;
}
Secondly, when a request is made to the frontend, nginx tries to authenticate with the auth container. As I am not authenticated, this fails and returns a 403. The nginx server then proxies to the login page on the REACT container; however, there are further requests behind the scenes to retrieve CSS and JS resources from the same container, for which the nginx gateway tries to authenticate. Again, as I am not authenticated, retrieving these resources fails, so the page does not render.
A dirty solution was to add:
location /static/js/main.1e2389bc.js {
    proxy_pass http://web:5000;
}
location /static/css/main.aa587518.css {
    proxy_pass http://web:5000;
}
This retrieves the necessary files to render the login page without trying to authenticate. This is a bad solution as there may be other resources (favicon, other media, etc.), so more blocks would need to be added. I am sure there is a simple solution using regex to sort this out in a simple way.
However, I ended up with a cleaner solution. Authenticate on requests to the backend API. This ensured that no sensitive information was displayed on the frontend without being authenticated and removed the hassle of hacking a solution to render the login page.
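
A sketch of the pattern-based exemption the answer above alludes to, added here as an example and not taken from the original post. The upstream names `frontend` and `auth` come from the question; the `/login` route, the `/static/` asset prefix and the `X-Original-URI` header name are assumptions.

```nginx
server {
    listen 8080;

    # Everything not matched by a more specific location below requires
    # a 2xx response from the auth subrequest.
    location / {
        auth_request /auth;
        # auth_request hands a 401/403 from the subrequest to the client;
        # turn both into a redirect to the login page.
        error_page 401 403 = @login;
        proxy_pass http://frontend:5000;
    }

    # Subrequest target: internal, so clients cannot call it directly.
    location = /auth {
        internal;
        proxy_pass http://auth:6000;
        # The auth service needs the headers, not the request body.
        proxy_pass_request_body off;
        proxy_set_header Content-Length "";
        proxy_set_header X-Original-URI $request_uri;
    }

    # Assumption: the frontend serves the login page at /login.
    location = /login {
        auth_request off;
        proxy_pass http://frontend:5000;
    }

    # Assumption: build assets live under /static/, plus a favicon.
    # One pattern replaces a block per hashed file name.
    location ~* ^/(static/|favicon\.ico$) {
        auth_request off;
        proxy_pass http://frontend:5000;
    }

    location @login {
        return 302 /login;
    }
}
```

Anything exempted this way is public, so the exemption only suits assets that carry no sensitive data; the backend API still has to enforce authentication itself.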

Secure remote sqlbuddy in Nginx

I've added sqlbuddy on my nginx server for remote management of my db. To that I've added .htaccess and password protection. However, if I click on cancel in the authentication prompt / window I can still access the login for sqlbuddy. I can log in and see a few parts of the UI. If I access the browser source I can see more data. How do I stop this? What's the best setup for this in nginx?
This is nginx conf:
location /sqlbuddy {
    auth_basic "Administrator Login";
    auth_basic_user_file /opt/nginx/html/sqlbuddy/.htpasswd;
}
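
One hardened layout for the location above, added as an example and not the poster's configuration. It assumes the server also has a server-level `location ~ \.php$` block (not shown in the post): nginx prefers a matching regex location over a plain prefix location, so PHP requests under /sqlbuddy would then never reach the `auth_basic` settings. The document root, PHP-FPM socket and htpasswd paths are hypothetical.

```nginx
server {
    listen 80;
    root /opt/nginx/html;

    # ^~ stops nginx from consulting server-level regex locations once this
    # prefix matches, so every request under /sqlbuddy/ is handled here.
    location ^~ /sqlbuddy/ {
        auth_basic           "Administrator Login";
        # Keep the password file outside the web root (hypothetical path).
        auth_basic_user_file /etc/nginx/sqlbuddy.htpasswd;

        index index.php;

        # The nested PHP handler inherits auth_basic from its parent.
        location ~ \.php$ {
            include       fastcgi_params;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            fastcgi_pass  unix:/run/php-fpm.sock;  # hypothetical socket
        }
    }

    # Server-level PHP handler for the rest of the site. Paired with a
    # plain "location /sqlbuddy" it would win the match and run PHP
    # without asking for credentials.
    location ~ \.php$ {
        include       fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass  unix:/run/php-fpm.sock;
    }

    # Never serve dot-ht files; nginx ignores .htaccess rules.
    location ~ /\.ht {
        deny all;
    }
}
```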
