Nginx auth_request handle saml 302 redirects - nginx

I am using Nginx as a reverse proxy. Also, I am using the auth_request feature to protect my resources. For that, auth_request always goes through the authorization server, where I am using SAML authentication. While authenticating, there is a 302 redirect to the IdP (ssocircle in this case) which I am trying to follow at Nginx, but I always end up with the error below:
no resolver defined to resolve idp.ssocircle.com while sending to client, client: 127.0.0.1, server: , request: "GET / HTTP/1.1", subrequest: "/saml/login", host: "localhost:9000"
*1269 auth request unexpected status: 502 while sending to client, client: 127.0.0.1, server: , request: "GET / HTTP/1.1", host: "localhost:9000"
Here is my Nginx configuration:
server {
    listen 9000;
    auth_request /saml/login;
    proxy_intercept_errors on;
    error_page 301 302 307 = @handle_redirects;
    location /saml/login {
        resolver 46.4.112.4 valid=300s;
        internal;
        proxy_set_header Host $host;
        proxy_pass_request_body off;
        proxy_set_header Content-Length "";
        proxy_pass http://localhost:9090/; # url to authorization server
    }
    location @handle_redirects {
        set $saved_redirect_location '$upstream_http_location';
        proxy_pass $saved_redirect_location;
    }
    location / {
        root data/www;
    }
    location /images/ {
        root data/;
    }
}
I tried adding the resolver 46.4.112.4 (the IP of ssocircle), but it didn't work.
Basically, I want to follow the redirect from my authorization server, have the user authenticate themselves at the IdP, and return back to the original URL.
I am very new to Nginx. Any help will be much appreciated.
Edit: I am able to resolve the issue stated above. Restarting Nginx worked for me. But now I am getting this error:
auth request unexpected status: 302 while sending to client,

Related

NGINX doesn't redirect on auth_request 302

I have an NGINX reverse proxy, also serving static content on /, with the following config:
location / {
    auth_request /authn;
    proxy_intercept_errors on;
    recursive_error_pages on;
    error_page 301 302 303 307 308 = @handle_redirect;
    gzip_static on;
    index index.html;
    root /usr/share/nginx/html;
    try_files $uri $uri/ @index;
}
location /authn {
    set $target http://gateway:8030/authn;
    proxy_pass http://gateway:8030/authn;
    proxy_pass_request_body off;
    proxy_set_header Content-Length "";
    proxy_set_header X-Original-URI $request_uri;
    proxy_pass_request_headers on;
    proxy_intercept_errors on;
    recursive_error_pages on;
    error_page 301 302 303 307 308 @handle_redirect;
}
location @handle_redirect {
    proxy_set_header Host $host:$server_port;
    set $redirect_url $upstream_http_location;
    proxy_pass $redirect_url;
}
The goal is to check whether the user is authenticated by a subrequest to the /authn endpoint, which returns 302 and a Location header if the user is not. But the client gets 500 from NGINX with an error log like
auth request unexpected status: 500 while sending to client
I also have a /root endpoint which proxy-passes directly to the /authn gateway; that correctly redirects to the login page and authenticates the client. Instead of handling redirects in subrequests, I've also tried proxy-passing requests to this endpoint by setting
location /root {
    set $target http://top-gateway:8030/authn;
    proxy_pass http://top-gateway:8030/authn;
}
location /authn {
    ...
    error_page 301 302 303 307 308 /root;
But in this case I get 500 and
auth request unexpected status: 302 while sending to client
in NGINX error.log
Why doesn't NGINX handle redirects correctly with these settings, and how do I solve this correctly?
Perhaps this is useful for you in order to know why it fails; maybe I am late, but I found this thread while trying to do something similar.
https://nginx-devel.nginx.narkive.com/0cH1MZv7/patch-allow-http-auth-request-module-to-forward-302-responses
The link shows a conversation between an Nginx developer and a user who was motivated to write a patch. It seems Nginx only supports 2xx and 4xx codes for auth_request. But you could do something like this if you control the application, as shown in that link.
location / {
    auth_request /auth;
    auth_request_set $auth_redirect $upstream_http_location;
    error_page 401 = /auth_redirect;
}
location /auth {
    proxy_pass http://auth_backend;
    ...
}
location /auth_redirect {
    return 302 $auth_redirect;
}
Also, it was useful for me to read this (not the same, but a clue to some ideas):
How do I make web service calls within nginx?
This link shows a simple introduction (which you could also find in the documentation) to auth_request_set.
auth_request_set $x_upstreamhost $upstream_http_x_upstreamhost;
Also, here is a deep level of the code implementation of auth_request.
https://www.nginx.com/resources/wiki/extending/examples/auth_request/
This link shows a Code Breakdown of the implementation of auth_request. I can not include that here.
Cheers,
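To make the pattern in the answer above concrete, here is the backend side of it as an added example (not code from the thread or from nginx): an auth endpoint that never answers 302. A valid session gets 200; anything else gets 401 with the IdP login URL in a Location header, which nginx captures via `auth_request_set $auth_redirect $upstream_http_location;` and turns into `return 302 $auth_redirect;`. The cookie name `session`, the `VALID_SESSIONS` table and the `IDP_LOGIN_URL` placeholder are assumptions; the return path comes from the `X-Original-URI` header the second question's config already forwards, and is restricted to a same-site path so the backend cannot be used as an open redirector.

```python
"""Auth backend for nginx auth_request that signals "go to the IdP" as a 401.

Added example, not from the thread. nginx's auth_request treats 2xx as
"allow" and 401/403 as "deny"; a 3xx from the subrequest is an error. So the
backend answers 401 and puts the IdP URL in a Location header for nginx's
auth_request_set to pick up.
"""
from http.cookies import SimpleCookie
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlencode, urlsplit

IDP_LOGIN_URL = "https://idp.example.invalid/sso/login"  # placeholder IdP URL
VALID_SESSIONS = {"s3ss10n-ok"}                         # constructed sample store


def safe_return_path(original_uri):
    """Only allow a same-site, absolute-path return target. Anything carrying a
    scheme or host (open-redirect material) is replaced by '/'."""
    if not original_uri or not original_uri.startswith("/") or original_uri.startswith("//"):
        return "/"
    parts = urlsplit(original_uri)
    if parts.scheme or parts.netloc:
        return "/"
    return original_uri


def decide(headers):
    """Return (status, extra_headers) for one auth subrequest.

    `headers` is a case-insensitive mapping of the headers nginx forwarded
    (Cookie, X-Original-URI)."""
    cookie = SimpleCookie(headers.get("Cookie", ""))
    session = cookie["session"].value if "session" in cookie else None
    if session in VALID_SESSIONS:
        return 200, {}
    target = safe_return_path(headers.get("X-Original-URI", "/"))
    location = IDP_LOGIN_URL + "?" + urlencode({"return_to": target})
    return 401, {"Location": location}


class AuthHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        status, extra = decide(self.headers)
        self.send_response(status)
        for name, value in extra.items():
            self.send_header(name, value)
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):  # keep the example quiet
        pass


if __name__ == "__main__":
    # listen where the first question's proxy_pass points (assumption)
    HTTPServer(("127.0.0.1", 9090), AuthHandler).serve_forever()
```

The nginx side needs `proxy_set_header X-Original-URI $request_uri;` in the auth location (as in the second question's config) for the return path to reach the backend; with `error_page 401 = /auth_redirect;` the browser sees only the final 302, never the 401.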

Nginx forward proxy based on header value

I want to use nginx as a forward proxy, but rewrite the URL (also the host part) based on a header value.
Suppose the browser connects to nginx on port 8888 with a regular HTTP request. The header has the pair:
X-myattribute: https://somehost.com
nginx should proxy_pass to https://somehost.com
My nginx.conf is now:
server {
    listen 8888;
    proxy_connect;
    proxy_max_temp_file_size 0;
    resolver 8.8.8.8;
    location / {
        # the request header X-myattribute is exposed by nginx as $http_x_myattribute
        proxy_pass https://$http_x_myattribute;
        # proxy_pass http://$http_host$uri$is_args$args;
        proxy_set_header Host $http_host;
    }
}
but I get:
2018/08/16 19:44:08 [error] 9#0: *1 invalid port in upstream "https://somehost.com:443", client: 172.17.0.1, server: , request: "GET / HTTP/1.1", host: "localhost:8888"
2018/08/16 19:47:25 [error] 9#0: *1 invalid URL prefix in "https://somehost.com:443", client: 172.17.0.1, server: , request: "GET / HTTP/1.1", host: "localhost:8888"
(two lines, depending on whether I set proxy_pass http://$X-myattribute, proxy_pass https://$X-myattribute or proxy_pass $X-myattribute. Assume X-myattribute always has http:// or https://)
Any suggestion?
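Two things are worth checking before this question's setup is put in front of real traffic, and the following added example (not from the question, not nginx code) shows both. First, the header value already carries a scheme, so prefixing another one in proxy_pass produces a doubled scheme; the "invalid port" error above is what that looks like once nginx strips the first scheme and tries to parse the rest as host:port. Second, proxying to whatever URL a request header names lets the sender pick the upstream, so the value must be validated against an allowlist before nginx uses it. The validation below can run as an auth_request subrequest that hands the cleaned value back in a response header, or as the check inside a small sidecar; `ALLOWED_HOSTS` and the header name are assumptions, and `nginx_header_variable` shows the `$http_*` name nginx actually derives from a header.

```python
"""Validate a header-supplied upstream before nginx proxies to it.

Added example, not from the question. Parses the header value, allows only
http/https, only allowlisted hosts, only the scheme's default port, and no
embedded credentials, and returns the pieces nginx can use without a
doubled scheme.
"""
from urllib.parse import urlsplit

ALLOWED_HOSTS = {"somehost.com", "api.somehost.com"}  # constructed allowlist
DEFAULT_PORTS = {"http": 80, "https": 443}


class BadUpstream(ValueError):
    """Raised for any header value the proxy must refuse."""


def parse_upstream(header_value):
    """Return (scheme, host, port) for an acceptable header value, else raise."""
    if not header_value:
        raise BadUpstream("missing header")
    parts = urlsplit(header_value.strip())
    if parts.scheme not in DEFAULT_PORTS:
        raise BadUpstream("scheme must be http or https: %r" % parts.scheme)
    if parts.username or parts.password:
        raise BadUpstream("credentials in upstream URL are not allowed")
    host = (parts.hostname or "").lower().rstrip(".")
    if host not in ALLOWED_HOSTS:
        raise BadUpstream("host not in allowlist: %r" % host)
    try:
        port = parts.port  # raises ValueError for a non-numeric port
    except ValueError as exc:
        raise BadUpstream("malformed port") from exc
    port = port or DEFAULT_PORTS[parts.scheme]
    if port != DEFAULT_PORTS[parts.scheme]:
        raise BadUpstream("non-default port not allowed: %d" % port)
    return parts.scheme, host, port


def upstream_for_nginx(header_value):
    """The string to hand nginx as `proxy_pass $upstream;` (scheme included once)."""
    scheme, host, port = parse_upstream(header_value)
    return "%s://%s:%d" % (scheme, host, port)


def nginx_header_variable(header_name):
    """nginx exposes request header X-myattribute as $http_x_myattribute:
    lowercase, with dashes turned into underscores."""
    return "$http_" + header_name.lower().replace("-", "_")
```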

[Nginx][Gogs] Serving gogs through nginx

I'm running into an issue setting up Gogs behind Nginx on my Raspberry Pi.
I just want to be able to redirect http://raspberry-ip-address:3000 to http://raspberry-ip-address/gogs.
Below is my nginx virtualhost conf:
server {
    listen 80;
    server_name localhost;
    location /gogs/ {
        proxy_pass http://localhost:3000;
    }
}
When I go to http://raspberry-ip-address:3000, I get the installation page from Gogs, so Gogs is running well.
When I go to http://raspberry-ip-address/gogs, I get a 404 Not Found error; however, the log from Gogs is somehow "reacting", because I get:
[Macaron] 2016-08-24 14:40:30: Started GET /gogs/ for 127.0.0.1
[Macaron] 2016-08-24 14:40:30: Completed /gogs/ 302 Found in 1.795306ms
2016/08/24 14:40:30 [D] Session ID: 8e0bbb6ab5478dde
2016/08/24 14:40:30 [D] CSRF Token: YfL58XxZUDgwim9qBCosC7EXIGM6MTQ3MTk4MDMxMzMxMTQ3MjgzOQ==
For more information here is my nginx/error.log :
request: "GET /localhost HTTP/1.1", host: "192.168.1.15"
2016/08/24 14:40:30 [error] 3191#0: *4 open() "/usr/share/nginx/html/install" failed (2: No such file or directory), client: 192.168.1.12, server: localhost, request: "GET /install HTTP/1.1", host: "192.168.1.15"
It seems to me that Nginx is not redirecting the request correctly. Any idea?
Thanks ;)
For me the following config works:
location /gogs/ {
    proxy_pass http://localhost:3000/;
}
but the following (what you posted) produces the error you mentioned:
location /gogs/ {
    proxy_pass http://localhost:3000;
}
Note the / at the end of the URL.
An HTTP redirect (30x) does not solve the problem, because it will redirect to localhost, which is not the Raspberry Pi but the computer that makes the request.
Complete nginx conf in /etc/nginx/nginx.conf:
user nginx;
worker_processes 1;
events {
    worker_connections 1024;
}
http {
    include mime.types;
    default_type application/octet-stream;
    sendfile on;
    keepalive_timeout 65;
    server {
        listen 80;
        server_name localhost;
        location / {
            root /usr/share/nginx/html;
            index index.html index.htm;
        }
        location /git/ {
            proxy_pass http://127.0.0.1:3333/;
        }
        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
            root /usr/share/nginx/html;
        }
    }
}
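The trailing slash matters because of how proxy_pass rewrites the request URI, and the logs in the question fit that rule: without the slash, Gogs received `/gogs/` (the Macaron line), answered 302 to `/install`, and the browser then asked nginx for `/install`, which fell into `location /` and the static root, hence the `open() "/usr/share/nginx/html/install"` error. The following added example (not nginx source, not from the thread) models the documented rule: if proxy_pass has a URI part (anything after host:port, even just `/`), the part of the request matching the location prefix is replaced by that URI; without a URI part the request URI is passed through unchanged.

```python
"""Model of nginx's proxy_pass URI rewriting for prefix locations.

Added example, not nginx code. Shows why `proxy_pass http://localhost:3000/;`
(with URI part) strips the /gogs/ prefix while `proxy_pass http://localhost:3000;`
(no URI part) forwards /gogs/... unchanged.
"""
from urllib.parse import urlsplit


def upstream_request_uri(location_prefix, proxy_pass, request_uri):
    """Return the path (plus query) nginx sends upstream for a prefix location."""
    if not request_uri.startswith(location_prefix):
        raise ValueError("request does not match location prefix")
    target = urlsplit(proxy_pass)
    req = urlsplit(request_uri)
    query = "?" + req.query if req.query else ""
    if target.path == "":
        # proxy_pass http://host:port;  -> request URI passed through unchanged
        return req.path + query
    # proxy_pass http://host:port/some/;  -> matched prefix replaced by the URI part
    return target.path + req.path[len(location_prefix):] + query


def explain(location_prefix, proxy_pass, request_uri):
    """One-line trace of what the upstream application will see."""
    return "%s -> %s" % (request_uri, upstream_request_uri(location_prefix, proxy_pass, request_uri))


if __name__ == "__main__":
    for pp in ("http://localhost:3000", "http://localhost:3000/"):
        print("proxy_pass %s;" % pp, explain("/gogs/", pp, "/gogs/install"))
```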

nginx not caching response from reverse proxy

http://nginx.org/en/docs/http/ngx_http_memcached_module.html
Basic config is here:
worker_processes 2;
events {
    worker_connections 1024;
}
error_log /var/log/nginx/nginx_error.log warn;
error_log /var/log/nginx/nginx_error.log info;
http {
    upstream backend {
        server localhost:3000;
    }
    server {
        listen 80;
        location / {
            set $memcached_key $uri;
            memcached_pass 127.0.0.1:11211;
            error_page 404 = @fallback;
        }
        location @fallback {
            proxy_pass http://backend;
        }
    }
}
It reverse-proxies the request when hitting port 80, but the logs always say:
2016/08/23 15:25:19 [info] 68964#0: *4 key: "/users/12" was not found by memcached while reading response header from upstream, client: 127.0.0.1, server: , request: "GET /users/12 HTTP/1.1", upstream: "memcached://127.0.0.1:11211", host: "localhost"
The Nginx memcached module does not write to the memcached server. You should do this in your backend (for example PHP) using the same key as $memcached_key.
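What the backend has to do is store its response under exactly the key nginx will look up next time, which with `set $memcached_key $uri;` is the request path without the query string. The following added example (not from the thread) models the whole flow with an in-memory stand-in for memcached so it runs offline; the `FakeMemcached` class, the `USERS` data and the `/users/<id>` route are constructed, and with a real server you would swap in a memcached client exposing the same `get`/`set` calls.

```python
"""Backend side of the nginx memcached_pass + @fallback pattern.

Added example, not from the thread. memcached_pass only reads: on a miss it
returns 404, error_page sends that to @fallback, and the backend there must
populate the cache itself, under the key nginx derived from $uri.
"""
from urllib.parse import urlsplit


class FakeMemcached:
    """Stand-in for a memcached client: get() returns None on a miss."""

    def __init__(self):
        self.store = {}

    def get(self, key):
        return self.store.get(key)

    def set(self, key, value):
        self.store[key] = value


USERS = {"12": b'{"id": 12, "name": "alice"}'}  # constructed backend data


def cache_key_for(request_uri):
    """Mirror `set $memcached_key $uri;`: path only, no query string."""
    return urlsplit(request_uri).path


def backend(request_uri, cache):
    """The app behind @fallback: build the response and write it to the cache
    under the same key nginx's memcached_pass will use on the next request."""
    path = cache_key_for(request_uri)
    if not path.startswith("/users/"):
        return 404, b"not found"
    body = USERS.get(path[len("/users/"):])
    if body is None:
        return 404, b"not found"   # negative results are not cached here
    cache.set(path, body)          # key == $uri, value == raw response body
    return 200, body


def nginx_request(request_uri, cache, log):
    """Model of `location / { memcached_pass ...; error_page 404 = @fallback; }`."""
    key = cache_key_for(request_uri)
    hit = cache.get(key)
    if hit is not None:
        log.append("HIT %s" % key)
        return 200, hit
    log.append('key: "%s" was not found by memcached' % key)  # the log line from the question
    return backend(request_uri, cache)
```

One caveat the pattern carries: nginx serves whatever sits under the key to anyone who requests that path, with no authorization check, so only responses that are safe to share between users belong under a key that is nothing more than $uri.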

xml sitemap forbidden for access via nginx

My nginx site configuration:
upstream nodeName {
    server serverIp:7050;
    server serverIp:7049 backup;
}
server {
    listen 80;
    server_name domain.com;
    gzip_types application/x-javascript text/css;
    access_log /pathToLogs/log.access.log;
    location / {
        proxy_pass http://nodeName/;
    }
    location ~ ^/(min/|images/|bootstrap/|ckeditor/|img/|javascripts/|apple-touch-icon-ipad.png|apple-touch-icon-ipad3.png|apple-touch-icon-iphone.png|apple-touch-icon-iphone4.png|generated/|js/|css/|stylesheets/|robots.txt|humans.txt|favicon.ico|xml/) {
        root /pathToSite/appdirectory-build;
        access_log off;
        expires max;
    }
}
I want to get sitemap.xml by url http://example.com/xml/sitemap.xml but it gives me
403 Forbidden
nginx/1.4.6 (Ubuntu)
Update
In nginx error log file:
2014/10/09 [error] 16094#0: *49762240 open() "/pathToSite/appdirectory-build/xml/sitemapCallEn.xml" failed (13: Permission denied), client: Ip, server: domain.com, request: "GET /xml/sitemapCallEn.txt HTTP/1.1", host: "domain"
How do I change the permissions and allow nginx to open the xml file?
Look into the nginx error log. You will find the answer there. It's likely a file permission issue.
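The error log line already names the cause (`open() ... failed (13: Permission denied)`); what it does not say is which step of the path the worker user fails at, since every directory on the way needs search (x) permission and the file itself needs read. The following added example (not from the thread) walks a path the way the worker would for a chosen uid and set of gids, reporting the first component that denies access, so the fix can be a targeted chmod/chown rather than a blanket permission change. It only models mode bits: ACLs, SELinux/AppArmor and capabilities are out of scope, so a reported denial is a real cause, but a clean walk is not a proof. The `start` parameter and the sample tree built in the test are assumptions.

```python
"""Walk a path as the nginx worker user would, reporting the first denial.

Added example, not from the thread. Equivalent to reading `namei -l` output by
hand, but for an arbitrary uid/gid set so it can answer "can www-data open
this file?" without switching users. Mode bits only.
"""
import os
import stat


def _mode_allows(st, uid, gids, bit_owner, bit_group, bit_other):
    """Apply the owner/group/other mode bits for the given identity."""
    if uid == 0:                      # root bypasses mode bits (not ACLs/MAC)
        return True
    if st.st_uid == uid:
        return bool(st.st_mode & bit_owner)
    if st.st_gid in gids:
        return bool(st.st_mode & bit_group)
    return bool(st.st_mode & bit_other)


def first_denied_component(path, uid, gids, start=os.sep):
    """Return (component_path, reason) for the first step that fails, or None.

    Directories from `start` down need search (x); the final file needs read.
    `start` limits the walk to a subtree (default: the filesystem root)."""
    path = os.path.abspath(path)
    start = os.path.abspath(start)
    rel = os.path.relpath(path, start)
    if rel.startswith(".."):
        raise ValueError("path is not under start")
    parts = [] if rel == "." else rel.split(os.sep)
    steps = [start]
    for part in parts:
        steps.append(os.path.join(steps[-1], part))
    for i, current in enumerate(steps):
        try:
            st = os.stat(current)
        except FileNotFoundError:
            return current, "does not exist"
        final_file = i == len(steps) - 1 and not stat.S_ISDIR(st.st_mode)
        if final_file:
            ok = _mode_allows(st, uid, gids, stat.S_IRUSR, stat.S_IRGRP, stat.S_IROTH)
            why = "no read permission"
        else:
            ok = _mode_allows(st, uid, gids, stat.S_IXUSR, stat.S_IXGRP, stat.S_IXOTH)
            why = "no search (x) permission"
        if not ok:
            return current, "%s (mode %04o, owner uid %d)" % (why, stat.S_IMODE(st.st_mode), st.st_uid)
    return None


if __name__ == "__main__":
    import sys
    # usage: python check.py /pathToSite/appdirectory-build/xml/sitemap.xml <uid> [gid ...]
    target, uid = sys.argv[1], int(sys.argv[2])
    result = first_denied_component(target, uid, {int(g) for g in sys.argv[3:]})
    print("ok" if result is None else "%s: %s" % result)
```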
