Nginx, apache http authentication – Valuable Tech Notes

I have an nginx reverse proxy server which feeds into a varnish cache with an apache backend.

The php is running as a fastcgi process started from apache.

I was attempting to get some php software working however the basic HTTP Authentication dialog was not accepting any usernames or passwords. I did some digging around and came up with this to put in a .htaccess file:

RewriteEngine On
RewriteRule .* - [E=REMOTE_USER:%{HTTP:Authorization},L]

This has fixed the authentication issue with the basic HTTP auth.

Now I've been attempting to work out what exactly this has done, so my question is: why did adding this rewrite rule make the authentication start working?

All I could come up with at the moment is that somewhere along the chain of nginx -> varnish -> apache, apache was not recieving the auth headers. I would like to understand what is going on here so I can implement a change on the server level that will stop this from occuring elsewhere.

Can someone please clarify?

Thank you

Best Answer

Loosing track of HTTP Authentication seems to be not an issue of nginx or Varnish.

This rewrite rule is not for making authentication header fields accessible to Apache but to the Fast-CGI backend (assuming authentication should be recognized inside PHP).

Authentication headers are usually hidden from Fast-CGI. You can

either use this RewriteRule hack to set the REMOTE_USER environment variable by hand;
or the mod_fastcgi configuration variable to pass headers to Fast-CGI:

FastCgiServer:
[...]

-pass-header header (none)

The name of an HTTP Request Header to be passed in the request environment. This option makes available the contents of headers which are normally not available (e.g. Authorization) to a CGI environment

[...]

Best Answer

Related Solutions

How to prevent Apache from exposing a user’s password

Nginx pass REMOTE_USER to apache2

Related Topic