Nginx – Pass a cookie back to a user before proxy_pass

nginx

I've been setting up an nginx reverse proxy to handle requests based on logging in against a LDAP database. The basic guide is here https://github.com/nginxinc/nginx-ldap-auth . The problem I have is that I want to set an expiry time on the cookie (easy to do), and that every time any resource is accessed, the expiry time gets bumped ten minutes into the future. I don't have access to the code beyond the proxy, so I can't get that to update the cookie, but I do have some python code which receives the auth_request. What I would ideally like is for the cookie to be returned to the user, and then redirected to the proxy_pass.

Here is a fragment of my nginx.conf

server {
    listen 80;
    location / {
         auth_request /auth_proxy; #the python authentication routine checks the cookie at this address.
         error_page 401 403 =200 /login #Python login page
         proxy_pass http://ADifferentServerWhenLoggedIn.org.
    }
}

Thanks

Best Answer

What you could do is following the example provided in the docs for auth_request and provide a location corresponding to the authentication path.

You could then use add_header to insert HTTP headers such as Set-Cookie.

Related Solutions

Nginx : backend https, proxy_pass shows ip

proxy_redirect off should do the trick. I think you should also change your proxy_pass to use SSL if you want to use SSL for your backend. Although a Unix socket would be much better to tighten security and still keep a fast connection.

My recommended nginx.conf:

# /etc/nginx/nginx.conf

user www-data;
worker_processes 2; # Do you really have two CPU cores?
events {
  multi_accept        on;
  worker_connections  768;
  use                 epoll;
}
http {
  charset                         utf-8;
  client_body_timeout             65;
  client_header_timeout           65;
  client_max_body_size            10m;
  default_type                    application/octet-stream;
  index                           index.html index.php /index.php;
  keepalive_timeout               20;
  reset_timedout_connection       on;
  send_timeout                    65;
  sendfile                        on;
  server_names_hash_bucket_size   64;
  tcp_nodelay                     off;
  tcp_nopush                      on;
  gzip              on;
  gzip_buffers      32 4k;
  gzip_comp_level   2;
  gzip_disable      "msie6";
  gzip_http_version 1.1;
  gzip_min_length   1100;
  gzip_proxied      any;
  gzip_static       on;
  gzip_types
    #text/html is always compressed by HttpGzipModule
    text/css
    text/plain
    application/javascript
    application/x-javascript
    application/json
    application/x-json
    application/rss+xml
    application/xml
    application/vnd.ms-fontobject
    font/truetype
    font/opentype
    image/x-icon
    image/svg+xml;
  gzip_vary         on;
  include                        mime.types;
  include                        conf.d/*.conf;
  include                        sites-enabled/*;
}

My recommended virtual host configuration:

# /etc/nginx/sites-available/default.conf

proxy_cache_key "$scheme://$host$request_uri";
proxy_cache_path /var/cache/nginx levels=1:2 keys_zone=cache:10m inactive=7d max_size=700m;

server {
  listen 80;
  server_name example.com;
  access_log off;
  root /var/www;

  # Consider using a map for this! If is bad!
  if ($request_method !~ ^(GET|HEAD|POST)$ ) {
    return 444;
  }

  location / {
    proxy_redirect off;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwared-For $proxy_add_x_forwarded_for;
    proxy_intercept_errors on;
    proxy_buffering on;
    proxy_pass http://127.0.0.1:port$request_uri;
  }
}

Have a look at my nginx configuration at GitHub for more advanced stuff (not finished yet, have to write more comments first): https://github.com/Fleshgrinder/nginx

Nginx – Inconsistent behavior with Nginx’s auth_request_set and more_set_input_headers

This behaviour is likely due to the fact that more_set_input_headers handler is executed before access phase (where auth_request works), and hence only changes a request if it's internally redirected.

Solution to the problem is to stop using more_set_input_headers (it's anyway very wrong, request headers shouldn't be changed) and use native fastcgi_param instead:

fastcgi_param HTTP_X_TEST_HEADER $auth_header;

Copied from http://mailman.nginx.org/pipermail/nginx/2014-June/044281.html.

Best Answer

Related Solutions

Nginx : backend https, proxy_pass shows ip

Nginx – Inconsistent behavior with Nginx’s auth_request_set and more_set_input_headers

Related Topic