Nginx – Reverse proxy to IIS6 with auth

authenticationhttpiis-6nginxreverse-proxy

for testing purpose, i've setup a nginx reverse proxy for an IIS6 server, this works OK.

But when i try to use "windows authentication" on the IIS6 web site, the browser auth input doesn't get's there.

After some reading, i found the obvious 🙂
nginx doesn't support HTTP/1.1 for reverse proxy yet!

My question: Does anyone knows a "workaround" for this type of request?

Thanks

Best Answer

I've partially got this working in a test environment here.

Background

We have IIS6 serving our intranet CMS (the CMS is an ISAPI plugin). This is with the site setup in IIS for integrated windows authentication (for both security & user personalisation).

I want to get gzip compression enabled but due to some of the features we have switched on in our CMS we can't do this via IIS's gzip settings (it crashes upon every request to the CMS if we do).

So, I'm currently testing a setup with an nginx reverse proxy infront of IIS doing the content gzipping.

What works/what doesn't?

IE6/7 auth via this setup still works fine, I didn't have to make any changes.

Firefox however needed a change. Before, without nginx, Firefox had network.automatic-ntlm-auth.trusted-uris set to allow our intranet server to do transparent NTLM auth. Once nginx was part of the mix you'd just get repeatedly shown the site login box and your credentials would never be accepted. However, adding the intranet server to network.negotiate-auth.trusted-uris fixed this (for Firefox on Windows but not on OS X). It seems the authentication method may have changed slightly? Where allowing NTLM auth before worked fine it now seems to be doing SPENGO?

So the current situation with nginx in front of IIS6 has left me with:

Works

IE6 on XP
IE7 on XP
FF3.5 on XP (after changing about:config)

Doesn't work (credentials never accepted)

FF3.5 on OS X
Safari 3 on OS X
Safari 4 on XP
Blackberry 8700 (Simulator)
Blackberry 9000 (Simulator)

At a guess as to why mine (partially) works and yours doesn't... Possibly something crucial to proxying the auth handshake that's in my config but missing from yours? Such as forwarding the real client IP? The relevant server section of my nginx config is below if you want to give it a try.

server {
    listen 80;
    server_name testintralive;

    location / {
        proxy_pass http://localhost:81;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_max_temp_file_size 0;
        proxy_connect_timeout 30;
        proxy_read_timeout 120;
    }
}

Related Solutions

NGINX Reverse Proxy – URL Rewrite

Any redirect to localhost doesn't make sense from a remote system (e.g. client's Web browser). So the rewrite flags permanent (301) or redirect (302) are not usable in your case.

Please try following setup using a transparent rewrite rule:

location  /foo {
  rewrite /foo/(.*) /$1  break;
  proxy_pass         http://localhost:3200;
  proxy_redirect     off;
  proxy_set_header   Host $host;
}

Use curl -i to test your rewrites. A very subtle change to the rule can cause nginx to perform a redirect.

Nginx reverse proxy – passthrough basic authenication

I think nginx is blocking request headers and not sending them to IIS. Try setting

proxy_pass_request_headers on;

on your location block.

Greetings.

Best Answer

Related Solutions

NGINX Reverse Proxy – URL Rewrite

Nginx reverse proxy – passthrough basic authenication

Related Topic