auth http request module of nginx is not working giving 500 error
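I am trying to configure http_auth_request_module, but my authentication request URL is not working. If I pass "return 200" instead of the proxy_pass URL, it works, but not with the proxy_pass based URL.
What is the procedure and the request URL pattern that needs to be passed to get the status code from the URL?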
server {
    server_name xx.xx6.1x5.1x5;
    listen 80;
    client_max_body_size 4G;
    access_log /home/ubuntu/logs/nginx-access.log;
    error_log /home/ubuntu/logs/nginx-error.log;

    location / {
        auth_request /auth;
        error_page 401 = @error401;
        auth_request_set $user $upstream_http_x_forwarded_user;
        proxy_set_header X-Forwarded-User $user;
        proxy_pass http://1x.2xx.22x.1x4:9200;
    }

    location @error401 {
        return 302 https://gmail.com;
    }

    location /auth {
        internal;
        #return 200; ##it's working
        proxy_pass https://google.com; ##it's not working giving error 500
        proxy_pass_request_body off;
        proxy_set_header Content-Length "";
        proxy_set_header X-Original-URI $request_uri;
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
This is how it works on my server. The nginx config is:
location ~ ^/attached {
    auth_request /auth-here;
}

location /auth-here {
    proxy_pass http://example.com/auth.php;
    proxy_pass_request_body off;
    proxy_set_header Content-Length "";
    proxy_set_header X-Original-URI $request_uri;
}

location / {
    try_files $uri $uri/ @rewrites;
}

location @rewrites {
    rewrite ^/apple /favicon.ico break;
    rewrite ^ /index.php last;
}
Then the contents of auth.php:
<?php
session_start();
// check whether the user is logged in - using whatever mechanism your application is using
// (placeholder: the 'logged_in' session key is an assumption, replace it with your own check)
$logged_in = !empty($_SESSION['logged_in']);
if (!$logged_in) {
    // the Basic auth fields are absent when no Authorization header was sent
    $u = trim($_SERVER['PHP_AUTH_USER'] ?? '');
    $p = trim($_SERVER['PHP_AUTH_PW'] ?? '');
    // if no Authorization provided - ask for one
    if ($u == '' OR $p == '') {
        header('WWW-Authenticate: Basic realm="Your session timed out - login again"');
        header('HTTP/1.0 401 Unauthorized');
        echo 'Bad login - wrong username or password';
        die;
    } else {
        // try to login using the provided credentials
        // (tryLogin() is your application's own credential check)
        if (tryLogin($u, $p)) {
            // we are now logged in
        } else {
            // could not login - ask authorization again
            header('WWW-Authenticate: Basic realm="Your session timed out - login again"');
            header('HTTP/1.0 401 Unauthorized');
            echo 'Bad login - wrong username or password';
            die;
        }
    }
}
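Basically, if the user is logged in, we do nothing. If he/she is not logged in, we ask for credentials (or you can simply return 403).
Check the sub-request authentication: if the sub-request authentication succeeds, it gives 200 and the parent request passes through.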
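An added example (not from the original question or answers) of an auth endpoint that fits the `auth_request /auth` contract: the nginx auth_request module allows the request on a 2xx subrequest response, denies it on 401 or 403, and treats any other subrequest status as an error. The user table, the `/admin` rule and port 9000 are assumptions; `X-Original-URI` and `X-Forwarded-User` are the headers the configs above already use.

```python
import base64
import hmac
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed demo data (assumption); replace with your application's user store.
USERS = {"alice": "correct horse", "bob": "hunter2 demo"}
ADMINS = {"alice"}

def check_auth(headers):
    """Return (status, response_headers) for an auth_request subrequest.

    Only 200, 401 or 403 is ever returned, because nginx treats any other
    subrequest status (redirect, 404, 5xx) as an error.
    """
    challenge = {"WWW-Authenticate": 'Basic realm="login"'}
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "basic" or not token:
        return 401, challenge
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except ValueError:  # malformed base64 or invalid UTF-8
        return 401, challenge
    user, sep, password = decoded.partition(":")
    expected = USERS.get(user)
    # Constant-time password comparison for known users.
    if not sep or expected is None or not hmac.compare_digest(
            password.encode(), expected.encode()):
        return 401, challenge
    # Hypothetical policy: /admin is limited to ADMINS. The original URI
    # arrives in X-Original-URI, set by the nginx auth location.
    if headers.get("X-Original-URI", "/").startswith("/admin") and user not in ADMINS:
        return 403, {}
    # nginx can read this via $upstream_http_x_forwarded_user.
    return 200, {"X-Forwarded-User": user}

class AuthHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        status, extra = check_auth(self.headers)
        self.send_response(status)
        for name, value in extra.items():
            self.send_header(name, value)
        self.send_header("Content-Length", "0")
        self.end_headers()

    do_POST = do_HEAD = do_GET  # answer the same way whatever the method

if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 9000), AuthHandler).serve_forever()
```

With this running, the `/auth` location would use `proxy_pass http://127.0.0.1:9000;` in place of an external site.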