headers 认证后从 apache 到 nginx
headers from apache to nginx after authentication
我有 Nginx 服务器向 Apache 服务器发送受保护内容的请求,Apache 转而转发到 Azure ADFS,使用 Apache mod_auth_openidc 进行 Azure ADFS 身份验证。
虽然下面工作正常:
Apache:443/ourapp -> Apache:6000 -> Azure ADFS -> Apache:6000 -> Apache:443/ourapp
但是一旦在如下设置中引入 nginx,浏览器就会出错 pops-up“在继续请求中找不到非空 header(se_custid/ein)”。 =15=]
Nginx:443/ourapp -> Apache:6000-> Azure ADFS -> Apache:6000 -> Nginx:443/ourapp
Apache 配置:
<Location /ourapp>
AuthType openid-connect
Require valid-user
</Location>
LoadModule auth_openidc_module modules/mod_auth_openidc.so
OIDCProviderMetadataURL https://login.microsoftonline.com/XXXX_XXX-xxx-XXXXXX/v2.0/.well-known/openid-configuration
OIDCClientID XXXXXXXXXXXXXXX
OIDCClientSecret XXXXXXXXXX
OIDCRedirectURI https://forever-authcheck.tire1network.com:6000/ourapp
OIDCCryptoPassphrase XXXXXXXXXXXX
OIDCScope "openid email profile"
#OIDCRemoteUserClaim email
OIDCProviderAuthorizationEndpoint https://login.microsoftonline.com/XXXX_XXX-xxx-XXXXXX/oauth2/v2.0/authorize
OIDCProviderTokenEndpoint https://login.microsoftonline.com/XXXX_XXX-xxx-XXXXXX/oauth2/v2.0/token
#OIDCPKCEMethod S256
OIDCPassIDTokenAs claims
OIDCCookiePath /
OIDCCookieDomain forever-authcheck.tire1network.com
OIDCCookie APP-OIDC-SESSION
OIDCCookieHTTPOnly On
OIDCSessionInactivityTimeout 600
OIDCSessionMaxDuration 36006
<VirtualHost *:6000>
ProxyPreserveHost On
ErrorLog /var/log/httpd/voidcerror.log
LogLevel debug
ServerName forever-authcheck.tire1network.com
Header always set Access-Control-Allow-Origin "*"
Header always set Access-Control-Allow-Methods "POST, GET, OPTIONS, DELETE, PUT"
Header always set Access-Control-Max-Age "1000"
Header always set Access-Control-Allow-Headers "x-requested-with, Content-Type, origin, authorization, accept, client-security-token"
ProxyPreserveHost On
Header set ein %{OIDC_CLAIM_EIN}e
ProxyPass /ourapp/ forever-authcheck.tire1network.com/in/
ProxyPassReverse /ourapp/ forever-authcheck.tire1network.com/in/
ProxyPreserveHost On
ServerName forever-authcheck.tire1network.com
SSLEngine on
SSLCertificateFile "/etc/pki/outcert/Certificate.pem"
SSLCertificateKeyFile "/etc/pki/outcert/CertificateKey.pem"
SSLCertificateChainFile "/etc/pki/outcert/CertificateChain.p12"
</VirtualHost>
Nginx 配置:
nginx:80
location /ourapp/ {
proxy_ssl_server_name on;
proxy_pass https://forever-authcheck.tire1network.com:6000;
proxy_set_header se-journey "direct";
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Forwarded-Host $remote_addr;
proxy_redirect default;
proxy_ssl_certificate /etc/pki/outcert/Certificate.pem;
proxy_ssl_certificate_key /etc/pki/outcert/CertificateKey.pem;
proxy_ssl_verify off;
}
问题:如何将正确的 headers 从 apache 转发到 nginx
我认为需要转发给 nginx 的有趣 headers apache 是“{OIDC_CLAIM_EIN}”
好吧,围绕理解做了一些 tshoot,部署了另一个临时设置以理解挖掘更多日志。
这里是目前理解的User Request -> Nginx:443/ourapp -> Apache:6000-> Azure ADFS -> Azure Returns URL到浏览器 -> 浏览器请求返回的URL
通过仔细查看日志,很清楚发生了什么,
更多关于这个帮助它理解它 more
调整 ngnix 以发送正确的 headers 端口和正确的主机后,
proxy_set_header X-Forwarded-Port "443";
proxy_set_header X-Forwarded-Host "forever-authcheck.tire1network.com";
这导致 apache 和 mod_auth_openidc 为 original_url 设置了正确的 cookie。
现在重定向工作正常,索赔到达 NGINX 和我们的应用程序。
我有 Nginx 服务器向 Apache 服务器发送受保护内容的请求,Apache 转而转发到 Azure ADFS,使用 Apache mod_auth_openidc 进行 Azure ADFS 身份验证。
虽然下面工作正常:
Apache:443/ourapp -> Apache:6000 -> Azure ADFS -> Apache:6000 -> Apache:443/ourapp
但是一旦在如下设置中引入 nginx,浏览器就会出错 pops-up“在继续请求中找不到非空 header(se_custid/ein)”。 =15=]
Nginx:443/ourapp -> Apache:6000-> Azure ADFS -> Apache:6000 -> Nginx:443/ourapp
Apache 配置:
<Location /ourapp>
AuthType openid-connect
Require valid-user
</Location>
LoadModule auth_openidc_module modules/mod_auth_openidc.so
OIDCProviderMetadataURL https://login.microsoftonline.com/XXXX_XXX-xxx-XXXXXX/v2.0/.well-known/openid-configuration
OIDCClientID XXXXXXXXXXXXXXX
OIDCClientSecret XXXXXXXXXX
OIDCRedirectURI https://forever-authcheck.tire1network.com:6000/ourapp
OIDCCryptoPassphrase XXXXXXXXXXXX
OIDCScope "openid email profile"
#OIDCRemoteUserClaim email
OIDCProviderAuthorizationEndpoint https://login.microsoftonline.com/XXXX_XXX-xxx-XXXXXX/oauth2/v2.0/authorize
OIDCProviderTokenEndpoint https://login.microsoftonline.com/XXXX_XXX-xxx-XXXXXX/oauth2/v2.0/token
#OIDCPKCEMethod S256
OIDCPassIDTokenAs claims
OIDCCookiePath /
OIDCCookieDomain forever-authcheck.tire1network.com
OIDCCookie APP-OIDC-SESSION
OIDCCookieHTTPOnly On
OIDCSessionInactivityTimeout 600
OIDCSessionMaxDuration 36006
<VirtualHost *:6000>
ProxyPreserveHost On
ErrorLog /var/log/httpd/voidcerror.log
LogLevel debug
ServerName forever-authcheck.tire1network.com
Header always set Access-Control-Allow-Origin "*"
Header always set Access-Control-Allow-Methods "POST, GET, OPTIONS, DELETE, PUT"
Header always set Access-Control-Max-Age "1000"
Header always set Access-Control-Allow-Headers "x-requested-with, Content-Type, origin, authorization, accept, client-security-token"
ProxyPreserveHost On
Header set ein %{OIDC_CLAIM_EIN}e
ProxyPass /ourapp/ forever-authcheck.tire1network.com/in/
ProxyPassReverse /ourapp/ forever-authcheck.tire1network.com/in/
ProxyPreserveHost On
ServerName forever-authcheck.tire1network.com
SSLEngine on
SSLCertificateFile "/etc/pki/outcert/Certificate.pem"
SSLCertificateKeyFile "/etc/pki/outcert/CertificateKey.pem"
SSLCertificateChainFile "/etc/pki/outcert/CertificateChain.p12"
</VirtualHost>
Nginx 配置:
nginx:80
location /ourapp/ {
proxy_ssl_server_name on;
proxy_pass https://forever-authcheck.tire1network.com:6000;
proxy_set_header se-journey "direct";
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Forwarded-Host $remote_addr;
proxy_redirect default;
proxy_ssl_certificate /etc/pki/outcert/Certificate.pem;
proxy_ssl_certificate_key /etc/pki/outcert/CertificateKey.pem;
proxy_ssl_verify off;
}
问题:如何将正确的 headers 从 apache 转发到 nginx
我认为需要转发给 nginx 的有趣 headers apache 是“{OIDC_CLAIM_EIN}”
好吧,围绕理解做了一些 tshoot,部署了另一个临时设置以理解挖掘更多日志。
这里是目前理解的User Request -> Nginx:443/ourapp -> Apache:6000-> Azure ADFS -> Azure Returns URL到浏览器 -> 浏览器请求返回的URL
通过仔细查看日志,很清楚发生了什么, 更多关于这个帮助它理解它 more
调整 ngnix 以发送正确的 headers 端口和正确的主机后,
proxy_set_header X-Forwarded-Port "443";
proxy_set_header X-Forwarded-Host "forever-authcheck.tire1network.com";
这导致 apache 和 mod_auth_openidc 为 original_url 设置了正确的 cookie。
现在重定向工作正常,索赔到达 NGINX 和我们的应用程序。