nginx proxy authentication intercept

Problem description

I have a couple of services and they stand behind an nginx instance. In order to handle authentication, in nginx, I am intercepting each request and sending it to the authentication service. There, if the credentials are correct, I am setting a cookie which includes user related info.

The request should now be routed to the appropriate service, with the cookie set.

Here is my nginx config:

user  nginx;
worker_processes  1;

error_log  /var/log/nginx/error.log warn;
pid        /var/run/nginx.pid;

events {
  worker_connections  1024;
}

http {
  upstream xyz {
    server ***;
  }

  upstream auth {
    server ***;
  }

  server {
    listen       8080;
    location ~ ^/(abc|xyz)/api(/.*)?$ {
      auth_request /auth-proxy;

      set $query $2;

      proxy_pass http://$1/api$query$is_args$args;
      proxy_set_header X-Target $request_uri;
      proxy_set_header Host $http_host;
    }

    location = /auth-proxy {
      internal;
      proxy_pass http://auth;

      proxy_pass_request_body off;
      proxy_set_header Content-Length "";
      proxy_set_header X-Target $request_uri;
      proxy_set_header Host $http_host;
      proxy_set_header X-CookieName "auth";
      proxy_set_header Cookie "auth=$cookie_auth";
      proxy_set_header Set-Cookie "auth=$cookie_auth";
      proxy_cookie_path / "/; Secure; HttpOnly";
      add_header Cookie "auth=$cookie_auth";
      add_header Set-Cookie "auth=$cookie_auth";
    }
  }
}

If I make a request to /auth-proxy with an x-target header set manually, the response contains the cookie as expected.

If I make a request to the desired target, the request is intercepted, it reaches /auth-proxy which correctly sets the cookie. However, when the request reaches the target, it does not contain the cookie.

I assume that nginx is not forwarding the cookie when doing the target request.

I've been struggling with this for the last couple of days... what am I missing?

Thanks!

Recommended answer

I've finally figured it out. I used auth_request_set to read the cookie from the auth response and I manually set it both on the response to the caller and on the subsequent request to the target.

Because if is evil, I've added the check in Lua.

server {
  listen       8080;
  location ~ ^/(abc|xyz)/api(/.*)?$ {
    auth_request /auth-proxy;

    # read the cookie from the auth response
    auth_request_set $cookie $upstream_cookie_auth;
    access_by_lua_block {
      if not (ngx.var.cookie == nil or ngx.var.cookie == '') then
        ngx.header['Set-Cookie'] = "auth=" .. ngx.var.cookie .. "; Path=/"
      end
    }
    # add the cookie to the target request
    proxy_set_header Cookie "auth=$cookie";

    set $query $2;

    proxy_pass http://$1/api$query$is_args$args;
    proxy_set_header X-Target $request_uri;
    proxy_set_header Host $http_host;
  }
}
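
A Lua-free variant of the same idea, as an added example that is not part of the original answer: it relays the auth service's own `Set-Cookie` line (so attributes such as `Secure` and `HttpOnly` survive) and falls back to the client's cookies when the auth response carries no `auth` cookie, instead of sending an empty `auth=` upstream. The variable names `$auth_cookie`, `$auth_set_cookie` and `$forward_cookie` are assumptions chosen for this sketch; it assumes nginx 1.11.0 or later (mixed text and variable in a `map` value) and an auth service that sends a single `Set-Cookie` header.

```nginx
# Added example. Goes inside the existing http { } block; the upstream
# blocks and the /auth-proxy location stay as in the question.

# Pick the Cookie header for the target request. No regex is used here,
# so the $1/$2 captures from the location match are left untouched.
map $auth_cookie $forward_cookie {
    ""      $http_cookie;          # auth issued no cookie: keep the client's own
    default "auth=$auth_cookie";   # fresh cookie taken from the auth response
}

server {
    listen 8080;

    location ~ ^/(abc|xyz)/api(/.*)?$ {
        auth_request /auth-proxy;

        # Both variables are filled once the auth subrequest has completed.
        auth_request_set $auth_cookie     $upstream_cookie_auth;
        auth_request_set $auth_set_cookie $upstream_http_set_cookie;

        # Hand the auth service's Set-Cookie to the caller unchanged.
        # add_header emits nothing when the value is empty; "always"
        # keeps the header on error responses from the target as well.
        add_header Set-Cookie $auth_set_cookie always;

        # An empty value would drop the header, so the map above always
        # yields either the new auth cookie or the client's original cookies.
        proxy_set_header Cookie $forward_cookie;

        set $query $2;

        proxy_pass http://$1/api$query$is_args$args;
        proxy_set_header X-Target $request_uri;
        proxy_set_header Host $http_host;
    }
}
```

Validate with `nginx -t` before reloading, then confirm with a request that already carries a valid `auth` cookie that the target still receives it.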
