nginx proxy authentication intercept

authentication cookies nginx proxy interception
Horia Radu picture Horia Radu · Nov 6, 2016 · Viewed 7.1k times · Source

I have a couple of service and they stand behind an nginx instance. In order to handle authentication, in nginx, I am intercepting each request and sending it to the authentication service. There, if the credentials are are correct, I am setting a cookie which includes user related info.

The request should now be routed to the appropriate service, with the cookie set.

Here is my nginx config:

user  nginx;
worker_processes  1;

error_log  /var/log/nginx/error.log warn;
pid        /var/run/nginx.pid;

events {
  worker_connections  1024;
}

http {
  upstream xyz {
    server ***;
  }

  upstream auth {
    server ***;
  }

  server {
   listen       8080;
   location ~ ^/(abc|xyz)/api(/.*)?$ {
     auth_request /auth-proxy;

     set $query $2;

     proxy_pass http://$1/api$query$is_args$args;
     proxy_set_header X-Target $request_uri;
     proxy_set_header Host $http_host;
   }

   location = /auth-proxy {
    internal;
    proxy_pass http://auth;

    proxy_pass_request_body off;
    proxy_set_header Content-Length "";
    proxy_set_header X-Target $request_uri;
    proxy_set_header Host $http_host;
    proxy_set_header X-CookieName "auth";
    proxy_set_header Cookie "auth=$cookie_auth";
    proxy_set_header Set-Cookie "auth=$cookie_auth";
    proxy_cookie_path / "/; Secure; HttpOnly";
    add_header Cookie "auth=$cookie_auth";
    add_header Set-Cookie "auth=$cookie_auth";
  }
}

If I make a request to /auth-proxy with an x-target header set manually, the response contains the cookie as expected.

If I make a request to the desired target, the request is intercepted, it reaches /auth-proxy which correctly sets the cookie. However, when the request reaches the target, it does not contain the cookie.

I assume that nginx is not forwarding the cookie when doing the target request.

I've been struggling with this for the last couple of days... what am I missing?

Thanks!

Answer

Horia Radu picture Horia Radu · Nov 7, 2016

I've finally figured it out. I used auth_request_set to read the cookie from the auth response and I manually set it both on the response to the caller and on the subsequent request to the target.

Because if is evil, I've added the check in lua.

server {
  listen       8080;
  location ~ ^/(abc|xyz)/api(/.*)?$ {
    auth_request /auth-proxy;

    # read the cookie from the auth response
    auth_request_set $cookie $upstream_cookie_auth;
    access_by_lua_block {
      if not (ngx.var.cookie == nil or ngx.var.cookie == '') then
        ngx.header['Set-Cookie'] = "auth=" .. ngx.var.cookie .. "; Path=/"
      end
    }
    # add the cookie to the target request
    proxy_set_header Cookie "auth=$cookie";

    set $query $2;

    proxy_pass http://$1/api$query$is_args$args;
    proxy_set_header X-Target $request_uri;
    proxy_set_header Host $http_host;
  }
}

Related questions

Very simple authentication using one-time cookie on nginx

I have a site intended only for private consumption by 3 coders. It's simple HTML served by nginx directly but intended for consumption inside and outside the office. I want to have a simple password or authentication scheme. I could use …

Read More
How to use Python to login to a webpage and retrieve cookies for later usage?

I want to download and parse webpage using python, but to access it I need a couple of cookies set. Therefore I need to login over https to the webpage first. The login moment involves sending two POST params (username, …

Read More
How does cookie based authentication work?

Can someone give me a step by step description of how cookie based authentication works? I've never done anything involving either authentication or cookies. What does the browser need to do? What does the server need to do? In what …

Read More