drew

Reputation: 51

nginx auth_request to remote authentication script

I'm trying to set up an nginx reverse proxy in front of some internal servers with auth_request to protect them from unauthorized users. I have an authentication script running at 192.168.1.101/scripts/auth/user.php which is accessed inside of the /auth block. The problem is that I'd like to use a named location rather than a matching URI so that there is no risk of URI collision with the internal service (which I don't control). The following works:

server {
    listen 80;
    server_name private.domain.com;

    location /auth {
        proxy_pass http://192.168.1.101/scripts/auth/user.php;
        proxy_pass_request_body off;
        proxy_set_header Content-Length "";
        proxy_set_header X-Original-URI $request_uri;
    }

    location / {
        auth_request /auth;
        proxy_pass http://internal.domain.com;
    }
}

I'd like to replace the /auth with @auth; however, when I do, nginx throws an error during reload. I've read that the fix is to replace the proxy_pass inside of the auth location with just the IP address; however, when I do that, the auth_request never makes it to the script. Any thoughts on the correct way to proceed with this configuration?

Upvotes: 0

Views: 1948

Answers (1)

Dmitry MiksIr

Reputation: 4445

Due to some nginx restrictions, named locations can't be used for subrequests. You can prevent outside access to the auth location with the internal config option. Try this config:

location = /scripts/auth/user.php {
    internal;
    proxy_pass http://192.168.1.101;
    proxy_pass_request_body off;
    proxy_set_header Content-Length "";
    proxy_set_header X-Original-URI $request_uri;
}

location / {
    auth_request /scripts/auth/user.php;
    proxy_pass http://internal.domain.com;
}

Upvotes: 2
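The backend side of the configs above, as an added example that is not code from the question or the answer: a stand-in for the auth script that decides from the forwarded Cookie and X-Original-URI headers and answers with the status codes auth_request acts on (2xx allows, 401 or 403 denies). The `session` cookie name, the token table, the 204 reply and the listen address are assumptions made for illustration.

```python
from http.cookies import CookieError, SimpleCookie
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import unquote

# Constructed sample data: session token -> path prefixes it may reach.
SESSIONS = {"tok-alice": ("/",), "tok-bob": ("/reports/",)}


def session_token(cookie_header):
    """Extract the (assumed) 'session' cookie; None if absent or unparsable."""
    jar = SimpleCookie()
    try:
        jar.load(cookie_header)
    except CookieError:
        return None
    morsel = jar.get("session")
    return morsel.value if morsel else None


def decide(headers):
    """Status for nginx: 2xx allows, 401/403 deny, anything else is an error."""
    prefixes = SESSIONS.get(session_token(headers.get("Cookie", "")))
    if prefixes is None:
        return 401  # no valid session
    # $request_uri is the raw client URI: drop the query string, decode it,
    # and fail closed on ".." so a prefix match cannot be sidestepped.
    path = unquote(headers.get("X-Original-URI", "").split("?", 1)[0])
    if not path.startswith("/") or ".." in path.split("/"):
        return 403
    return 204 if any(path.startswith(p) for p in prefixes) else 403


class AuthHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        # auth_request acts on the status code, so no body is sent.
        self.send_response(decide(self.headers))
        self.send_header("Content-Length", "0")
        self.end_headers()

    # Answer every request method the same way.
    do_HEAD = do_POST = do_GET


if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 8081), AuthHandler).serve_forever()
```

Because the request body is stripped before the subrequest is proxied, the script can only decide on headers, which is why the original URI has to arrive in X-Original-URI.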
