Hello!
First of all, let me say thanks to the creators of OpenResty; it seems a really neat product! That said, apologies in advance as I am fairly new to Nginx and OpenResty, so please bear with me.
My situation is as follows:
I am using OpenResty as a reverse proxy sitting in front of a number of services. Some of these services have their own authentication systems built into them (things like Elastic Kibana, for example). I have a centralised two-factor authentication server (PrivacyIdea) which is integrated with Active Directory. I am required to secure the reverse proxy with this two-factor authentication and have done this successfully through the use of OpenResty and the access_by_lua module. The Lua script makes a request to the 2FA server with the user's one-time password and this seems to work a treat.
My problem occurs when I am then required to log in to the service itself, and I think what I am observing is the headers clashing. My understanding is that the initial authentication with the 2FA server is making use of the 'Authorization' header, and I am sure at least one of the services sitting behind the reverse proxy also tries to use this same header. The symptom is that the basic auth pop-up keeps re-appearing, as I can't authenticate with the reverse proxy at the same time as the service (different credentials). An example error returned by Kibana is:
{"statusCode":401,"error":"Unauthorized","message":"[security_exception] unable to authenticate user [bparka] for REST request [/_xpack/security/_authenticate], with { header={ WWW-Authenticate={ 0=\"Basic realm=\\\"security\\\" charset=\\\"UTF-8\\\"\" & 1=\"Bearer realm=\\\"security\\\"\" } } }"}
Now I don't see where I could force which headers are used by access_by_lua - it seems the pop-up just fills the Authorization header by default unless I'm missing something fundamental?
My scenario is almost identical to the one described in the Stack Overflow post below:
https://stackoverflow.com/questions/10023636/http-spec-proxy-authorization-and-authorization-headers
Given that, my immediate approach was to use a different set of headers for the initial authentication so as to avoid any clashes down the line. Namely, I would like to use the Proxy-Authenticate and Proxy-Authorization headers. The "single-hop" nature of these seems very useful to me. I tried playing around with using different location directives and clearing the Authorization header at different locations, but with little luck.
Any guidance/tips/help will be much much appreciated!
I'm using OpenResty 1.13.6.2 installed on Red Hat 7.5.
The specific bit of my conf dealing with Kibana, for example, is as follows:
server {
    listen 443 ssl http2;
    server_name test;
    index index.html index.htm;

    location / {
        # Standard forwarding headers for the upstream service
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_redirect off;
        proxy_read_timeout 300s;
        proxy_pass "test-svc";
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-Proto $scheme;
        # WebSocket upgrade passthrough
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";

        # Variables read by the PrivacyIdea access-phase script
        set $privacyidea_realm 'testrealm';
        set $privacyidea_uri "authenticate-endpoint";
        set $privacyidea_http_realm "Secure zone (use PIN + OTP)";
        # 2FA check runs in the access phase, before the request is proxied
        access_by_lua_file '/usr/local/openresty/nginx/privacyidea-v2.lua';
    }

    # TLS settings (TLSv1 and TLSv1.1 are legacy protocols; TLSv1.2 is the one to keep)
    ssl on;
    ssl_session_cache builtin:1000 shared:SSL:10m;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4;
    ssl_prefer_server_ciphers on;
    ssl_certificate /etc/ssl/p.crt;
    ssl_certificate_key /etc/ssl/p.key;
}
Many thanks
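As an added illustration of the Proxy-Authorization approach the post describes (this is example code, not the poster's privacyidea-v2.lua and not part of the original thread), the following server block shows an access-phase handler that takes the PIN+OTP credential from Proxy-Authorization, validates it against PrivacyIdea through an internal subrequest location, challenges with 407/Proxy-Authenticate instead of 401/WWW-Authenticate so it never competes with the service's own Basic realm, and strips the single-hop credential before the request is proxied while leaving Authorization untouched for the backend. The internal location name `/_privacyidea_check`, the upstream name `kibana`, the PrivacyIdea host and the `/validate/check` form parameters (`user`, `pass`, `realm`) are assumptions for the example; the `$privacyidea_realm` and `$privacyidea_http_realm` variables are the ones from the posted config.

```nginx
server {
    listen 443 ssl http2;
    server_name test;

    set $privacyidea_realm 'testrealm';
    set $privacyidea_http_realm "Secure zone (use PIN + OTP)";

    # Internal subrequest target for the OTP check (assumed PrivacyIdea host/endpoint).
    # The client's own credentials must not leak to the 2FA server, so both
    # credential headers are cleared here and the form body is sent as-is.
    location = /_privacyidea_check {
        internal;
        proxy_pass https://privacyidea.example.internal/validate/check;
        proxy_set_header Content-Type "application/x-www-form-urlencoded";
        proxy_set_header Authorization "";
        proxy_set_header Proxy-Authorization "";
        proxy_read_timeout 10s;
    }

    location / {
        access_by_lua_block {
            local cjson = require "cjson.safe"

            -- 407 + Proxy-Authenticate: a separate challenge from the backend's
            -- 401 + WWW-Authenticate, so the two Basic realms do not collide.
            local function challenge(reason)
                ngx.log(ngx.WARN, "2fa: ", reason, " from ", ngx.var.remote_addr)
                ngx.status = 407
                ngx.header["Proxy-Authenticate"] =
                    'Basic realm="' .. ngx.var.privacyidea_http_realm .. '"'
                ngx.header["Content-Type"] = "text/plain"
                ngx.say("proxy authentication required")
                return ngx.exit(407)
            end

            local proxy_auth = ngx.req.get_headers()["Proxy-Authorization"]
            if not proxy_auth then
                return challenge("missing Proxy-Authorization")
            end

            -- Accept only "Basic <base64(user:PIN+OTP)>"; reject anything else.
            local b64 = proxy_auth:match("^[Bb]asic%s+(%S+)$")
            local decoded = b64 and ngx.decode_base64(b64)
            if not decoded then
                return challenge("malformed Proxy-Authorization")
            end
            local user, pass = decoded:match("^([^:]+):(.*)$")
            if not user or pass == "" then
                return challenge("empty username or password")
            end

            -- Validate with PrivacyIdea via the internal location above.
            local res = ngx.location.capture("/_privacyidea_check", {
                method = ngx.HTTP_POST,
                body = ngx.encode_args({
                    user = user, pass = pass, realm = ngx.var.privacyidea_realm,
                }),
            })
            -- Fail closed if the 2FA server is unreachable or returns an error.
            if not res or res.status ~= 200 then
                ngx.log(ngx.ERR, "2fa: backend status ", res and res.status or "none")
                return ngx.exit(ngx.HTTP_SERVICE_UNAVAILABLE)
            end
            local body = cjson.decode(res.body)
            local ok = body and body.result
                       and body.result.status == true and body.result.value == true
            if not ok then
                return challenge("OTP rejected for user " .. user)
            end

            -- Authenticated: drop the single-hop proxy credential so it is never
            -- forwarded, and leave Authorization alone for the service's own login.
            ngx.req.clear_header("Proxy-Authorization")
        }

        proxy_pass http://kibana;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    ssl_certificate /etc/ssl/p.crt;
    ssl_certificate_key /etc/ssl/p.key;
}
```

Two things to check before relying on this: confirm the `/validate/check` parameters and the shape of the JSON response (`result.status`, `result.value`) against the installed PrivacyIdea version, and test how the actual clients behave on a 407 from an origin server, since browsers generally reserve that challenge for a configured HTTP proxy, whereas API clients that set Proxy-Authorization explicitly work without any prompt. The fail-closed branch (503 on any non-200 from the 2FA server) is deliberate; an outage of the OTP backend must not turn into open access.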