Forum Discussion
How to make nginx to connect to server through proxy with auth
In the current setup, nginx serves as a reverse proxy to proxy_pass to an app listening on localhost, which in turn communicates with the webserver (let's say one.server.com) after some processing on some locations, and also proxy_pass directly to the webserver for other locations. The issue is when a proxy comes into the picture.
The app listening on localhost can be made to go through an HTTP proxy, but for nginx, changing proxy_pass to go to proxy_ip:proxy_port didn't work because there was no way to set the authentication for the proxy in the nginx conf.
Nginx Config:
http {
    server {
        listen 443 ssl;
        ssl_certificate /usr/local/etc/nginx/ssl/cert.pem;
        ssl_certificate_key /usr/local/etc/nginx/ssl/cert.key;
        proxy_set_header Host one.server.com;
        location ~* /route_1 {
            proxy_pass https://127.0.0.1:8080;
        }
        location ~* /route_2 {
            # proxy_pass requires a scheme; https is an assumption here
            proxy_pass https://one.server.com;
        }
    }
}
Just wanted to check if nginx/nginx plus supports proxy out of the box or if there are any workarounds possible for the same. Thanks
2 Replies
You will need to tell the second proxy to trust the "X-Forwarded-User" header (some proxies like the header with name X-Authenticated-User) that nginx will send, and do the authentication on nginx.
See the $remote_user variable ("proxy_set_header X-Forwarded-User $remote_user;").
See also:
Module ngx_http_auth_request_module
nginxinc/nginx-ldap-auth: Example of LDAP authentication using ngx_http_auth_request_module
Restricting Access with HTTP Basic Authentication | NGINX Documentation
Also nginx can extract the user name from client side ssl cert authentication.
server {
    listen 443 ssl;
    server_name yourdomain.com;
    ssl_certificate /etc/nginx/ssl/server.crt;
    ssl_certificate_key /etc/nginx/ssl/server.key;
    ssl_client_certificate /etc/nginx/ssl/ca.crt; # CA that issued client certificates
    ssl_verify_client on; # Enforce client authentication
    location / {
        proxy_pass http://backend:8080; # Forward requests to backend
        proxy_set_header X-SSL-Client-Cert $ssl_client_cert; # Send client certificate
        proxy_set_header X-SSL-Client-Subject $ssl_client_s_dn; # Send client subject DN
        proxy_set_header X-SSL-Client-Username $ssl_client_s_dn; # Example: Forward username
    }
}

- vineshbg
Nimbostratus
My bad, the second proxy is user-configured and could be any proxy. To rectify, my query was whether nginx can be made to use an HTTP proxy to reach the proxy pass server, and the HTTP proxy is user-configured and cannot understand custom headers we pass in the requests, like X-Forwarded-User etc.
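Added example, not part of the thread or any poster's configuration: the client-certificate config in the first reply forwards the whole subject DN as the user name. This variant extracts only the CN with a map and overwrites X-Forwarded-User, so a value supplied by the client never reaches the backend. The variable name $client_cn and the regex are assumptions; the paths and backend:8080 are copied from the reply.

```nginx
# Goes inside the http {} context.

# $ssl_client_s_dn is an RFC 2253 string, for example
# "CN=alice,OU=ops,O=Example" (constructed sample).
# Pull out only the CN. [^,]+ stops at the first comma, so a CN that
# contains an escaped comma (\,) would be truncated; tighten the CA's
# naming policy or the regex if such names are issued.
map $ssl_client_s_dn $client_cn {
    default "";                        # no CN found: header is dropped below
    "~(?:^|,)CN=(?<cn>[^,]+)" $cn;
}

server {
    listen 443 ssl;
    server_name yourdomain.com;

    ssl_certificate        /etc/nginx/ssl/server.crt;
    ssl_certificate_key    /etc/nginx/ssl/server.key;
    ssl_client_certificate /etc/nginx/ssl/ca.crt;   # CA that issued client certificates
    ssl_verify_client      on;                      # handshake must present a valid cert

    location / {
        # proxy_set_header replaces any X-Forwarded-User sent by the client.
        # When $client_cn is empty the header is not passed at all, so the
        # backend never sees an identity that nginx did not derive itself.
        proxy_set_header X-Forwarded-User     $client_cn;
        proxy_set_header X-SSL-Client-Subject $ssl_client_s_dn;

        proxy_pass http://backend:8080;
    }
}
```

The backend should accept X-Forwarded-User only on connections that come from this nginx instance, since the header itself carries no proof of origin.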