On Jan 20, 2008 11:34 PM, Eden Li <<a href="mailto:eden@mojiti.com">eden@mojiti.com</a>> wrote:<br><div class="gmail_quote"><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
if i understand correctly, you need to terminate the "local backend"<br>request at nginx before passing back data to the client.<br><br> 1. end user asks for protected content from nginx<br> 2. nginx asks for auth token from "local backend"
<br> 3. nginx proxies the rest of the connection from (1) attaching the<br>auth token from (2) to the request.<br><br>you probably need more than nginx for this. you might be able to<br>shove step (2) into an embedded perl module, but most likely you'll
<br>need to do this in an fcgi handler or somesuch.<br><div><div></div><div class="Wj3C7c"></div></div></blockquote><div><br>Eden, yes, you have it correct.<br><br>The fundamental problem here is around passing the auth token header to the remote proxy.
<br>It appears that when using X-Accel-Redirect, nginx will not pass headers generated by the backend through to the redirect target.<br><br>Igor, do I have this right?<br> </div><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
<div><div class="Wj3C7c"><br>On Jan 21, 2008 10:54 AM, Brendan Schwartz <<a href="mailto:bschwartz@tropist.com">bschwartz@tropist.com</a>> wrote:<br>><br>> On Jan 20, 2008 4:07 PM, Manlio Perillo <<a href="mailto:manlio_perillo@libero.it">
manlio_perillo@libero.it</a>> wrote:<br>> > Brendan Schwartz ha scritto:<br>> ><br>> > > On Dec 29, 2007 5:48 PM, Evan Miller <<a href="mailto:emmiller@gmail.com">emmiller@gmail.com</a>> wrote:
<br>> > >> Brendan Schwartz wrote:<br>> > >>> Is there a way to get Nginx to send nonstandard response headers (e.g.<br>> > >>> "User-Header"); it looks like they're being filtered.
<br>> > >>><br>> > >>> Thanks,<br>> > >>> Brendan<br>> > >> Check out the proxy_pass_header directive.<br>> > >><br>> > >> <a href="http://wiki.codemongers.com/NginxHttpProxyModule#proxy_pass_header" target="_blank">
http://wiki.codemongers.com/NginxHttpProxyModule#proxy_pass_header</a><br>> > >><br>> > >> Evan<br>> > >><br>> > ><br>> > > This doesn't seem to be working for me. Here's an example of what I'm
<br>> > > trying to accomplish:<br>> > ><br>> > > I have a local backend that returns a response that includes<br>> > > X-Accel-Redirect, Authorization, and Some-Other-Header headers among
<br>> > > others.<br>> > > And I have a /remote-proxy location whose job it is to proxy the<br>> > > X-Accel-Redirect to a remote server.<br>> > > See example configuration below.<br>> > >
<br>> > > I would like the proxy-pass request to the remote server to include<br>> > > the Authorization and Some-Other-Header headers that were returned in<br>> > > the local backend upstream response.
<br>> > ><br>> > > I've tried to use the proxy_pass_header directive, but haven't had<br>> > > much luck as my "custom" headers aren't being passed to the remote<br>> > > proxy server.
<br>> > ><br>> > > Am I using these directives correctly? Is what I'm trying to do impossible?<br>> > ><br>> > > Thanks,<br>> > > Brendan<br>> > ><br>> > >
<br>> > > ---------------------------------------------------------------------<br>> > > server {<br>> > ><br>> > > # standard config ...<br>> > ><br>> > > location /remote-proxy/ {
<br>> > > internal;<br>> > ><br>> > > proxy_set_header X-Real-IP $remote_addr;<br>> > ><br>> > > # needed for HTTPS<br>> > > proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
<br>> > > proxy_set_header Host <a href="http://remote.server.com" target="_blank">remote.server.com</a>;<br>> > > proxy_redirect false;<br>> > > proxy_max_temp_file_size 0;<br>
> > ><br>> > > rewrite ^/remote-proxy/(.*)$ /$1 break;<br>> > > proxy_pass <a href="https://remote.server.com" target="_blank">https://remote.server.com</a>;<br>> ><br>> > Here, instead of using a rewrite, try with
<br>> ><br>> > proxy_pass <a href="https://remote.server.com/remote-proxy/" target="_blank">https://remote.server.com/remote-proxy/</a><br>> ><br>> ><br>> > > }<br>> > >
<br>> > > location / {<br>> > ><br>> > > proxy_set_header X-Real-IP $remote_addr;<br>> > ><br>> > > # needed for HTTPS<br>> > > proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
<br>> > > proxy_set_header Host $http_host;<br>> > > proxy_redirect false;<br>> > > proxy_max_temp_file_size 0;<br>> > ><br>> > > proxy_pass_header Authorization;
<br>> > > proxy_pass_header Some-Other-Header;<br>> > ><br>> > > proxy_pass <a href="http://local_backend_upstream" target="_blank">http://local_backend_upstream</a>;<br>> > >
<br>> > > }<br>> > > }<br>> > ><br>> ><br>> ><br>> > I'm not sure to understand what you are trying to do.<br>> > But try with:<br>> ><br>> > set $authorization upstream_http_authorization;
<br>> > set $some_other upstream_http_some_other_header;<br>> ><br>> > in the / location<br>> ><br>> > and:<br>> ><br>> > proxy_set_header Authorization $authorization;
<br>> > proxy_set_header Some-Other-Header $some_other;<br>> ><br>> > in the remote-proxy location<br>> ><br>> ><br>> > However I'm rather sure that this will not work :).<br>
> ><br>> ><br>> > Manlio Perillo<br>> ><br>> ><br>><br>> Manlio,<br>><br>> Unfortunately this doesn't seem to work. "set $authorization<br>> upstream_http_authorization;" sets the $authorization variable to the
<br>> string "upstream_http_authorization". If I change the line to "set<br>> $authorization $upstream_http_authorization;", it doesn't work either.<br>> I think that's because in Location / the Authorization header isn't
<br>> set yet -- it's set by the local backend.<br>><br>> I'm trying to use nginx as a proxy for a remote server. But in order<br>> to access the content on the remote server, I need to pass an<br>> Authorization header to it. The local backend is able to produce valid
<br>> authorization tokens.<br>><br>> So here's what I want to happen: the local backend produces an<br>> Authorization header which is then passed to the remote server<br>> backend. The remote server accepts the authorized request and returns
<br>> the protect content to nginx which passes it on to the end user.<br>><br>> Does this make sense?<br>><br>> Thanks,<br>> Brendan<br>><br>><br><br></div></div></blockquote></div>