Nginx代理在基本身份验证不起作用后传递到S3

kmbjn2e3  于 2023-03-29  发布在  Nginx
关注(0)|答案(1)|浏览(144)

Nginx代理到S3 bucket

我有一个nginx代理通过Linode到S3桶。

配置正常

我的Nginx配置在基本auth被禁用时工作正常,就像这样。(现在请忽略一些配置是重复的,我这样做是因为我想在以后禁用/API和/images的auth_basic)。但是请自由回复,不要重复行。

location /api {
        proxy_http_version 1.1;
        proxy_pass https://mydomainhere.eu-central-1.linodeobjects.com/api;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
}

location /images {
        proxy_http_version 1.1;
        proxy_pass https://mydomainhere.eu-central-1.linodeobjects.com/images;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
}

location / {
        proxy_http_version 1.1;
        proxy_pass https://mydomainhere.eu-central-1.linodeobjects.com;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
}

此配置不起作用

location /api {
        auth_basic off; # ADDED THIS LINE
        proxy_http_version 1.1;
        proxy_pass https://mydomainhere.eu-central-1.linodeobjects.com/api;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_ignore_headers    Authorization; # ADDED THIS LINE
        proxy_hide_header    Authorization; # ADDED THIS LINE
}

location /images {
        auth_basic off; # ADDED THIS LINE
        proxy_http_version 1.1;
        proxy_pass https://mydomainhere.eu-central-1.linodeobjects.com/images;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_ignore_headers    Authorization; # ADDED THIS LINE
        proxy_hide_header    Authorization; # ADDED THIS LINE
}

location / {
        auth_basic           "Restricted Access"; # ADDED THIS LINE
        auth_basic_user_file {MY_PATH_HERE};  # ADDED THIS LINE
    
        proxy_http_version 1.1;
        proxy_pass https://mydomainhere.eu-central-1.linodeobjects.com;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_ignore_headers    Authorization; # ADDED THIS LINE
        proxy_hide_header    Authorization; # ADDED THIS LINE
}

基本身份验证工作正常。我在访问/时要求输入密码,而在访问api/images/not要求输入密码。当没有通过基本身份验证时,我也从api/api.json获得了有效的响应。

问题是

问题是,当我通过基本身份验证(在每个端点上,我随后访问)登录时,我得到了一个400错误。不知何故,我认为附加的基本身份验证头被发送到S3,我试图禁用它:

proxy_ignore_headers    Authorization; 
proxy_hide_header    Authorization;

如上例所示。但这没有任何效果。

调试信息

从浏览器发送到nginx的头文件是(未启用基本身份验证):

:authority: mydomainhere
:method: GET
:path: /api/api.json
:scheme: https
accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
accept-encoding: gzip, deflate, br
accept-language: nl-NL,nl;q=0.8
cache-control: max-age=0
if-modified-since: Wed, 22 Mar 2023 13:18:15 GMT
if-none-match: "2bcd098e106ce6a7b9961217c965127c"
sec-ch-ua: "Brave";v="111", "Not(A:Brand";v="8", "Chromium";v="111"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Linux"
sec-fetch-dest: document
sec-fetch-mode: navigate
sec-fetch-site: none
sec-fetch-user: ?1
sec-gpc: 1
upgrade-insecure-requests: 1
user-agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36

从浏览器发送到nginx的头部是(WITHbasic auth enabled):

:authority: mydomainhere
:method: GET
:path: /api/api.json
:scheme: https
accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
accept-encoding: gzip, deflate, br
accept-language: nl-NL,nl;q=0.8
authorization: Basic somekeyhere
cache-control: max-age=0
if-modified-since: Wed, 22 Mar 2023 13:18:15 GMT
if-none-match: "2bcd098e106ce6a7b9961217c965127c"
sec-ch-ua: "Brave";v="111", "Not(A:Brand";v="8", "Chromium";v="111"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Linux"
sec-fetch-dest: document
sec-fetch-mode: navigate
sec-fetch-site: none
sec-fetch-user: ?1
sec-gpc: 1
upgrade-insecure-requests: 1
user-agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36

添加了这一行:

授权:Basic somekeyhere

结论及问题

我想实现人们在访问我的/网站时使用基本身份验证登录。我的网站是托管在Linode上的静态网站(S3上的对象存储)。我不希望文件夹/images//api使用基本身份验证保护。我如何使用NGINX实现这一点?并记住我上面尝试过的事情。

额外信息

我的域名服务器和域名通过cloudflare,我不认为Cloudflare与它有任何关系,但可以肯定的是,我提到了这一点。我有skipped从cloudflare的保护(子)域本身,因为它是由基本的身份验证保护。

ff29svar

ff29svar1#

我通过替换来解决它:

proxy_ignore_headers    Authorization; 
proxy_hide_header    Authorization;

用于:

proxy_set_header Authorization "";

相关问题