nginx 版本:1.14.2
我正在尝试使用 nginx auth_request 来验证用户是否能够访问提供我无法影响的页面的子域。
我有一个基于 python + flask 的登录页面,如果用户登录则返回 200,如果用户未登录则返回 401。
我在 nginx 中配置了一个 proxy_pass 子域,如下所示:
server {
listen 80;
server_name sub.example.com;
return 301 https://$server_name$request_uri;
}
server {
listen 443 ssl;
server_name sub.example.com;
location / {
auth_request /myauth;
auth_request_set $auth_status $upstream_status;
proxy_pass http://localhost:8001;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
}
location = /myauth {
proxy_pass https://login.example.com/;
proxy_pass_request_body off;
proxy_set_header Content-Length "";
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
error_page 401 = @error401;
location @error401 {
return 302 https://login.example.com/login/?next=https://$http_host$request_uri ;
}
}
登录页面的 nginx 配置如下:
server {
listen 80;
server_name login.example.com;
return 301 https://$server_name$request_uri;
}
server {
listen 443 ssl http2;
server_name login.example.com;
client_max_body_size 128M;
location / {
include uwsgi_params;
uwsgi_pass unix:/srv/loginpage/loginpage.sock;
}
}
我的访问日志如下所示:
[24/Dec/2019:04:17:28 +0100] "login.example.com" "GET /login/?next=https://sub.example.com/ HTTP/2.0" 302 263
[24/Dec/2019:04:17:28 +0100] "login.example.com" "GET / HTTP/1.0" 401 10
[24/Dec/2019:04:17:28 +0100] "sub.example.com" "GET / HTTP/2.0" 302 161
[24/Dec/2019:04:17:28 +0100] "login.example.com" "GET /login/?next=https://sub.example.com/ HTTP/2.0" 302 263
[24/Dec/2019:04:17:28 +0100] "login.example.com" "GET / HTTP/1.0" 401 10
[24/Dec/2019:04:17:28 +0100] "sub.example.com" "GET / HTTP/2.0" 302 161
[24/Dec/2019:04:17:28 +0100] "login.example.com" "GET /login/?next=https://sub.example.com/ HTTP/2.0" 302 263
[24/Dec/2019:04:17:28 +0100] "login.example.com" "GET / HTTP/1.0" 401 10
[24/Dec/2019:04:17:28 +0100] "sub.example.com" "GET / HTTP/2.0" 302 161
调试日志可以在这里找到:https://gist.github.com/laundmo/c23345061940bbef59703d43e93a9ba0
登录系统可以正常工作,我可以登录并在 上获得 200 响应https://login.example.com/
,如果我退出,我会被重定向到登录页面,即使sub.example.com
在退出状态下访问也是如此。重定向回来似乎也可以正常工作。只是出于某种原因,一旦我被重定向回,sub.example.com
我就会重定向到login.example.com
,然后又将我重定向到sub.example.com
等等...
编辑:如果这属于另一个 stackexchange 页面,请告诉我,我会删除它并将其移到那里
答案1
最终一切都变得如此简单
我尝试使用的 Flask 应用作为身份验证器,但并未跨子域存储会话
如果其他人尝试这样做,请确保包含
app.config["SESSION_COOKIE_DOMAIN"] = ".example.com"
以便 flask 知道跨子域存储会话