尝试使用 auth_request 时,NGINX 陷入无限重定向循环

tag-icon tag-icon nginx reverse-proxy authentication proxypass
尝试使用 auth_request 时,NGINX 陷入无限重定向循环

nginx 版本:1.14.2

我正在尝试使用 nginx auth_request 来验证用户是否能够访问提供我无法影响的页面的子域。

我有一个基于 python + flask 的登录页面,如果用户登录则返回 200,如果用户未登录则返回 401。

我在 nginx 中配置了一个 proxy_pass 子域,如下所示:

server {
    listen 80;
    server_name sub.example.com;
    return 301 https://$server_name$request_uri;
}

server {
    listen 443 ssl;
    server_name sub.example.com;

    location / {
        auth_request /myauth;
        auth_request_set $auth_status $upstream_status;

        proxy_pass http://localhost:8001;

        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }

    location = /myauth {
        proxy_pass https://login.example.com/;
        proxy_pass_request_body off; 

        proxy_set_header Content-Length "";
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    error_page 401 = @error401;
    location @error401 {
        return 302 https://login.example.com/login/?next=https://$http_host$request_uri ;
    }
}

登录页面的 nginx 配置如下:

server {
    listen                    80;
    server_name               login.example.com;
    return                    301 https://$server_name$request_uri;
}

server {
    listen                    443 ssl http2;
    server_name               login.example.com;
    client_max_body_size      128M;

    location / {
        include                  uwsgi_params;
        uwsgi_pass               unix:/srv/loginpage/loginpage.sock;
    }
}

我的访问日志如下所示:

[24/Dec/2019:04:17:28 +0100] "login.example.com" "GET /login/?next=https://sub.example.com/ HTTP/2.0" 302 263
[24/Dec/2019:04:17:28 +0100] "login.example.com" "GET / HTTP/1.0" 401 10
[24/Dec/2019:04:17:28 +0100] "sub.example.com" "GET / HTTP/2.0" 302 161
[24/Dec/2019:04:17:28 +0100] "login.example.com" "GET /login/?next=https://sub.example.com/ HTTP/2.0" 302 263
[24/Dec/2019:04:17:28 +0100] "login.example.com" "GET / HTTP/1.0" 401 10
[24/Dec/2019:04:17:28 +0100] "sub.example.com" "GET / HTTP/2.0" 302 161
[24/Dec/2019:04:17:28 +0100] "login.example.com" "GET /login/?next=https://sub.example.com/ HTTP/2.0" 302 263
[24/Dec/2019:04:17:28 +0100] "login.example.com" "GET / HTTP/1.0" 401 10
[24/Dec/2019:04:17:28 +0100] "sub.example.com" "GET / HTTP/2.0" 302 161

调试日志可以在这里找到:https://gist.github.com/laundmo/c23345061940bbef59703d43e93a9ba0

登录系统可以正常工作,我可以登录并在 上获得 200 响应https://login.example.com/,如果我退出,我会被重定向到登录页面,即使sub.example.com在退出状态下访问也是如此。重定向回来似乎也可以正常工作。只是出于某种原因,一旦我被重定向回,sub.example.com我就会重定向到login.example.com,然后又将我重定向到sub.example.com等等...

编辑:如果这属于另一个 stackexchange 页面,请告诉我,我会删除它并将其移到那里

答案1

最终一切都变得如此简单

我尝试使用的 Flask 应用作为身份验证器,但并未跨子域存储会话

如果其他人尝试这样做,请确保包含 app.config["SESSION_COOKIE_DOMAIN"] = ".example.com" 以便 flask 知道跨子域存储会话

相关内容