I am following the instructions at https://developers.shopware.com/blog/2015/03/02/sso-with-nginx-authrequest-module/ to protect some proxied web apps using Nginx's auth_request module.
I have the following lines in my server section. For every request that comes in, nginx will issue an authorization request to the auth server (auth.example.com).
auth_request /auth.php;
location = /auth.php {
internal;
proxy_pass https://auth.mydomain.com;
}
The authorization server is my own. I've written a PHP script that simply checks for the existence of the PHPSESSID cookie and checks for the $_SESSION['username'] value that was set when the user originally authenticated.
However, because the reverse proxy is an internal one, the user's PHPSESSID cookie isn't being passed along to the authorization server.
How can I copy the PHPSESSID cookie from the original request to the internal authorization request?
Troubleshooting attempts
This is my auth.php script. It uses two different 4xx status codes for debugging purposes.
<?php
if (! isset($_COOKIE['PHPSESSID'])) {
http_response_code(403); # No cookie
exit;
}
session_start();
# Check to see if the session username is set
if (! isset($_SESSION['username'])) {
http_response_code(401); # Unauthorized
exit;
}
else {
echo "OK " . $_SESSION['username'];
}
?>
I am pretty sure the cookie isn't being passed along because when I go to the authorization URL in my browser (https://auth.mydomain.com/auth.php), I get a 200 status code. My script returns 403 if the cookie isn't present. According to the Nginx logs, that's what it's getting back.
I have also tried the following location configuration, with no success. This one doesn't use an internal request, but is a regular proxy_pass.
location = /auth.php {
proxy_pass_request_body off;
proxy_set_header Content-Length "";
proxy_pass https://auth.mydomain.com;
}
0 Answers