Nginx authenticate iframe

Question


I am running a Django app on a server and I am running Grafana on a different server with nginx as a reverse proxy (Grafana and nginx are on the same server).

I can manage to redirect an incoming URL and authenticate it via my backend, but I still get redirected to the Grafana login screen, even when my Django app sends a 200 response.

My setup:

  1. I have a Grafana server running under HTTPS with an nginx proxy. The nginx setup:
server {
    server_name  grafana.myserver.com;
     
    location / {
        proxy_set_header Host $host;
        proxy_pass           http://localhost:3000/;
        proxy_set_header X-Real-IP $remote_addr;
    }

    location ~ ^/iframe(.*)$ {
        auth_request /iframe-auth;
        set $iframe_url http://localhost:3000$1$is_args$args;
        proxy_pass $iframe_url;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Authorization $http_authorization;
    }

    location = /iframe-auth {
        internal;
        proxy_pass https://blub.de/auth/check/;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_pass_request_body off;
        proxy_set_header Content-Length "";
        proxy_set_header X-Original-URI $request_uri;
    }

}

In the above I am using the nginx auth module to redirect the incoming URL from the iframe to my Django backend server. Here I do the authentication, which works fine. I tested this by printing out the URL and I am authenticating the user and I am returning a 200 response if authenticated.

Ok cool. I expected now that my iframe would show on my website. But no, it does not. Instead I get a redirect to the Grafana login screen.

Can nginx even do what I want?

My grafana.ini config is standard, I did not change much, but I set the auth.proxy to enabled:

#################################### Auth Proxy ##########################
[auth.proxy]
enabled = true
;header_name = X-WEBAUTH-USER
;header_property = username
auto_sign_up = true
;sync_ttl = 60
;whitelist = XXX, XXX
;headers = Email:X-User-Email, Name:X-User-Name
# Non-ASCII strings in header values are encoded using quoted-printable encoding
;headers_encoded = false
# Read the auth proxy docs for details on what the setting below enables
;enable_login_token = false

Any help is appreciated. Thanks in advance

Answer 1

Score: 1


I read in the "Grafana documentation / Set up / Configure security / Configure authentication / Auth proxy":

# HTTP Header name that will contain the username or email
header_name = X-WEBAUTH-USER

In other words, for Grafana's auth proxy feature to work, it expects to see a specific header with the username in it. That header is defined by the header_name in the grafana.ini file.

But in your case, that header_name is commented out in your grafana.ini file. Also, there is no setting for header_name in your Nginx configuration. So, it is likely Grafana does not know where to look for the username... which makes it redirect to the login screen.

Try and add header_name back to the grafana.ini and set it to something like X-WEBAUTH-USER or any header name of your choice. See "Single sign-on authentication on Django and Grafana" as an illustration.

Then, in your Nginx configuration (in the /iframe location block), you need to set this header with proxy_set_header and pass it along to Grafana. Your Django app should return this header after a successful authentication, and Nginx should pick it up and pass it along.

server {
    server_name  grafana.myserver.com;
     
    location / {
        proxy_set_header Host $host;
        proxy_pass           http://localhost:3000/;
        proxy_set_header X-Real-IP $remote_addr;
    }

    location ~ ^/iframe(.*)$ {
        auth_request /iframe-auth;
        set $iframe_url http://localhost:3000$1$is_args$args;
        proxy_pass $iframe_url;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Authorization $http_authorization;
        proxy_set_header X-WEBAUTH-USER $http_x_webauth_user;
    }

    location = /iframe-auth {
        internal;
        proxy_pass https://blub.de/auth/check/;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_pass_request_body off;
        proxy_set_header Content-Length "";
        proxy_set_header X-Original-URI $request_uri;
    }

}

You should replace X-WEBAUTH-USER and $http_x_webauth_user with the actual header name and value from the authenticated request if they are different.

The proxy_set_header X-WEBAUTH-USER $http_x_webauth_user; line tells Nginx to take the X-WEBAUTH-USER header from the incoming request and pass it along to Grafana.

Make sure that your Django app returns this header with the username after a successful authentication.
See for instance the Django view also mentioned in "Single sign-on authentication on Django and Grafana" (already mentioned above).
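
A hardened variant of the configuration above, added here as an example and not part of the original answer: nginx exposes headers returned by the auth_request subrequest as $upstream_http_* (captured with auth_request_set), while $http_* reads what the client sent. It assumes the Django check endpoint returns the username in an X-WEBAUTH-USER response header; $auth_user and the 127.0.0.1 upstream address are choices made for this example.

```nginx
server {
    server_name grafana.myserver.com;

    location / {
        proxy_pass http://localhost:3000/;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        # With [auth.proxy] enabled Grafana trusts this header, so never
        # forward a client-supplied copy on the unauthenticated path.
        proxy_set_header X-WEBAUTH-USER "";
    }

    location ~ ^/iframe(.*)$ {
        auth_request /iframe-auth;
        # Username comes from the auth subrequest's response header.
        # $auth_user is a variable name chosen for this example.
        auth_request_set $auth_user $upstream_http_x_webauth_user;

        # IP literal: no runtime name resolution is needed when
        # proxy_pass contains variables.
        set $iframe_url http://127.0.0.1:3000$1$is_args$args;
        proxy_pass $iframe_url;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        # Replaces any X-WEBAUTH-USER value the browser sent.
        proxy_set_header X-WEBAUTH-USER $auth_user;
    }

    location = /iframe-auth {
        internal;
        proxy_pass https://blub.de/auth/check/;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_pass_request_body off;
        proxy_set_header Content-Length "";
        proxy_set_header X-Original-URI $request_uri;
    }
}
```

In grafana.ini, uncomment header_name and set the whitelist key shown in the question to the proxy's address so Grafana accepts the header only from nginx. If Django omits the header, $auth_user is empty, nginx sends no X-WEBAUTH-USER, and Grafana falls back to its login page.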

Posted on July 12, 2023 at 22:25:26
Article link: https://go.coder-hub.com/76671637.html