apachenginxheaderopenid-connectproxypass

headers from apache to nginx after authentication


I have Nginx server that sends request to Apache server for protected content, Apache inturn forwards to Azure ADFS, for Azure ADFS authentication with Apache mod_auth_openidc is used.

While Below works fine :

Apache:443/ourapp -> Apache:6000 -> Azure ADFS -> Apache:6000 -> Apache:443/ourapp

But as soon as nginx is introduced in the setup as below, Error in browser pops-up "Non empty header(se_custid/ein) not found in the request to proceed"

Nginx:443/ourapp -> Apache:6000-> Azure ADFS -> Apache:6000 -> Nginx:443/ourapp

Apache config:


<Location /ourapp>
   AuthType openid-connect
   Require valid-user
</Location>

LoadModule auth_openidc_module modules/mod_auth_openidc.so
OIDCProviderMetadataURL https://login.microsoftonline.com/XXXX_XXX-xxx-XXXXXX/v2.0/.well-known/openid-configuration
OIDCClientID XXXXXXXXXXXXXXX
OIDCClientSecret XXXXXXXXXX
OIDCRedirectURI https://forever-authcheck.tire1network.com:6000/ourapp 
OIDCCryptoPassphrase XXXXXXXXXXXX
OIDCScope "openid email profile"
#OIDCRemoteUserClaim email
OIDCProviderAuthorizationEndpoint https://login.microsoftonline.com/XXXX_XXX-xxx-XXXXXX/oauth2/v2.0/authorize
OIDCProviderTokenEndpoint https://login.microsoftonline.com/XXXX_XXX-xxx-XXXXXX/oauth2/v2.0/token
#OIDCPKCEMethod S256

OIDCPassIDTokenAs claims
OIDCCookiePath /
OIDCCookieDomain forever-authcheck.tire1network.com
OIDCCookie APP-OIDC-SESSION
OIDCCookieHTTPOnly On
OIDCSessionInactivityTimeout 600
OIDCSessionMaxDuration 36006

<VirtualHost *:6000>

    ProxyPreserveHost On
    ErrorLog  /var/log/httpd/voidcerror.log
    LogLevel debug
    ServerName forever-authcheck.tire1network.com

    Header always set Access-Control-Allow-Origin "*"
    Header always set Access-Control-Allow-Methods "POST, GET, OPTIONS, DELETE, PUT"
    Header always set Access-Control-Max-Age "1000"
    Header always set Access-Control-Allow-Headers "x-requested-with, Content-Type, origin, authorization, accept, client-security-token"
    
    ProxyPreserveHost On
    Header set ein %{OIDC_CLAIM_EIN}e
    ProxyPass /ourapp/ forever-authcheck.tire1network.com/in/
    ProxyPassReverse /ourapp/ forever-authcheck.tire1network.com/in/
    ProxyPreserveHost On
    ServerName  forever-authcheck.tire1network.com
    
    SSLEngine on
    SSLCertificateFile "/etc/pki/outcert/Certificate.pem"
    SSLCertificateKeyFile "/etc/pki/outcert/CertificateKey.pem"
    SSLCertificateChainFile "/etc/pki/outcert/CertificateChain.p12"
</VirtualHost>

Nginx config :


nginx:80


location /ourapp/ {
  proxy_ssl_server_name on;
  proxy_pass https://forever-authcheck.tire1network.com:6000;
  proxy_set_header se-journey "direct";
  proxy_set_header  Host $host;
  proxy_set_header  X-Real-IP $remote_addr;
  proxy_set_header  X-Forwarded-For $remote_addr;
  proxy_set_header  X-Forwarded-Host $remote_addr;
  proxy_redirect default;
  

  proxy_ssl_certificate     /etc/pki/outcert/Certificate.pem;
  proxy_ssl_certificate_key /etc/pki/outcert/CertificateKey.pem;
  proxy_ssl_verify       off;
}






Question : how to forward correct headers from apache to nginx

Interesting headers apache using which i think needs to be forwards to nginx are "{OIDC_CLAIM_EIN}"


Solution

  • alright did bit of tshoot around the understanding, deployed another temp setup to understand dig more logs.

    Here is the current understanding User Request -> Nginx:443/ourapp -> Apache:6000-> Azure ADFS -> Azure Returns URL to browser -> Browser Requests the returned URL

    By looking at the logs closely, it was clear what's happening, More over this one helped it to understand it more

    After tweaking ngnix to send right headers with port and right Host,

    proxy_set_header X-Forwarded-Port "443";

    proxy_set_header X-Forwarded-Host "forever-authcheck.tire1network.com";

    which resulted in right cookie settings for original_url, by apache and mod_auth_openidc.

    Now the redirection works correctly, Claims are reaching to NGINX and to our App.