I have an Nginx server that sends requests to an Apache server for protected content; Apache in turn forwards to Azure ADFS. For the Azure ADFS authentication with Apache, mod_auth_openidc is used.
While the below works fine:
Apache:443/ourapp -> Apache:6000 -> Azure ADFS -> Apache:6000 -> Apache:443/ourapp
But as soon as nginx is introduced in the setup as below, an error pops up in the browser: "Non empty header(se_custid/ein) not found in the request to proceed"
Nginx:443/ourapp -> Apache:6000 -> Azure ADFS -> Apache:6000 -> Nginx:443/ourapp
Apache config:
```apache
<Location /ourapp>
    AuthType openid-connect
    Require valid-user
</Location>

LoadModule auth_openidc_module modules/mod_auth_openidc.so
OIDCProviderMetadataURL https://login.microsoftonline.com/XXXX_XXX-xxx-XXXXXX/v2.0/.well-known/openid-configuration
OIDCClientID XXXXXXXXXXXXXXX
OIDCClientSecret XXXXXXXXXX
OIDCRedirectURI https://forever-authcheck.tire1network.com:6000/ourapp
OIDCCryptoPassphrase XXXXXXXXXXXX
OIDCScope "openid email profile"
#OIDCRemoteUserClaim email
OIDCProviderAuthorizationEndpoint https://login.microsoftonline.com/XXXX_XXX-xxx-XXXXXX/oauth2/v2.0/authorize
OIDCProviderTokenEndpoint https://login.microsoftonline.com/XXXX_XXX-xxx-XXXXXX/oauth2/v2.0/token
#OIDCPKCEMethod S256
OIDCPassIDTokenAs claims
OIDCCookiePath /
OIDCCookieDomain forever-authcheck.tire1network.com
OIDCCookie APP-OIDC-SESSION
OIDCCookieHTTPOnly On
OIDCSessionInactivityTimeout 600
OIDCSessionMaxDuration 36006

<VirtualHost *:6000>
    ServerName forever-authcheck.tire1network.com
    ErrorLog /var/log/httpd/voidcerror.log
    LogLevel debug

    Header always set Access-Control-Allow-Origin "*"
    Header always set Access-Control-Allow-Methods "POST, GET, OPTIONS, DELETE, PUT"
    Header always set Access-Control-Max-Age "1000"
    Header always set Access-Control-Allow-Headers "x-requested-with, Content-Type, origin, authorization, accept, client-security-token"

    # "Header" acts on the response; "RequestHeader" is what passes a claim on to the proxied backend
    Header set ein %{OIDC_CLAIM_EIN}e

    ProxyPreserveHost On
    # ProxyPass targets must be absolute URLs; the scheme was missing in the posted config (https:// assumed)
    ProxyPass /ourapp/ https://forever-authcheck.tire1network.com/in/
    ProxyPassReverse /ourapp/ https://forever-authcheck.tire1network.com/in/

    SSLEngine on
    SSLCertificateFile "/etc/pki/outcert/Certificate.pem"
    SSLCertificateKeyFile "/etc/pki/outcert/CertificateKey.pem"
    # SSLCertificateChainFile expects PEM-encoded certificates, not a .p12 bundle
    SSLCertificateChainFile "/etc/pki/outcert/CertificateChain.p12"
</VirtualHost>
```
Nginx config:
nginx:80
```nginx
location /ourapp/ {
    proxy_ssl_server_name on;
    proxy_pass https://forever-authcheck.tire1network.com:6000;
    proxy_set_header se-journey "direct";
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $remote_addr;
    # sends the client IP as the forwarded host, so the backend builds its URLs from the client address
    proxy_set_header X-Forwarded-Host $remote_addr;
    proxy_redirect default;
    proxy_ssl_certificate /etc/pki/outcert/Certificate.pem;
    proxy_ssl_certificate_key /etc/pki/outcert/CertificateKey.pem;
    # the upstream certificate is not verified on this hop
    proxy_ssl_verify off;
}
```
Question: how to forward the correct headers from Apache to Nginx?
Interesting headers Apache uses which I think need to be forwarded to Nginx are "{OIDC_CLAIM_EIN}".
Alright, did a bit of troubleshooting around the understanding, deployed another temp setup to dig more into the logs.
Here is the current understanding: User Request -> Nginx:443/ourapp -> Apache:6000 -> Azure ADFS -> Azure returns URL to browser -> Browser requests the returned URL
By looking at the logs closely, it was clear what's happening. Moreover, this one helped to understand it more.
After tweaking nginx to send the right headers with the port and the right Host,
```nginx
proxy_set_header X-Forwarded-Port "443";
proxy_set_header X-Forwarded-Host "forever-authcheck.tire1network.com";
```
which resulted in the right cookie settings for original_url by Apache and mod_auth_openidc.
Now the redirection works correctly, and claims are reaching NGINX and our app.
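To make the fix above concrete, here is an added example (not code from the question, the answer or mod_auth_openidc) that models how a proxy-aware backend rebuilds the browser-facing URL from X-Forwarded-* headers, run against constructed headers matching the original nginx config (X-Forwarded-Host = client IP), the corrected one, and a client-supplied value that should be rejected; the host names, the client IP and the allow-list check are assumptions of the example.

```python
DEFAULT_PORTS = {"http": "80", "https": "443"}


def _first_values(headers):
    """Lower-case header names and keep only the first value of any comma-separated list."""
    return {k.lower(): v.split(",")[0].strip() for k, v in headers.items()}


def external_url(headers, path, backend_port):
    """Rebuild the URL the browser used from what the backend sees behind a reverse proxy.
    Simplified model (not mod_auth_openidc's own code): X-Forwarded-Proto/Host/Port take
    precedence over the Host header and the backend's own listening port."""
    h = _first_values(headers)
    scheme = h.get("x-forwarded-proto", "https")
    host = h.get("x-forwarded-host") or h.get("host", "")
    port = h.get("x-forwarded-port")
    if ":" in host:                       # an explicit port inside the host value
        host, host_port = host.rsplit(":", 1)
        port = port or host_port
    port = port or str(backend_port)      # no forwarded port: the backend's own port
    netloc = host if port == DEFAULT_PORTS.get(scheme) else f"{host}:{port}"
    return f"{scheme}://{netloc}{path}"


def forwarded_host_is_trusted(headers, trusted_hosts):
    """Honour X-Forwarded-Host only when it names a host this deployment serves; otherwise
    a client-controlled value could steer cookie and redirect URLs to another host."""
    host = _first_values(headers).get("x-forwarded-host", "").rsplit(":", 1)[0]
    return host in trusted_hosts


TRUSTED = {"forever-authcheck.tire1network.com"}          # assumed allow-list
# Constructed: what the question's nginx config forwarded (X-Forwarded-Host = $remote_addr).
BEFORE = {"Host": "forever-authcheck.tire1network.com",
          "X-Forwarded-Host": "203.0.113.10", "X-Forwarded-For": "203.0.113.10"}
# Constructed: the same request after adding the two directives from the answer.
AFTER = {"Host": "forever-authcheck.tire1network.com",
         "X-Forwarded-Host": "forever-authcheck.tire1network.com",
         "X-Forwarded-Port": "443", "X-Forwarded-For": "203.0.113.10"}
# Constructed: a forwarded host the proxy did not overwrite and the backend must not trust.
UNTRUSTED = {"Host": "forever-authcheck.tire1network.com",
             "X-Forwarded-Host": "untrusted.example", "X-Forwarded-Port": "443"}


def demo():
    """URL the backend would compute for each case, plus whether the forwarded host is trusted."""
    return {name: (external_url(h, "/ourapp", 6000), forwarded_host_is_trusted(h, TRUSTED))
            for name, h in (("before", BEFORE), ("after", AFTER), ("untrusted", UNTRUSTED))}


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:10} {result}")
```

The "before" case yields a URL on the client address and port 6000, which is why the session cookie and original_url never lined up with the Nginx:443 origin the browser was using.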