
My task is to configure Kerberos authentication on nginx. The backend is Django. The idea is that when a request is made to /api, nginx should perform Kerberos authentication. But in case the user is not in the domain, a redirect to the /auth authorization page must occur, so that the user can authenticate with an account that is registered in Django CMS.

Authentication of domain users is successful. But there is a problem with non-domain users. When you open a site page that makes an API call, a basic authentication window appears. I use the auth_gss_allow_basic_fallback off directive, but this does not help.

How can I disable this and configure redirection to /auth?

My configuration file (I do not specify settings such as gzip, headers, etc.):

server {
    listen       80;
    server_name  srv-01.example.com;

    proxy_set_header remote-user $remote_user;

    location / {
        root      /opt/site/;
        try_files $uri $uri/ /index.html;
    }

    location /adminpanel {
        proxy_pass http://192.168.1.4:4567;
    }

    location /api {
        proxy_pass http://192.168.1.4:4567;

        auth_gss on;
        auth_gss_realm EXAMPLE.COM;
        auth_gss_keytab /etc/krb5.keytab;
        auth_gss_service_name HTTP/srv-01.example.com;
        auth_gss_allow_basic_fallback off;
    }
}

Thanks for the help!

1 Answer

I may be wrong, but I think API calls you make via AJAX will not have the authentication credentials attached. The browser will attach them for URL navigation only.

I have a very similar setup and it's working for me:

The default / handler points to the login dialog, but /auto-login is under auth_gss.

Note that nginx returns 401 if the user is not authenticated in the domain, so by redirecting 401 for this endpoint we can make the non-AD users get the login dialog.

The /auto-login handler just creates the django session cookie and redirects to / so the AD users are logged in directly:

location /auto-login {
  uwsgi_pass django;
  include /usr/lib/myapp/wsgi/uwsgi_params;
  auth_gss on;
  auth_gss_realm EXAMPLE.COM;
  auth_gss_service_name HTTP/example.com;
  auth_gss_allow_basic_fallback off;

  error_page 401 /;
}

If you use a heartbeat endpoint, you can add the same settings to it so that, if the creds are revoked by the admin, the user gets kicked out ASAP.

location /heart-beat {
  uwsgi_pass django;
  include /usr/lib/myapp/wsgi/uwsgi_params;
  auth_gss on;
  auth_gss_realm EXAMPLE.COM;
  auth_gss_service_name HTTP/example.com;
  auth_gss_allow_basic_fallback off;
}
rep_movsd
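A fuller version of the pattern in the answer, written for the layout in the question (static site at /, Django at 192.168.1.4:4567 behind /adminpanel and /api), as an added example that is not part of either post. It assumes nginx built with the spnego-http-auth module, the realm, keytab and service principal from the question, and two choices made here rather than taken from the page: the header passed to Django is named X-Remote-User, and the 401 is converted into a 302 to / instead of being served as an internal redirect. One point neither post spells out: nginx fills $remote_user from any "Authorization: Basic ..." header a client sends, whether or not an auth module is active in that location, so a proxy_set_header at server level (as in the question) lets an unauthenticated caller of /adminpanel choose the remote-user value the backend receives. The example therefore clears the header at server level and sets it only inside the Kerberos-protected location.

```nginx
# Added example, not the asker's or answerer's configuration.
# Assumes: spnego-http-auth-nginx-module compiled in; Django on 192.168.1.4:4567;
# header name X-Remote-User and the 302-to-/ behaviour are choices made here.

server {
    listen       80;
    server_name  srv-01.example.com;

    # Never let the client pick the identity the backend sees. $remote_user is
    # parsed out of a client-supplied "Authorization: Basic ..." header even in
    # locations with no auth module, so clear it everywhere by default.
    proxy_set_header X-Remote-User "";

    # Static single-page app; its index also carries the local login form.
    location / {
        root      /opt/site/;
        try_files $uri $uri/ /index.html;
    }

    # Kerberos (SPNEGO) is enforced only here. A domain user gets a ticket-based
    # request forwarded to Django, which creates the session cookie and redirects
    # to / (as described in the answer). Anyone else gets 401 from the module.
    location = /auto-login {
        auth_gss                      on;
        auth_gss_realm                EXAMPLE.COM;
        auth_gss_keytab               /etc/krb5.keytab;
        auth_gss_service_name         HTTP/srv-01.example.com;
        auth_gss_allow_basic_fallback off;   # Negotiate only, never Basic

        # "error_page 401 /;" (the answer's form) serves / but keeps status 401.
        # "=302" turns it into a real redirect, so the browser navigates to the
        # login page instead of treating the response as a failed challenge.
        error_page 401 =302 /;

        proxy_pass       http://192.168.1.4:4567;
        # Only here has nginx itself verified the principal behind $remote_user.
        # Note: a proxy_set_header at this level stops inheritance of the
        # server-level proxy_set_header directives; repeat any others you rely on.
        proxy_set_header X-Remote-User $remote_user;
    }

    # Protected by the Django session cookie, not by nginx. X-Remote-User stays
    # empty here because the server-level directive is inherited unchanged.
    location /api {
        proxy_pass http://192.168.1.4:4567;
    }

    location /adminpanel {
        proxy_pass http://192.168.1.4:4567;
    }
}
```

On the Django side, RemoteUserMiddleware reads the WSGI REMOTE_USER key by default; to consume a proxied header you subclass it and set header = 'HTTP_X_REMOTE_USER'. Because the header is present only on /auto-login, use PersistentRemoteUserMiddleware (or a subclass of it) so the session created there survives later requests that carry no header, and keep the middleware's trust limited to headers nginx sets itself, which is what the server-level clearing above guarantees.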