Strange issue with forwarding auth headers from apache to nginx - Non empty header(se_custid/ein) not found in the request to proceed

Question

On the setup describe below, Looks like apache is not able to forward required headers to nginx or nginx while forwarding initial request is not forwarding full URL but just relative path.

The idea here is to ensure request to application hosted on nginx are authenticated by Azure ADFS. for this to work apache is playing role of proxy for any auth requests. Apache is using mod_auth_openidc, and forwards unauthenticated request to Azure ADFS See below:

Nginx -> Apache:6000-> Azure ADFS -> Apache:6000 -> Nginx

While user gets authenticated correctly by the Azure ADFS , gets redirected back to Nginx:80 but the browser (due to app) displays strange error "Non empty header(se_custid/ein) not found in the request to proceed"

Two more error in apache log is :

[auth_openidc:error] [pid 26485] [client SERVERIP:35888] oidc_clean_expired_state_cookies: state has expired

No specific errors logged in nginx.

So the question here is how to forward correct headers from apache to nginx so the after authentication user is able to use the app correctly or is the below config enough or more settings are required?

apache config part

<Location /ourapp>
   AuthType openid-connect
   Require valid-user
</Location>

LoadModule auth_openidc_module modules/mod_auth_openidc.so
OIDCProviderMetadataURL https://login.microsoftonline.com/XXXX_XXX-xxx-XXXXXX/v2.0/.well-known/openid-configuration
OIDCClientID XXXXXXXXXXXXXXX
OIDCClientSecret XXXXXXXXXX
OIDCRedirectURI https://forever-authcheck.tire1network.com:6000/ourapp 
OIDCCryptoPassphrase XXXXXXXXXXXX
OIDCScope "openid email profile"
#OIDCRemoteUserClaim email
OIDCProviderAuthorizationEndpoint https://login.microsoftonline.com/XXXX_XXX-xxx-XXXXXX/oauth2/v2.0/authorize
OIDCProviderTokenEndpoint https://login.microsoftonline.com/XXXX_XXX-xxx-XXXXXX/oauth2/v2.0/token
#OIDCPKCEMethod S256

OIDCPassIDTokenAs claims
OIDCCookiePath /
OIDCCookieDomain forever-authcheck.tire1network.com
OIDCCookie APP-OIDC-SESSION
OIDCCookieHTTPOnly On
OIDCSessionInactivityTimeout 600
OIDCSessionMaxDuration 36006

<VirtualHost *:6000>

    ProxyPreserveHost On
    ErrorLog  /var/log/httpd/voidcerror.log
    LogLevel debug
    ServerName forever-authcheck.tire1network.com

    Header always set Access-Control-Allow-Origin "*"
    Header always set Access-Control-Allow-Methods "POST, GET, OPTIONS, DELETE, PUT"
    Header always set Access-Control-Max-Age "1000"
    Header always set Access-Control-Allow-Headers "x-requested-with, Content-Type, origin, authorization, accept, client-security-token"
    
    ProxyPreserveHost On
    Header set ein %{OIDC_CLAIM_EIN}e
    ProxyPass /ourapp/ forever-authcheck.tire1network.com/in/
    ProxyPassReverse /ourapp/ forever-authcheck.tire1network.com/in/
    ProxyPreserveHost On
    ServerName  forever-authcheck.tire1network.com
    
    SSLEngine on
    SSLCertificateFile "/etc/pki/outcert/Certificate.pem"
    SSLCertificateKeyFile "/etc/pki/outcert/CertificateKey.pem"
    SSLCertificateChainFile "/etc/pki/outcert/CertificateChain.p12"
</VirtualHost>

nginx config parts

nginx:80


location /ourapp/ {
  proxy_ssl_server_name on;
  proxy_pass https://forever-authcheck.tire1network.com:6000;
  proxy_set_header se-journey "direct";
  proxy_set_header  Host $host;
  proxy_set_header  X-Real-IP $remote_addr;
  proxy_set_header  X-Forwarded-For $remote_addr;
  proxy_set_header  X-Forwarded-Host $remote_addr;
  proxy_redirect default;
  

  proxy_ssl_certificate     /etc/pki/outcert/Certificate.pem;
  proxy_ssl_certificate_key /etc/pki/outcert/CertificateKey.pem;
  proxy_ssl_verify       off;
}

Answer 1

alright did bit of tshoot around the understanding, deployed another temp setup to understand dig more logs.

Here is the current understanding User Request -> Nginx:443/ourapp -> Apache:6000-> Azure ADFS -> Azure Returns URL to browser -> Browser Requests the returned URL

By looking at the logs closely, it was clear what's happening, More over this one helped it to understand it more

After tweaking ngnix to send right headers with port and right Host,

proxy_set_header X-Forwarded-Port "443";

proxy_set_header X-Forwarded-Host "forever-authcheck.tire1network.com";

which resulted in right cookie settings for original_url, by apache and mod_auth_openidc.

Now the redirection works correctly, Claims are reaching to NGINX and to our App.