2

Edit: If you have an idea on how to improve the question or which details are missing from it, please do leave a comment.

Expected Outcome:

I am trying to deploy nginx as a reverse proxy to let me expose files served by an Apache, without giving out the basic auth credentials that the Apache requires. My plan is to provide the basic auth credentials "statically" in the headers sent from the proxy to the Apache, so that the user can access the files without having (or seeing/knowing) the credentials.

Setup:

The Apache requires basic auth via https. The reverse proxy to be deployed is itself proxied by an nginx that handles incoming traffic to the (docker)host. The (docker)host ingress nginx only listens on 443, traffic on/within the (docker)host is http.

So the setup is:

https >> [dockerhost ingress nginx] >> http >> [nginx reverse proxy] >> https >> [apache file server (basic auth)]

I am using the latest nginx docker image, unmodified (just adding the conf). For the dockerhost ingress proxy I am using https://github.com/jwilder/nginx-proxy. The Apache is serving files from a Hetzner storage box. I can't see or change its configuration, Hetzner says they can't help me as they're not officially supporting this kind of setup. Their last reply was:

Our Apache doesn't need any specific headers. All which is necessary, is a request via the correct hostname (because of SNI) and the correct credentials via SSL/HTTPS at port 443.

Problem:

Directly, without the nginx proxy, I can access the files on the Apache after passing the basic auth prompt in the browser or via curl.

When I try to access the files via the proxy and try to pass the credentials "statically" as a header in the nginx configuration, I only get back 404s (from the Apache).

But I can (and this trips me up) access the files via the proxy when proxying without "static" basic auth and just providing my credentials at the prompt.

So it seems like it is passing the basic auth but can't access any files, which leaves me bamboozled.

What I tried:

My initial approach was to just roll with using the location block provided by @Shai here: How to use nginx to proxy to a host requiring authentication?

location / {
  proxy_set_header Host $host;
  proxy_set_header X-Real-IP $remote_addr;
  proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
  proxy_pass http://6.6.6.6:80;
  proxy_set_header Authorization "Basic a2luZzppc25ha2Vk"; 
}

But this produces the behaviour described above. Since then I simply started to experiment with commenting out and adding different directives (e.g. those provided here: How to get nginx to pass HTTP_AUTHORIZATION header to Apache), but to no avail.

I am grateful for ANY pointers.

Cheers, Will

  • It *sounds* like nginx is passing the incoming Authorization header, maybe in addition to your static one? Which seems to fit something we're seeing as well, but which I haven't found explicit confirmation for yet: that the default behavior is to pass on the incoming Authorization header. – dbreaux Jul 26 '17 at 14:35

1 Answer

-1

Try proxy using explicit credentials:

proxy_pass http://user:secret@6.6.6.6:80;
Canoas
  • This does not work for several reasons: 1) the syntax should be http://user:secret@6.6.6.6:80; 2) nginx doesn't like having two colons in the proxy_pass. The first : is interpreted as a port separator and it throws an error – Luis Lobo Borobia Aug 02 '19 at 21:20
  • Thank you @LuisLoboBorobia. – Canoas Sep 24 '19 at 10:49
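
The setup in the question (static Basic credentials sent to an HTTPS upstream that picks its virtual host by name) written out as an nginx server block. This is an added example, not a configuration from any poster in the thread. Assumptions: `storagebox.example.invalid` and `files.example.invalid` are placeholder hostnames, `PLACEHOLDER_BASE64` stands for the base64 of `user:password`, and the CA bundle path is the Debian default.

```nginx
# Added example. Hostnames and the credential below are placeholders.
server {
    listen 80;                            # the ingress proxy in front terminates TLS
    server_name files.example.invalid;    # hypothetical public name of this proxy

    location / {
        # The upstream only answers over HTTPS on 443.
        proxy_pass https://storagebox.example.invalid:443;

        # Send the upstream's name in the TLS handshake (SNI). nginx does not
        # send SNI to proxied servers unless this is switched on.
        proxy_ssl_server_name on;
        proxy_ssl_name storagebox.example.invalid;

        # Host must name the upstream's virtual host. $host would forward the
        # name the client asked for, i.e. the proxy's own public name.
        proxy_set_header Host storagebox.example.invalid;

        # Static credential. proxy_set_header replaces any Authorization header
        # the client sent, so client-supplied credentials never reach upstream.
        proxy_set_header Authorization "Basic PLACEHOLDER_BASE64";

        # Verify the upstream certificate (off by default) so the credential is
        # only ever sent to the genuine server.
        proxy_ssl_verify on;
        proxy_ssl_verify_depth 2;
        proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;

        # Do not relay an upstream Basic auth challenge to the browser.
        proxy_hide_header WWW-Authenticate;
    }
}
```

With this block every client that can reach the proxy is served with the proxy's credential, so any access restriction has to be enforced on the proxy itself. Keeping the `Authorization` line in a separate file pulled in with `include`, readable only by the nginx user, keeps the secret out of the main configuration.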