3

I installed a server for Redmine, running with Nginx/Passenger. The server also hosts Gitlab and it goes well.

I put some kind of SSO plugin for Redmine (which I found and installed) and it needs an environment variable to be filled with the user name : this is where it is getting tricky. So far I can separately :

  • get the username from the X-Forwarded-User header
  • auto connect to Redmine passing the username as a constant value
  • auto connect to Redmine passing the right username as a constant value after testing the current forwarded value => that IS ugly and requires to do a test for each existing user

But I cannot directly set the username with the forwarded value, it looks like the $http_x_forwarded_user variable is not being evaluated...

Is there a neat solution ? My current Nginx/Passenger config : 


upstream gitlab-workhorse {
  server unix:/var/opt/gitlab/gitlab-workhorse/socket fail_timeout=0;
}

server {
  listen 0.0.0.0:80;
  listen [::]:80 ipv6only=on default_server;
  server_name server.example.com
  server_tokens off; ## Don't show the nginx version number, a security best practice

  root /opt/gitlab/embedded/service/gitlab-rails/public;

  location / {
    proxy_read_timeout 300;
    proxy_connect_timeout 300;
    proxy_redirect off;
    proxy_http_version 1.1;
    proxy_set_header Host $http_host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_pass http://gitlab-workhorse;
    access_log /var/log/nginx/gitlab_access.log;
    error_log /var/log/nginx/gitlab_error.log;
  }

  location ~ ^/redmine(/.*|$) {
        alias /opt/redmine/public$1;
        passenger_base_uri /redmine;
        passenger_app_root /opt/redmine;
        passenger_document_root /opt/redmine/public;
        passenger_enabled on;
        access_log /var/log/nginx/redmine_access.log;
        error_log /var/log/nginx/redmine_error.log;

        # returns "dave", who is the connected user => great !
        return 200 $http_x_forwarded_user;

        # connects on Redmine as Dave => marvelous !
        passenger_env_var REMOTE_USER dave;

        # working but ugly solution
        if ($http_x_forwarded_user = "dave") {
            passenger_env_var REMOTE_USER dave;
        }
        if ($http_x_forwarded_user = "john") {
            passenger_env_var REMOTE_USER john;
        }
#       ... and so on for every single user having an account...

        # fails : "user does not exist in database" => $http_x_forwarded_user not being evaluated ??
        passenger_env_var REMOTE_USER $http_x_forwarded_user;
    }
}
leguminator
  • 31
  • 3

1 Answers1

1

According to this bug report, this is currently broken:

passenger_env_var VAR $nginx_var; sets VAR to $nginx_var, not its value.

Possible workaround:

  • Drop passenger (but keep Nginx)
  • Setup redmine via uwsgi, which

aims at developing a full stack for building hosting services.

Application servers (for various programming languages and protocols), proxies, process managers and monitors are all implemented using a common api and a common configuration style.

Thanks to its pluggable architecture it can be extended to support more platforms and languages.

Currently, you can write plugins in C, C++ and Objective-C.

The “WSGI” part in the name is a tribute to the namesake Python standard, as it has been the first developed plugin for the project.

Versatility, performance, low-resource usage and reliability are the strengths of the project (and the only rules followed).

Using this myself in multiple production environments, highly recommend!

Community
  • 1
gxx
  • 5,483
  • 2
  • 21
  • 42
  • 1
    Thanks for pointing out the bug ! It seems like it will not be fixed shortly as it is labelled as 'enhancement' and was opened something like 18 months ago... This pushes me toward the workaround with uwsgi – leguminator Oct 05 '17 at 08:51