Hello,
I'm using a backend authentication which provides SPNEGO Authentication behind a Nginx proxy.
It seems that the client SPNEGO token is generated from the hostname, so my users cannot use the spnego negotiation correctly with this configuration:
server {
listen 443;
location / {
satisfy all;
auth_request /auth;
auth_request_set $saved_www_authenticate $upstream_http_www_authenticate;
add_header WWW-Authenticate $saved_www_authenticate;
proxy_pass https://myprotectedsite;
}
location /auth {
internal;
proxy_pass http://myauthbackend;
proxy_pass_request_body off;
proxy_set_header Content-Length "";
proxy_set_header X-Original-URI $request_uri;
}
}
The backend is correctly getting the headers WWW-Authenticate with the token but obviously it is not proper and do not pass the authentication. Is there a way to modifying the right headers to instruct the client that the backend is not the proxy but itself ?
Best regards
I'm using a backend authentication which provides SPNEGO Authentication behind a Nginx proxy.
It seems that the client SPNEGO token is generated from the hostname, so my users cannot use the spnego negotiation correctly with this configuration:
server {
listen 443;
location / {
satisfy all;
auth_request /auth;
auth_request_set $saved_www_authenticate $upstream_http_www_authenticate;
add_header WWW-Authenticate $saved_www_authenticate;
proxy_pass https://myprotectedsite;
}
location /auth {
internal;
proxy_pass http://myauthbackend;
proxy_pass_request_body off;
proxy_set_header Content-Length "";
proxy_set_header X-Original-URI $request_uri;
}
}
The backend is correctly getting the headers WWW-Authenticate with the token but obviously it is not proper and do not pass the authentication. Is there a way to modifying the right headers to instruct the client that the backend is not the proxy but itself ?
Best regards