This repository has been archived by the owner on Jan 24, 2019. It is now read-only.

HTTP Basic Auth and set-xauthrequest #658

Closed
adilinden opened this issue Oct 15, 2018 · 4 comments

Comments

@adilinden

adilinden commented Oct 15, 2018

Hi,

I have oauth2_proxy sitting in front of Cacti. Cacti supports "web based authentication" where the webserver performs basic authentication and supplies the username to Cacti via the "Authentication" header.

In my particular configuration, I am using nginx as a reverse proxy, with authentication delegated to oauth2_proxy using the "ngx_http_auth_request_module" module in nginx.

Cacti complains about not being able to find the "Authentication" header and about the username not being passed to Cacti. Will oauth2_proxy provide the "Authentication" header for every request?

For oauth2_proxy I have "-pass-basic-auth" explicitly enabled, although the docs state that the default is "true". Here is my location block in nginx. Note that authentication is fine, just the user isn't passed to Cacti.

    # Our cacti server
    location /cacti/ {
        access_log /var/log/nginx/proxy.log proxylog;

        # oauth2_proxy: Request authorization
        auth_request /oauth2/auth;
        error_page 401 = /oauth2/sign_in;

        # oauth2_proxy: if you enabled -cookie-refresh, this is needed for
        #               it to work with auth_request
        auth_request_set $auth_cookie $upstream_http_set_cookie;
        add_header Set-Cookie $auth_cookie;

        proxy_intercept_errors on;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Host $remote_addr;

        proxy_pass https://10.53.73.57:8443;
    }

One last note: if I force a static "Authentication" by setting it within the location block, all works fine. This would be a line such as:

    proxy_set_header Authorization "Basic dXNlcjpwYXNzd29yZA==";

With the line provided, the username and password would be "user/password".

Thanks,
Adi

@ploxiln
Contributor

ploxiln commented Oct 15, 2018

If you use oauth2_proxy in the original proxy mode, instead of the more flexible and complicated auth_request mode, then you can do this with the --pass-basic-auth flag. (The password put in the basic auth to the upstream can be set with the --basic-auth-password flag.)

You can get the username from auth_request but putting it into a basic auth header for the upstream is not easy. You may try to adapt from this part of the example at the bottom of the README:

    # pass information via X-User and X-Email headers to backend,
    # requires running with --set-xauthrequest flag
    auth_request_set $user   $upstream_http_x_auth_request_user;
    auth_request_set $email  $upstream_http_x_auth_request_email;
    proxy_set_header X-User  $user;
    proxy_set_header X-Email $email;

@adilinden
Author

Right, only x_auth_request_user and x_auth_request_email work in auth_request mode, as oauth2_proxy can only pass headers back to nginx, not insert them into the stream going to the client. Didn't think of it until you clarified.

I guess this leaves me with 3 options:

  1. Modify the backend server to accept a definable HTTP header containing username instead of a basic auth line.
  2. Modify oauth2_proxy to pass a header with base64 encoded username to nginx.
  3. Figure out if nginx can base64 encode a string, after receiving it from oauth2_proxy to add the new header.
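
Added example, not part of the original thread and not oauth2_proxy's own code: a Go sketch of what options 2 and 3 need the proxy layer to do, namely drop any identity headers the client sent, then set them only from the user the auth step verified. The function names, the header list and the shared password (standing in for the `--basic-auth-password` value) are assumptions for illustration.

```go
package main

import (
	"encoding/base64"
	"errors"
	"fmt"
	"net/http"
	"strings"
)

// Headers a backend may read as an asserted identity (assumed list, extend as needed).
var identityHeaders = []string{"Authorization", "X-User", "X-Email", "Remote-User"}

// basicAuthValue builds an RFC 7617 "Basic" credential. The user-id must not
// contain ':' (it would shift the user/password split) or control characters.
func basicAuthValue(user, password string) (string, error) {
	if user == "" || strings.ContainsRune(user, ':') {
		return "", errors.New("user-id empty or contains ':'")
	}
	for _, r := range user + password {
		if r < 0x20 || r == 0x7f {
			return "", errors.New("control character in credentials")
		}
	}
	return "Basic " + base64.StdEncoding.EncodeToString([]byte(user+":"+password)), nil
}

// upstreamHeaders returns the headers to forward: client-supplied identity
// headers are dropped, then identity is set only from the verified user.
func upstreamHeaders(client http.Header, verifiedUser, sharedPassword string) (http.Header, error) {
	cred, err := basicAuthValue(verifiedUser, sharedPassword)
	if err != nil {
		return nil, err
	}
	out := client.Clone() // leave the caller's header map untouched
	for _, h := range identityHeaders {
		out.Del(h)
	}
	out.Set("X-User", verifiedUser)
	out.Set("Authorization", cred)
	return out, nil
}

func main() {
	// Constructed request: the client tries to assert its own identity.
	client := http.Header{"X-User": {"admin"}, "Accept": {"text/html"}}
	out, err := upstreamHeaders(client, "user", "password")
	fmt.Println(out, err)
}
```

With the constructed inputs `user` and `password`, the generated value matches the static header quoted earlier in the thread.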

@adilinden
Author

I guess I need to learn more about HTTP headers. Although my backend application states "Basic Web Authentication" it does not look only for the Authentication header, but also a number of others, such as REMOTE_USER. The information you provided will accomplish what I need by setting the REMOTE_USER header appropriately. I am already doing just that with another backend.

Interestingly enough, I didn't know that the RFC requires REMOTE_USER to be set to the user ID supplied when Basic Authentication is used. RFC 3875 - The Common Gateway Interface (CGI) Version 1.1 section 4.1.11.

I think that answers my question. Thank you so much for the quick and very helpful response!

@ploxiln
Contributor

ploxiln commented Oct 15, 2018

I'm glad you got it working :)
