Conditionally removing a proxy header

Conditionally removing a proxy header

vergil
I'm trying to conditionally remove a proxy header but this doesn't appear to
be allowed using an "if". Ideally it would look something like this where
$external_traffic is either 0 or 1:

if ($external_traffic) {
        ...
        proxy_hide_header WWW-Authenticate; # Remove negotiate header
        ...
}

My workaround is to set up another site with proxy_hide_header set and do a
redirect to it inside the if instead but that seems messy.

if ($external_traffic) {
        ...
        rewrite ^ https://external.testdomain.com$request_uri break;
        ...
}

Is there a better way to do this?

Thanks,
Neil

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,288015,288015#msg-288015

_______________________________________________
nginx mailing list
[hidden email]
http://mailman.nginx.org/mailman/listinfo/nginx

Re: Conditionally removing a proxy header

Francis Daly
Hi there,

I'm not certain why you want to do the specific example that you want
to do; but if I were doing the general "conditionally remove header"
thing, I would probably use "map" to set a new variable "$my_value"
based on your variable "$external_traffic".

If $external_traffic is 1, set $my_value to blank.

Otherwise, set $my_value to $upstream_http_www_authenticate.

And then always "proxy_hide_header WWW-Authenticate;" and
"add_header WWW-Authenticate $my_value always;"

If the value is blank, add_header does not write the header. And "always"
is because you probably only get the WWW-Authenticate on a 401 response.

http://nginx.org/r/map
http://nginx.org/r/$upstream_http_
http://nginx.org/r/add_header

(Note the standard caveats about directive inheritance, particularly
regarding add_header, if that applies in your config.)

Hope this helps!

        f
--
Francis Daly        [hidden email]

Re: Conditionally removing a proxy header

vergil
Thanks so much Francis, yes that seems to have worked.  When the
application is accessed outside our domain, it doesn't try to negotiate
which would pop up the Windows authentication prompt and would never work
anyways, but if the user is inside our domain either by being physically
inside the building or through a VPN, the negotiate header is there to allow
for automatic sign-in using their Windows credentials.

As you suggested I used a map:

map $external_traffic $negotiate {
    1 '';
    0 $upstream_http_www_authenticate;
}

Then inside the location block I removed and conditionally added the
WWW-Authenticate header:

proxy_hide_header WWW-Authenticate; # Remove negotiate header
add_header WWW-Authenticate $negotiate always; # Add negotiate header for internal addresses

Thanks again!
Neil

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,288015,288091#msg-288091
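
The configuration confirmed above, written out as one file with the add_header inheritance caveat from Francis's reply made concrete. This is an added example, not part of either poster's messages; the geo ranges, server_name, upstream address and the X-Content-Type-Options header are assumptions, since the thread does not show how $external_traffic is set.

```nginx
# Assumption: "internal" means these constructed private ranges.
# The thread does not show how $external_traffic is derived.
geo $external_traffic {
    default        1;   # anything not listed is external
    10.0.0.0/8     0;   # constructed internal / VPN range
    192.168.0.0/16 0;   # constructed internal range
}

# Empty string for external clients, the upstream's own challenge otherwise.
map $external_traffic $negotiate {
    1 '';
    0 $upstream_http_www_authenticate;
}

server {
    listen 80;
    server_name app.example.test;           # placeholder name

    # Constructed server-level header that should reach every response.
    add_header X-Content-Type-Options nosniff always;

    location / {
        proxy_pass http://127.0.0.1:8080;   # placeholder upstream

        # Always strip the upstream header, then re-add it only when
        # $negotiate is non-empty (add_header skips empty values).
        proxy_hide_header WWW-Authenticate;
        add_header WWW-Authenticate $negotiate always;

        # add_header directives are inherited from the server level only
        # when this level defines none. Because this location now has one,
        # server-level headers must be repeated here or they are dropped.
        add_header X-Content-Type-Options nosniff always;
    }
}
```

Comparing the headers of a 401 response fetched from an internal and an external address shows whether both the conditional header and the repeated server-level header behave as intended.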


Re: Conditionally removing a proxy header

Francis Daly
On Thu, May 21, 2020 at 04:38:18PM -0400, eckern wrote:

Hi there,

> Thanks so much Francis, yes that seems to have worked.

Great that you have a config that works for you; and thanks for sharing
the confirmed config with the list -- that will almost certainly help
the next person with the same issue :-)

> application is accessed outside our domain, it doesn't try to negotiate
> which would pop up the Windows authentication prompt and would never work
> anyways,

Good point -- I was concerned that the browser might not like a 401
response with no WWW-Authenticate header; but it sounds like it works
well enough as-is.

Cheers,

        f
--
Francis Daly        [hidden email]