Quantcast

Nginx - API Gateway is not forwarding the request to Auth Service

classic Classic list List threaded Threaded
9 messages Options
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Nginx - API Gateway is not forwarding the request to Auth Service

t.nishiyori
Hi,

I am trying to implement the NGINX API gateway in nginx 1.10.3 community
version. I am facing the issue that NGINX is not forwarding the request to
authentication service. nginx configuration is pasted at the end of this
thread.

I have written authentication service which is listening for login requests
on /login.
My protected application has no login page and responds with 401 status if
its tried to be accessed without login in authentication service.

Now according to the nginx auth_request module, if the protected applicaiton
throws 401 status then NGINX forwards the request to authentication service
for login and after successful login the request is forwarded back to the
backend server.
BUT, this is not happening for my configuration. When I try to access my
nginx application it is not forwarding the request to auth service. I have
verified this by looking at the response headers which has the custom
sessionid name of protected application only.

I have checked my installation and it shows that
--with-http_auth_request_module is compiled in my installation

NGINX Configuraiton :


http {
    include       mime.types;
    default_type  application/octet-stream;
    sendfile        on;
    keepalive_timeout  65;

# proxy_intercept_errors on;
       
    server {
        listen       8180;

                location /{
                        auth_request /login;
                        proxy_pass http://adi-backend;
                }

                location /api {
                        auth_request /login;
                        proxy_pass http://adi-backend;
                }

                location = /login {
                   proxy_pass http://localhost:8080/login;
                   proxy_pass_request_body off;
                   proxy_set_header Content-Length "";
                   proxy_set_header X-Original-URI $request_uri;
                }
                       
                error_page   500 502 503 504  /50x.html;
                        location = /50x.html {
                        root   html;
                }
        }

        upstream adi-backend {
                server localhost:8280;
    }
               
        upstream authserv {
                 server localhost:8380;
    }

}

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,273515,273515#msg-273515

_______________________________________________
nginx mailing list
[hidden email]
http://mailman.nginx.org/mailman/listinfo/nginx
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: Nginx - API Gateway is not forwarding the request to Auth Service

Maxim Dounin
Hello!

On Mon, Apr 10, 2017 at 04:42:25AM -0400, zaidahmd wrote:

> I am trying to implement the NGINX API gateway in nginx 1.10.3 community
> version. I am facing the issue that NGINX is not forwarding the request to
> authentication service. nginx configuration is pasted at the end of this
> thread.
>
> I have written authentication service which is listening for login requests
> on /login.
> My protected application has no login page and responds with 401 status if
> its tried to be accessed without login in authentication service.
>
> Now according to the nginx auth_request module, if the protected applicaiton
> throws 401 status then NGINX forwards the request to authentication service
> for login and after successful login the request is forwarded back to the
> backend server.

You misunderstood what auth_request does.  Instead, it issues a
subrequest for every incoming request, and allows further
processing of the request if and only if the subrequest returns
200.  No attempts are made to look into the response returned for
the original request, that is, "protected application".

Quoting the documentation,
http://nginx.org/en/docs/http/ngx_http_auth_request_module.html:

: The ngx_http_auth_request_module module (1.5.4+) implements
: client authorization based on the result of a subrequest.
: If the subrequest returns a 2xx response code, the access is
: allowed. If it returns 401 or 403, the access is denied with the
: corresponding error code. Any other response code returned by the
: subrequest is considered an error.

That is, the only thing which is expected to happen in your
configuration is a subrequest to "/login" for every request.  If
this subrequest returns 200, access will be allowed for the
original request.  If it returns anything else, access will be
denied.

--
Maxim Dounin
http://nginx.org/
_______________________________________________
nginx mailing list
[hidden email]
http://mailman.nginx.org/mailman/listinfo/nginx
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: Nginx - API Gateway is not forwarding the request to Auth Service

t.nishiyori
Hi Maxim,

Thanks for the response.

As you said below,

> Instead, it issues a
> subrequest for every incoming request, and allows further
> processing of the request if and only if the subrequest returns
> 200.

This means my authentication service will be getting a subrequest to /login
everytime a request reaches nginx. And if the subrequest returns 401 then it
means the user needs to login. So kindly help me that how can I show a login
page if a subrequest throws 401 ? My authentication service is sending a
redirect in response alongwith the 401 status?

When I access my authentication service directly from browser without a
logged-in session id, my browser is getting a 401 with redirect to /login
which is login page. I want this same behaviour in my NGINX API gateway i.e.
NGINX sends each request to API gateway if the request needs to be logged in
a login page should be shown otherwise let the request access the resource.
And I followed the nginx auth_request user guide to configure this as I
showed my config in first thread.

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,273515,273523#msg-273523

_______________________________________________
nginx mailing list
[hidden email]
http://mailman.nginx.org/mailman/listinfo/nginx
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: Nginx - API Gateway is not forwarding the request to Auth Service

t.nishiyori
Hi maxim,

After implementing your valuable inputs I came across the following error in
my application.
Error: "Request 'GET /login' doesn't match 'POST /login"

  this means that nginx is sending GET requests to authentication service.

So the flow is as follows and is according to your valuable feedback.

1. I typed the nginx URL in browser "http://localhost:8180/api"
2. NGINX forwarded the request to "http://localhost:8080/login"
3. I get the above error in my auth service i.e "Request 'GET /login'
doesn't match 'POST /login"

This forwarded request to auth service should be a POST login

Alternatively,
if I type "http://localhost:8180/login", which is also a NGINX location, I
am able to see login page of my auth service.

I want the same for other nginx locaitons i.e. if the request is not
authenticated show login page of auth service. get the user authenticated
and then forward the requests to upstream server.

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,273515,273524#msg-273524

_______________________________________________
nginx mailing list
[hidden email]
http://mailman.nginx.org/mailman/listinfo/nginx
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: Nginx - API Gateway is not forwarding the request to Auth Service

Francis Daly
In reply to this post by t.nishiyori
On Tue, Apr 11, 2017 at 02:04:32AM -0400, zaidahmd wrote:

Hi there,

> This means my authentication service will be getting a subrequest to /login
> everytime a request reaches nginx. And if the subrequest returns 401 then it
> means the user needs to login.

I'm not sure what your system design is, but it sounds like it may not
match the nginx auth_request design.

If your application does its own authentication, then you possibly do
not need nginx auth_request at all.

Do things work for you if the nginx side is just "proxy_pass"?

And, out of interest, which nginx auth_request user guide did you use
for inspiration? It may be that that document can be improved for the
next person.

Cheers,

        f
--
Francis Daly        [hidden email]
_______________________________________________
nginx mailing list
[hidden email]
http://mailman.nginx.org/mailman/listinfo/nginx
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: Nginx - API Gateway is not forwarding the request to Auth Service

t.nishiyori
Hi Francis,

Thanks for your interest. I would certainly like to contribute for the
future implementers of NGINX reverse proxy with API gateway functionality.
Below I will explain my application with NGINX configuration I have
performed and the code snippets/references for future users. If you like I
can share my working sample application also as starter guide for custom
java authentication gateway.

Secondly, I am able to complete my configuraiton successfully and got it
working and now in testing and expanding the functionality.

1. I have two Java applications written in Spring MVC framework. Both
applications are as follows
           a. Secure Gateway
           b. Protected Application(s)
2. Client sends a request to nginx to access protected resource.
http://nginx-server/employee

3. Nginx intercepts the request and first, sends the request to "Secure
Gateway" for authentication. http://secure-gw/authenticate
**************************************************************************
                location /api {
                        auth_request /authenticate;
                        proxy_pass http://protected;
                }

                location = /authenticate {
                        proxy_pass http://secure-gw;
                }
***************************************************************************

4. If the user is NOT a logged in user "Secure Gateway" throws a 401
exception. Otherwise 200 ok is sent as a response and NGINX forwards the
request to "Protected Application" which returns the "employee"
resource/page.

5. NGINX is configured to capture the error "401" and redirect the request
to login page of SecureGateway using a location configured to cater 401
responses.
***************************************************************************
                location =/authfull {
                        proxy_pass http://secure-gw/authenticate;
                        proxy_pass_request_body off;
                        proxy_set_header Content-Length "";
                        proxy_set_header X-Original-URI $request_uri;
                }

                error_page   401 authfull;
***************************************************************************

6. User inputs the credential into login page and submits the request to
NGINX's location "/authenticate" using URL
"http://nginx-server/authenticate".

7. "/authenticate" location is configured to forward the requests to "Secure
Gateway" application without removing the request body i.e. carries the
username and password from the form login page.

8(a)**. After successful login a token or session-id is generated and is
stored in a common session store which is also accessible to the "Protected
Application".
8(b)**. After successful login in "Secure Gateway" the secure gateway
application sends an internal login request to "Protected Application" and
gets the cookie response. Secure Gateway places two sessionIds(with
different name) in response cookies and sends the response back to NGINX
with HTTP 200 OK status.

9. NGINX forwards the authenticated/authorized requests to the "Protected
Application"

10. "Protected Application" checks the presence of session id in cookie,
validates the cookie and if valid, serves the request.

11. After the first request, whenever the user sends a new request to NGINX
for a protected application resource, NGINX sends a subrequest to
"/authenticate" location, "Secure Gateway" verifies its session id in cookie
and if valid, nginx forwards the request to "Protected applicaiton" which
also verifies the login session-id or token and serves the request if valid
session. After frst request Secure Gateway only checks for the validity of
its own session information. This time Secure Gateway will NOT send internal
requests to Protected application.

***********************************************Image Reference of
Design:*********************************
URL : http://tinypic.com/r/35a2lbp/9

This image is missing one thing that its not showing the internal login
request from secure gateway to protected application. For info, this request
is made only once when the user is not a logged in user to secure gateway
application. All subsequent requests does not involve this internal request
flow.

**********************************************NGINX
Configuration***********************************************
http {
    include       mime.types;
    default_type  application/octet-stream;
    sendfile        on;
    keepalive_timeout  65;

        proxy_intercept_errors on;
       
    server {
        listen       8180;

                location /{
                        auth_request /authenticate;
                        proxy_pass http://protected;                       
                }

                location = /authenticate {
                        proxy_pass http://secure-gw;
                }
                location =/authfull {
                        proxy_pass http://secure-gw/authenticate;
                        proxy_pass_request_body off;
                        proxy_set_header Content-Length "";
                        proxy_set_header X-Original-URI $request_uri;
                }
                error_page   401 authfull;
        }

        upstream protected {
                server localhost:8280;
    }
               
        upstream secure-gw {
                 server localhost:8080;
    }

}
**********************************************************************Secure
Gateway - SPRING MVC Security
Configs********************************************
        @Override
        protected void configure(HttpSecurity http) throws Exception {
               
        http
        .authorizeRequests()
            .antMatchers("/authenticate").permitAll()
            .anyRequest().authenticated()
            .and()
        .formLogin()
        .successHandler(successHandler)
            .loginPage("/authenticate")
            .failureHandler(failureHandler)
            .permitAll()
                     .and().csrf().disable();;
        }

************************************************************UI Login
Form********************************

        <form th:action="@{/authenticate}" method="post">
            <div><label> User Name : <input type="text" name="username"/>
</label></div>
            <div><label> Password: <input type="password" name="password"/>
</label></div>
            <div><input type="submit" value="Sign In"/></div>
        </form>

********************************************************************Protected
Resource - Security Configs ***********************************************
        @Override
        protected void configure(HttpSecurity http) throws Exception {
                http.authorizeRequests().anyRequest().authenticated().and().formLogin()
                                .successHandler(authenticationSuccessHandler).failureHandler(authenticationFailureHandler).and()
                                .logout().permitAll().and().exceptionHandling().accessDeniedHandler(accessDeniedHandler())
                                .authenticationEntryPoint(authenticationEntryPoint).and().csrf().disable();
        }
****************************************************************************************************************************************************************


Hope, I am able to clarify what I am doing. I can share the sample code if
you think its requried.

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,273515,273544#msg-273544

_______________________________________________
nginx mailing list
[hidden email]
http://mailman.nginx.org/mailman/listinfo/nginx
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: Nginx - API Gateway is not forwarding the request to Auth Service

Francis Daly
On Wed, Apr 12, 2017 at 05:50:56AM -0400, zaidahmd wrote:

Hi there,

> Below I will explain my application with NGINX configuration I have
> performed and the code snippets/references for future users.
 
I've read your description, and I confess I'm not sure what benefit
auth_request within nginx gives you. It looks like your application is
doing its own auth check on every request anyway, so having nginx do
the same thing seems redundant. I'm probably missing something.

That's ok; I don't need to understand it.

> Secondly, I am able to complete my configuraiton successfully and got it
> working and now in testing and expanding the functionality.

You now have a working system; that's good.

The bonus piece would be if you found that some words in some
documentation were unclear; and if you now know what words would have
made it clear to you the first time you read it; then sharing those new
words might let that piece of documentation become updated so that it
will be clear for the next person reading it for the first time.

Doing the work to prepare those words will be of no benefit to you,
of course, so it's not a problem if it does not suit you to do it.


It's good that you have solved the problem you had.

Cheers,

        f
--
Francis Daly        [hidden email]
_______________________________________________
nginx mailing list
[hidden email]
http://mailman.nginx.org/mailman/listinfo/nginx
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: Nginx - API Gateway is not forwarding the request to Auth Service

t.nishiyori
Hi Francis,

> I've read your description, and I confess I'm not sure what benefit
> auth_request within nginx gives you. It looks like your application is
> doing its own auth check on every request anyway, so having nginx do
> the same thing seems redundant. I'm probably missing something.

can u please tell me the concept and usage of auth_request module. What I
understood from the documentation is stated
below."http://nginx.org/en/docs/http/ngx_http_auth_request_module.html"

Auth_Request Understanding:
      If the auth requirement of an application is to use something other
than BASIC or jwt THEN use auth_request. auth_request can be used to send
each request to a custom authentication application and get the requests
authenticated from that application. NGINX will send a subrequest to
auth_request application for each incoming client request. (This is the same
logic which MAXIM told me in the previous replies.
"https://forum.nginx.org/read.php?2,273515,273516#msg-273516")


************************** MAXIM's Reply Below
****************************************
> You misunderstood what auth_request does. Instead, it issues a
> subrequest for every incoming request, and allows further
> processing of the request if and only if the subrequest returns
> 200. No attempts are made to look into the response returned for
> the original request, that is, "protected application"
************************** END MAXIM's
Reply****************************************

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,273515,273586#msg-273586

_______________________________________________
nginx mailing list
[hidden email]
http://mailman.nginx.org/mailman/listinfo/nginx
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: Nginx - API Gateway is not forwarding the request to Auth Service

Francis Daly
On Thu, Apr 13, 2017 at 01:00:20AM -0400, zaidahmd wrote:

Hi there,

> > I've read your description, and I confess I'm not sure what benefit
> > auth_request within nginx gives you. It looks like your application is
> > doing its own auth check on every request anyway, so having nginx do
> > the same thing seems redundant. I'm probably missing something.
>
> can u please tell me the concept and usage of auth_request module. What I

My understanding is that the auth_request module is especially useful
if you want some degree of authorization, but the application you want
to protect does not implement it.

> understood from the documentation is stated
> below."http://nginx.org/en/docs/http/ngx_http_auth_request_module.html"

For what it's worth, when I read the above url, the understanding I come
to does not exactly match the paragraph you write.

But that does not really matter: you have a configuration that does what
you want it to do. So what you have is good.

If you particularly want to test whether auth_request does anything
useful in your case, use a test system with the same configuration,
and remove the auth_request lines. If the effective behaviour changes,
then the lines were doing something that matters.

        f
--
Francis Daly        [hidden email]
_______________________________________________
nginx mailing list
[hidden email]
http://mailman.nginx.org/mailman/listinfo/nginx
Loading...