#616 closed defect (invalid)
Authenticate header on proxy pass is length-limited?
Reported by: | Arne B. | Owned by: | |
---|---|---|---|
Priority: | minor | Milestone: | |
Component: | nginx-core | Version: | 1.4.x |
Keywords: | Cc: | ||
uname -a: | Linux mon 3.13.0-24-generic #46-Ubuntu SMP Thu Apr 10 19:11:08 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux | ||
nginx -V: |
nginx version: nginx/1.4.6 (Ubuntu)
built by gcc 4.8.2 (Ubuntu 4.8.2-16ubuntu6) TLS SNI support enabled configure arguments: --with-cc-opt='-g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -D_FORTIFY_SOURCE=2' --with-ld-opt='-Wl,-Bsymbolic-functions -Wl,-z,relro' --prefix=/usr/share/nginx --conf-path=/etc/nginx/nginx.conf --http-log-path=/var/log/nginx/access.log --error-log-path=/var/log/nginx/error.log --lock-path=/var/lock/nginx.lock --pid-path=/run/nginx.pid --http-client-body-temp-path=/var/lib/nginx/body --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-proxy-temp-path=/var/lib/nginx/proxy --http-scgi-temp-path=/var/lib/nginx/scgi --http-uwsgi-temp-path=/var/lib/nginx/uwsgi --with-debug --with-pcre-jit --with-ipv6 --with-http_ssl_module --with-http_stub_status_module --with-http_realip_module --with-http_addition_module --with-http_dav_module --with-http_geoip_module --with-http_gzip_static_module --with-http_image_filter_module --with-http_spdy_module --with-http_sub_module --with-http_xslt_module --with-mail --with-mail_ssl_module --add-module=/build/buildd/nginx-1.4.6/debian/modules/nginx-auth-pam --add-module=/build/buildd/nginx-1.4.6/debian/modules/nginx-dav-ext-module --add-module=/build/buildd/nginx-1.4.6/debian/modules/nginx-echo --add-module=/build/buildd/nginx-1.4.6/debian/modules/nginx-upstream-fair --add-module=/build/buildd/nginx-1.4.6/debian/modules/ngx_http_substitutions_filter_module |
Description
I am trying to use nginx as a proxy for a protected resource.
Nginx is supposed to supply the credentials; a user of the
proxy is supposed to be able to access the protected resource
without entering any credentials
Followed some tutorials, and arrived at this problem:
This works:
# Credentials on protected resource: king:isnaked location /protected/ { proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header Authorization "Basic a2luZzppc25ha2Vk"; proxy_pass http://1.2.3.4:1234; }
While this doesn't:
# Credentials on protected resource: admin:a6a437 location /protected/ { proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header Authorization "Basic YWRtaW46YTZhNDM3Cg"; proxy_pass http://1.2.3.4:1234; }
(I initially tried with even longer passwords, but came down to this.)
Change History (4)
comment:1 by , 10 years ago
Resolution: | → invalid |
---|---|
Status: | new → closed |
comment:2 by , 10 years ago
Resolution: | invalid |
---|---|
Status: | closed → reopened |
Ah, yes, that must have been a copy and paste mistake (I did a lot of trials, the ticket describes only two of them).
Anyhow, I retested with the correct encoding YWRtaW46YTZhNDM3Cg== to be 100% sure that I didn't do a stupid mistake yesterday.
I can confirm, it does not work. Hence, I am reopening.
comment:3 by , 10 years ago
Resolution: | → invalid |
---|---|
Status: | reopened → closed |
As already shown above, if something doesn't work for you, it doesn't mean that there is a bug. There is no limit you are claiming, and the bug is certainly invalid, closing again. You may want to use mailing list for further question, see http://nginx.org/en/support.html.
As for stupid mistakes, please note that "YWRtaW46YTZhNDM3Cg==" includes newline, and it's highly unlikely it's something your backend expects to be in a password.
comment:4 by , 10 years ago
Ah, the newline. Stupid me. Sorry for opening this bug prematurely then.
In the second example base64 encoding is invalid, there is no required padding, and this likely the reason why it doesn't work - you have to check with your backend for the details. In either case, there is no limit on length of headers added with proxy_set_header.