Opened 9 years ago

Closed 9 years ago

#69 closed defect (wontfix)

remote_user not being passed through to uwsgi from uwsgi_params

Reported by: www.google.com/accounts/o8/id?id=AItOawlhQox4SfAgML9UE13hvpFe6SbFvxiINME Owned by: somebody
Priority: minor Milestone:
Component: nginx-core Version: 1.1.x
Keywords: uwsgi auth remote_user Cc:
uname -a: Linux xxxx.anchor.net.au 3.1.0-1-amd64 #1 SMP Tue Nov 29 13:47:12 UTC 2011 x86_64 GNU/Linux
nginx -V: nginx version: nginx/1.1.11
built by gcc 4.6.2 (Debian 4.6.2-5)
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-client-body-temp-path=/var/lib/nginx/body --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-log-path=/var/log/nginx/access.log --http-proxy-temp-path=/var/lib/nginx/proxy --http-scgi-temp-path=/var/lib/nginx/scgi --http-uwsgi-temp-path=/var/lib/nginx/uwsgi --lock-path=/var/lock/nginx.lock --pid-path=/var/run/nginx.pid --with-debug --with-http_addition_module --with-http_dav_module --with-http_geoip_module --with-http_gzip_static_module --with-http_image_filter_module --with-http_realip_module --with-http_stub_status_module --with-http_ssl_module --with-http_sub_module --with-http_xslt_module --with-ipv6 --with-sha1=/usr/include/openssl --with-md5=/usr/include/openssl --with-mail --with-mail_ssl_module --add-module=/tmp/buildd/nginx-1.1.11/debian/modules/nginx-echo --add-module=/tmp/buildd/nginx-1.1.11/debian/modules/nginx-upstream-fair

Description

Hi,

nginx/trunk/conf/uwsgi_params is missing a line to pass the $remote_user variable through to UWSGI. This breaks uwsgi-hosted applications that need to know who was logged in when auth is enforced.

Could you please add the following line to nginx/trunk/conf/uwsgi_params?

uwsgi_param	REMOTE_USER		$remote_user;

Thanks!

David

Change History (1)

comment:1 by Maxim Dounin, 9 years ago

Resolution: wontfix
Status: new → closed

I believe RFC 3875 (aka CGI) implies that REMOTE_USER has to be set only if the request was indeed subject to authentication checks (and at least Apache does this).

Just passing $remote_user in all cases is wrong, as it's set regardless of the authentication fact and may mislead applications to think the user is indeed authenticated. Instead, set the parameter in question in the location where you use authentication. E.g.:

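location /app/ {
    # Authentication is enforced for this location only.
    auth_basic "auth realm";
    auth_basic_user_file /path/to/file;

    uwsgi_pass ...

    include uwsgi_params;

    # Pass the user name only where auth_basic is in effect.
    uwsgi_param REMOTE_USER $remote_user;
    uwsgi_param AUTH_TYPE Basic;
}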
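
One way to audit a configuration for the problem described in comment:1, as an added example that is not part of the ticket or of nginx: a small Python check that reports every context passing $remote_user as REMOTE_USER to uwsgi while no auth_basic realm is in effect there. The function name and the sample configuration are constructed for illustration; the check assumes a single file (include directives are not resolved) and considers only auth_basic, the mechanism used on this page.

```python
import re

# Quoted strings, comments, structural characters, then bare words.
TOKEN = re.compile(r'''"(?:\\.|[^"\\])*"|'(?:\\.|[^'\\])*'|#[^\n]*|[{};]|[^\s{};]+''')

def unguarded_remote_user(conf):
    """Return names of config contexts that pass $remote_user as REMOTE_USER
    to uwsgi while no auth_basic realm is in effect for that context."""
    root = {"name": "main", "parent": None, "auth": None, "passes": False}
    blocks, cur, words = [root], root, []
    for m in TOKEN.finditer(conf):
        tok = m.group(0)
        if tok.startswith("#"):
            continue
        if tok == ";":
            if words[:1] == ["auth_basic"] and len(words) == 2:
                cur["auth"] = words[1].strip("\"'")
            elif words[:3] == ["uwsgi_param", "REMOTE_USER", "$remote_user"]:
                cur["passes"] = True
            words = []
        elif tok == "{":
            cur = {"name": " ".join(words), "parent": cur, "auth": None, "passes": False}
            blocks.append(cur)
            words = []
        elif tok == "}":
            cur, words = cur["parent"] or root, []
        else:
            words.append(tok)

    def effective_auth(block):
        # auth_basic is inherited from the nearest enclosing level that sets it,
        # independent of directive order, so resolve it after parsing.
        while block is not None:
            if block["auth"] is not None:
                return block["auth"]
            block = block["parent"]
        return "off"

    return [b["name"] for b in blocks if b["passes"] and effective_auth(b) == "off"]

# Constructed sample configuration (not from the ticket).
SAMPLE = '''
server {
    location /app/    { auth_basic "auth realm"; uwsgi_param REMOTE_USER $remote_user; }
    location /public/ { uwsgi_param REMOTE_USER $remote_user; }  # no auth here
    location /static/ { auth_basic off; uwsgi_param REMOTE_USER $remote_user; }
}
'''

if __name__ == "__main__":
    print(unguarded_remote_user(SAMPLE))
```

Run on an include fragment such as uwsgi_params, a result of "main" means the parameter would be sent from every location that includes the file, whether or not that location authenticates.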