Skip to content

Authorization header gets modified on proxy #105

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
penumbra23 opened this issue Aug 10, 2023 · 3 comments · Fixed by #106
Closed

Authorization header gets modified on proxy #105

penumbra23 opened this issue Aug 10, 2023 · 3 comments · Fixed by #106

Comments

@penumbra23
Copy link
Contributor

Description

When Nginx proxies the request to an upstream, the Authorization header gets modified.

Basically, if the request holds Authorization: Bearer ey... the server cuts the Bearer part, which is kinda odd if the upstream expects the Bearer. Imho, the request shouldn't be modified by the auth plugin.

Test case

Here's a Docker compose file to test it:

version: '3.7'

services:
  nginx:
    image: teslagovnginx:latest
    ports:
    - 8080:8080
    volumes:
    - ./key.pem:/app/keys/ssh-publickey
    - ./nginx_main.conf:/etc/nginx/nginx.conf
    - ./nginx.conf:/etc/nginx/conf.d/nginx.conf

  echo:
    image: jmalloc/echo-server

nginx_main.conf

user  nginx;
worker_processes  1;

error_log  /var/log/nginx/error.log info;
pid        /var/run/nginx.pid;

load_module /usr/lib64/nginx/modules/ngx_http_auth_jwt_module.so;

events {
    worker_connections  1024;
}

http {
  include       /etc/nginx/mime.types;
  default_type  application/octet-stream;

  log_format  upstream_time  '$remote_addr $sent_http_x_userid [$time_local] "$request" '
          '$status $body_bytes_sent "$http_referer" '
          '"$http_user_agent" "$http_x_forwarded_for" '
          'rt="$request_time" uct="$upstream_connect_time" '
          'uht="$upstream_header_time" urt="$upstream_response_time" '
          '$sent_http_x_email';

  access_log  /var/log/nginx/access.log  upstream_time;

  sendfile        on;

  client_body_timeout 12;
  client_header_timeout 12;
  send_timeout 10;
  keepalive_timeout  30;

  client_body_buffer_size 10K;
  client_header_buffer_size 1k;

  proxy_set_header Host                  $host;
  proxy_set_header X-Forwarded-For       $proxy_add_x_forwarded_for;
  proxy_set_header X-Forwarded-Proto     $scheme;
  proxy_set_header X-Forwarded-Server    $remote_addr;

  include /etc/nginx/conf.d/*.conf;
}

nginx.conf:

server {
    listen       8080;
    server_name  _;
    client_max_body_size 50m;

    location / {
        auth_jwt_enabled on;
        auth_jwt_location HEADER=Authorization;
        auth_jwt_algorithm RS256;
        auth_jwt_use_keyfile on;
        auth_jwt_keyfile_path "/app/keys/ssh-publickey";

        proxy_pass    http://echo:8080;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
    }
}

Then if you run:
curl localhost:8080 -H 'Authorization: Bearer eyJhbGc...'

the response is:

GET / HTTP/1.0

Host: localhost
Accept: */*
Authorization: eyJhbGc...

Possible solution:

I've created a possible fix on my branch. It was editing the pointer value which is a string, which means it modifies the header value directly.

Let me know what you think.
@JoshMcCullough
Copy link
Contributor

Good catch, will fix!

@JoshMcCullough JoshMcCullough mentioned this issue Aug 10, 2023
Merged
@JoshMcCullough
Copy link
Contributor

@penumbra23 feel free to review the attached PR, then we'll get this merged and new binaries released.

@penumbra23
Copy link
Contributor Author

Tested it locally on your branch, works!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

fix issue with "Bearer" being removed from header TeslaGov/ngx-http-auth-jwt-module
2 participants
@JoshMcCullough @penumbra23