如何在 401 上覆盖 WWW-Authenticate
How to override WWW-Authenticate on 401
我有一项服务 returns:
WWW-Authenticate: Negotiate, Basic realm="TM1"
从这个 doesn't work with libcurl 开始,我正在尝试使用 nginx 修改那些 headers,如下所示:
WWW-Authenticate: Negotiate
WWW-Authenticate: Basic realm="TM1"
我失败的尝试#1:
http {
proxy_intercept_errors on;
server {
listen 10103;
server_name localhost;
location / {
proxy_pass https://tm1server:10103;
proxy_intercept_errors on;
proxy_hide_header WWW-Authenticate;
add_header "Status is" "${status}" always;
if ($status = 401) {
add_header WWW-Authenticate 'Basic realm="TM1"' always;
add_header WWW-Authenticate 'Negotiate' always;
}
}
}
}
测试:
$ curl -sv http://localhost:10103/api/v1/Configuration
* Trying 127.0.0.1:10103...
* TCP_NODELAY set
* Connected to localhost (127.0.0.1) port 10103 (#0)
> GET /api/v1/Configuration HTTP/1.1
> Host: localhost:10103
> User-Agent: curl/7.68.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 401 Unauthorized
< Server: nginx/1.18.0
< Date: Tue, 09 Jun 2020 14:09:14 GMT
< Content-Type: text/plain
< Content-Length: 0
< Connection: keep-alive
< OData-Version: 4.0
< Set-Cookie: TM1SessionId=rc6xBs4_ZtKRTA3IyIBRIA; Path=/api/; HttpOnly; Secure
< Status is: 401
<
* Connection #0 to host localhost left intact
为什么 if ($status = 401) 不起作用?
我失败的尝试 #2(无论如何 If is Evil):
http {
proxy_intercept_errors on;
server {
listen 10103;
server_name localhost;
location / {
proxy_pass https://tm1server:10103;
proxy_intercept_errors on;
proxy_hide_header WWW-Authenticate;
error_page 401 = @401;
}
location @401 {
proxy_hide_header WWW-Authenticate;
# Preferably, only set those available in $http_www_authenticate
add_header WWW-Authenticate 'Basic realm="TM1"' always;
add_header WWW-Authenticate 'Negotiate' always;
return 401 "Authentication required";
}
}
}
测试:
$ curl -sv http://localhost:10103/api/v1/Configuration
Authentication required* Trying 127.0.0.1:10103...
* TCP_NODELAY set
* Connected to localhost (127.0.0.1) port 10103 (#0)
> GET /api/v1/Configuration HTTP/1.1
> Host: localhost:10103
> User-Agent: curl/7.68.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 401 Unauthorized
< Server: nginx/1.18.0
< Date: Tue, 09 Jun 2020 14:10:16 GMT
< Content-Type: text/plain
< Content-Length: 23
< Connection: keep-alive
< WWW-Authenticate: Negotiate, Basic realm="TM1"
< WWW-Authenticate: Basic realm="TM1"
< WWW-Authenticate: Negotiate
<
{ [23 bytes data]
* Connection #0 to host localhost left intact
为什么proxy_hide_header不起作用?(不管我在哪里设置)
还是更好的方法?
您第一个问题的答案可以在您提供的 if-is-evil link 下找到(请参阅该页面上示例配置的第一个 location 块)。我没有回答你的第二个问题(non-working proxy_hide_header 在这种情况下也让我感到惊讶),但由于上游 header 在第一个配置中被隐藏,你可以试试这个一:
http {
map $status $auth1 {
401 'Basic realm="TM1"';
}
map $status $auth2 {
401 'Negotiate';
}
server {
listen 10103;
server_name localhost;
location / {
proxy_pass https://tm1server:10103;
proxy_intercept_errors on;
proxy_hide_header WWW-Authenticate;
add_header WWW-Authenticate $auth1 always;
add_header WWW-Authenticate $auth2 always;
}
}
}
我有一项服务 returns:
WWW-Authenticate: Negotiate, Basic realm="TM1"
从这个 doesn't work with libcurl 开始,我正在尝试使用 nginx 修改那些 headers,如下所示:
WWW-Authenticate: Negotiate
WWW-Authenticate: Basic realm="TM1"
我失败的尝试#1:
http {
proxy_intercept_errors on;
server {
listen 10103;
server_name localhost;
location / {
proxy_pass https://tm1server:10103;
proxy_intercept_errors on;
proxy_hide_header WWW-Authenticate;
add_header "Status is" "${status}" always;
if ($status = 401) {
add_header WWW-Authenticate 'Basic realm="TM1"' always;
add_header WWW-Authenticate 'Negotiate' always;
}
}
}
}
测试:
$ curl -sv http://localhost:10103/api/v1/Configuration
* Trying 127.0.0.1:10103...
* TCP_NODELAY set
* Connected to localhost (127.0.0.1) port 10103 (#0)
> GET /api/v1/Configuration HTTP/1.1
> Host: localhost:10103
> User-Agent: curl/7.68.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 401 Unauthorized
< Server: nginx/1.18.0
< Date: Tue, 09 Jun 2020 14:09:14 GMT
< Content-Type: text/plain
< Content-Length: 0
< Connection: keep-alive
< OData-Version: 4.0
< Set-Cookie: TM1SessionId=rc6xBs4_ZtKRTA3IyIBRIA; Path=/api/; HttpOnly; Secure
< Status is: 401
<
* Connection #0 to host localhost left intact
为什么 if ($status = 401) 不起作用?
我失败的尝试 #2(无论如何 If is Evil):
http {
proxy_intercept_errors on;
server {
listen 10103;
server_name localhost;
location / {
proxy_pass https://tm1server:10103;
proxy_intercept_errors on;
proxy_hide_header WWW-Authenticate;
error_page 401 = @401;
}
location @401 {
proxy_hide_header WWW-Authenticate;
# Preferably, only set those available in $http_www_authenticate
add_header WWW-Authenticate 'Basic realm="TM1"' always;
add_header WWW-Authenticate 'Negotiate' always;
return 401 "Authentication required";
}
}
}
测试:
$ curl -sv http://localhost:10103/api/v1/Configuration
Authentication required* Trying 127.0.0.1:10103...
* TCP_NODELAY set
* Connected to localhost (127.0.0.1) port 10103 (#0)
> GET /api/v1/Configuration HTTP/1.1
> Host: localhost:10103
> User-Agent: curl/7.68.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 401 Unauthorized
< Server: nginx/1.18.0
< Date: Tue, 09 Jun 2020 14:10:16 GMT
< Content-Type: text/plain
< Content-Length: 23
< Connection: keep-alive
< WWW-Authenticate: Negotiate, Basic realm="TM1"
< WWW-Authenticate: Basic realm="TM1"
< WWW-Authenticate: Negotiate
<
{ [23 bytes data]
* Connection #0 to host localhost left intact
为什么proxy_hide_header不起作用?(不管我在哪里设置)
还是更好的方法?
您第一个问题的答案可以在您提供的 if-is-evil link 下找到(请参阅该页面上示例配置的第一个 location 块)。我没有回答你的第二个问题(non-working proxy_hide_header 在这种情况下也让我感到惊讶),但由于上游 header 在第一个配置中被隐藏,你可以试试这个一:
http {
map $status $auth1 {
401 'Basic realm="TM1"';
}
map $status $auth2 {
401 'Negotiate';
}
server {
listen 10103;
server_name localhost;
location / {
proxy_pass https://tm1server:10103;
proxy_intercept_errors on;
proxy_hide_header WWW-Authenticate;
add_header WWW-Authenticate $auth1 always;
add_header WWW-Authenticate $auth2 always;
}
}
}