Nginx代理到S3 bucket
我有一个nginx代理通过Linode到S3桶。
配置正常
我的Nginx配置在基本auth被禁用时工作正常,就像这样。(现在请忽略一些配置是重复的,我这样做是因为我想在以后禁用/API和/images的auth_basic)。但是请自由回复,不要重复行。
location /api {
proxy_http_version 1.1;
proxy_pass https://mydomainhere.eu-central-1.linodeobjects.com/api;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
location /images {
proxy_http_version 1.1;
proxy_pass https://mydomainhere.eu-central-1.linodeobjects.com/images;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
location / {
proxy_http_version 1.1;
proxy_pass https://mydomainhere.eu-central-1.linodeobjects.com;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
此配置不起作用
location /api {
auth_basic off; # ADDED THIS LINE
proxy_http_version 1.1;
proxy_pass https://mydomainhere.eu-central-1.linodeobjects.com/api;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_ignore_headers Authorization; # ADDED THIS LINE
proxy_hide_header Authorization; # ADDED THIS LINE
}
location /images {
auth_basic off; # ADDED THIS LINE
proxy_http_version 1.1;
proxy_pass https://mydomainhere.eu-central-1.linodeobjects.com/images;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_ignore_headers Authorization; # ADDED THIS LINE
proxy_hide_header Authorization; # ADDED THIS LINE
}
location / {
auth_basic "Restricted Access"; # ADDED THIS LINE
auth_basic_user_file {MY_PATH_HERE}; # ADDED THIS LINE
proxy_http_version 1.1;
proxy_pass https://mydomainhere.eu-central-1.linodeobjects.com;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_ignore_headers Authorization; # ADDED THIS LINE
proxy_hide_header Authorization; # ADDED THIS LINE
}
基本身份验证工作正常。我在访问/
时要求输入密码,而在访问api/
和images/
时not要求输入密码。当没有通过基本身份验证时,我也从api/api.json
获得了有效的响应。
问题是
问题是,当我通过基本身份验证(在每个端点上,我随后访问)登录时,我得到了一个400错误。不知何故,我认为附加的基本身份验证头被发送到S3,我试图禁用它:
proxy_ignore_headers Authorization;
proxy_hide_header Authorization;
如上例所示。但这没有任何效果。
调试信息
从浏览器发送到nginx的头文件是(未启用基本身份验证):
:authority: mydomainhere
:method: GET
:path: /api/api.json
:scheme: https
accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
accept-encoding: gzip, deflate, br
accept-language: nl-NL,nl;q=0.8
cache-control: max-age=0
if-modified-since: Wed, 22 Mar 2023 13:18:15 GMT
if-none-match: "2bcd098e106ce6a7b9961217c965127c"
sec-ch-ua: "Brave";v="111", "Not(A:Brand";v="8", "Chromium";v="111"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Linux"
sec-fetch-dest: document
sec-fetch-mode: navigate
sec-fetch-site: none
sec-fetch-user: ?1
sec-gpc: 1
upgrade-insecure-requests: 1
user-agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36
从浏览器发送到nginx的头部是(WITHbasic auth enabled):
:authority: mydomainhere
:method: GET
:path: /api/api.json
:scheme: https
accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
accept-encoding: gzip, deflate, br
accept-language: nl-NL,nl;q=0.8
authorization: Basic somekeyhere
cache-control: max-age=0
if-modified-since: Wed, 22 Mar 2023 13:18:15 GMT
if-none-match: "2bcd098e106ce6a7b9961217c965127c"
sec-ch-ua: "Brave";v="111", "Not(A:Brand";v="8", "Chromium";v="111"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Linux"
sec-fetch-dest: document
sec-fetch-mode: navigate
sec-fetch-site: none
sec-fetch-user: ?1
sec-gpc: 1
upgrade-insecure-requests: 1
user-agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36
添加了这一行:
授权:Basic somekeyhere
结论及问题
我想实现人们在访问我的/
网站时使用基本身份验证登录。我的网站是托管在Linode上的静态网站(S3上的对象存储)。我不希望文件夹/images/
和/api
使用基本身份验证保护。我如何使用NGINX实现这一点?并记住我上面尝试过的事情。
额外信息
我的域名服务器和域名通过cloudflare,我不认为Cloudflare与它有任何关系,但可以肯定的是,我提到了这一点。我有skipped
从cloudflare的保护(子)域本身,因为它是由基本的身份验证保护。
1条答案
按热度按时间ff29svar1#
我通过替换来解决它:
用于: