我有一个nginx反向代理,我正试图让一个IIS网站登录后面工作.我已经多次问过这个问题了,但每个答案看起来都不一样了,有些问题与我遇到的问题略有不同.
使用我当前的配置,我可以进入登录,但我收到401错误,它一直在要求凭据.
我当前的配置:
在/ etc / nginx的/网站可用/默认
server {
listen 80 default;
server_name _;
return 301 https://$host$request_uri;
}
server {
listen 443 ssl;
server_name server2.mydomain.com;
ssl_certificate /usr/local/nginx/conf/mydomain.com.crt;
ssl_certificate_key /usr/local/nginx/conf/mydomain.com.key;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 5m;
ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers "HIGH:!aNULL:!MD5 or HIGH:!aNULL:!MD5:!3DES";
ssl_prefer_server_ciphers on;
location / {
proxy_pass http://192.168.0.20:80;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto https;
proxy_redirect http:// $scheme://;
}
}
我的问题是,这应该是什么工作的正确方法?
这是我到目前为止所研究的内容:
This链接,说是不可能的.
This链接,说我应该在上游使用keepalive.这可能就是答案,但每当我添加一个带有任何配置的上游server2.mydomain.com时,nginx都无法重启.我确定我的语法不正确,但我尝试了几件事.我会发布我尝试过的所有内容,但我甚至不确定这是正确的方法,而且我已经尝试了很多东西,我认为只询问一般人群如何做到这一点会更容易.
This链接,说你可以添加一个proxy_pass_request_headers;线,它会以某种方式工作……但它不适合我.
This链接,似乎最有可能工作,但在试图弄清楚如何使用this链接编码到base64后,我无处可去.
任何帮助是极大的赞赏. Here是我提出的上一个问题,与此有关,但问题不同.
EDIT1
我很抱歉这么晚,已经离开了一段时间.
这是我的nginx反向代理服务器的访问日志. 192.168.0.5是我的客户FYI.
这些日志来自我访问该站点,获取登录提示,尝试登录一次(没有成功),并退出登录提示.
/var/log/nginx/access.log
192.168.0.5 - - [09/Feb/2016:14:04:14 -0600] "GET / HTTP/1.1" 401 1293 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:42.0) Gecko/20100101 Firefox/42.0"
192.168.0.5 - - [09/Feb/2016:14:04:31 -0600] "GET / HTTP/1.1" 401 341 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:42.0) Gecko/20100101 Firefox/42.0"
192.168.0.5 - - [09/Feb/2016:14:04:31 -0600] "GET / HTTP/1.1" 401 1293 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:42.0) Gecko/20100101 Firefox/42.0"
192.168.0.5 - - [09/Feb/2016:14:04:34 -0600] "GET /favicon.ico HTTP/1.1" 401 1293 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:42.0) Gecko/20100101 Firefox/42.0"
/var/log/nginx/error.log
This file is empty
IIS日志
2016-02-11 19:39:22 192.168.0.20 GET /login - 80 - 192.168.0.10 Mozilla/5.0+(X11;+Linux+x86_64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Ubuntu+Chromium/45.0.2454.101+Chrome/45.0.2454.101+Safari/537.36 401 2 5 125
2016-02-11 19:39:28 192.168.0.20 GET /login - 80 - 192.168.0.10 Mozilla/5.0+(X11;+Linux+x86_64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Ubuntu+Chromium/45.0.2454.101+Chrome/45.0.2454.101+Safari/537.36 401 1 21480424 0
2016-02-11 19:39:36 192.168.0.20 GET /login - 80 - 192.168.0.10 Mozilla/5.0+(X11;+Linux+x86_64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Ubuntu+Chromium/45.0.2454.101+Chrome/45.0.2454.101+Safari/537.36 401 1 21480724 0
2016-02-11 19:40:16 192.168.0.20 GET /login - 80 - 192.168.0.10 Mozilla/5.0+(X11;+Linux+x86_64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Ubuntu+Chromium/45.0.2454.101+Chrome/45.0.2454.101+Safari/537.36 401 1 21407424 15
2016-02-11 19:40:22 192.168.0.20 GET /login - 80 - 192.168.0.10 Mozilla/5.0+(X11;+Linux+x86_64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Ubuntu+Chromium/45.0.2454.101+Chrome/45.0.2454.101+Safari/537.36 401 1 21480742 0
登录没有安全性错误,因此我猜它实际上从未向系统提交登录信息.每次点击“登录”时,它都会再次给我一个登录弹出窗口.
Live HTTP Headers插件输出
https://server2.mydomain.com/
GET / HTTP/1.1
Host: server2.mydomain.com
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:42.0) Gecko/20100101 Firefox/42.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip,deflate
Connection: keep-alive
HTTP/1.1 401 Unauthorized
Server: nginx/1.4.6 (Ubuntu)
Date: Tue,09 Feb 2016 19:21:04 GMT
Content-Type: text/html
Content-Length: 1293
Connection: keep-alive
WWW-Authenticate: NTLM
WWW-Authenticate: Negotiate
X-Powered-By: ASP.NET
----------------------------------------------------------
https://server2.mydomain.com/
GET / HTTP/1.1
Host: server2.mydomain.com
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:42.0) Gecko/20100101 Firefox/42.0
Accept: text/html,deflate
Connection: keep-alive
Authorization: NTLM TlRNTVMTUAAAB4IIAAAAAAAAAAAAACDAFGAAAAAAAAAAAAAAAAA=
HTTP/1.1 401 Unauthorized
Server: nginx/1.4.6 (Ubuntu)
Date: Tue,09 Feb 2016 19:22:00 GMT
Content-Type: text/html; charset=us-ascii
Content-Length: 341
Connection: keep-alive
WWW-Authenticate: NTLM TlRMTVNTUAACAAAAGgAaADgAAuzKir6ADucAAAAAAAAAAL4A&%$DSDADvgBSAAAABgGxHQAAAA9HAEUARQBLAFMAQQBOAEQATgBFAFIARABTAAIAGgBHRQBLAFMAQQBOAEQATgBFDFAFIARABTAAEADABLAEUATABWAEkATgAEACIAZwBlAGUAawBzAGEAbgBkAG4AZQByAGQAcwAuAGMAbwBtAAMAMABLAEUATABWAEkATgAuAGcAZQBlAGsAcwBhAG4AZABuAGUAcgBkAHMALgBjAG8AbQAFACIAZwBlAGUAawBzAGEAbgBkAG4AZQByAGQAcwAuAGMAbwBtAAcACAABRuM1b2PRAQAAAAA=
----------------------------------------------------------
https://server2.mydomain.com/
GET / HTTP/1.1
Host: server2.mydomain.com
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:42.0) Gecko/20100101 Firefox/42.0
Accept: text/html,deflate
Connection: keep-alive
Authorization: NTLM TlRMTVNTUAADAAAAGAAYAHAAAADqAOoAiAAAAAAAAAAGgAaAEAAAAAWABYAWgAAAAAAAAAAAAAABYIIAGEAbQBhAG4AZABhAC4AYgBsAG8AdQBuAHQAVwBPAFIASwBTAFQAQQBUAEkATwBOAHorEf/j46zta4wONTUAADAA-98uH//ZL0Am16vGzdWutoAAAAGAAYAHQAAAAAAAACFdzVEB9QHmLWLCuQQAAAAAAgAaAEcARQBFAEsAUwBBAE4ARABOAEUAUgBEAFMAAQAMAEsARQBMAFYASQBOAAQAIgBnAGUAZQBrAHMAYQBuAGQAbgBlAHIAZABzAC4AYwBvAG0AAwAwAEsARQBMAFYASQBOAC4AZwBlAGUAawBzAGEAbgBkAG4AZQByAGQAcwAuAGMAbwBtAAUAIgBnAGUAZQBrAHMAYQBuAGQAbgBlAHIAZABzAC4AYwBvAG0ABwAIAAFG4zVvY9EBAAAAAA==
HTTP/1.1 401 Unauthorized
Server: nginx/1.4.6 (Ubuntu)
Date: Tue,09 Feb 2016 19:22:00 GMT
Content-Type: text/html
Content-Length: 1293
Connection: keep-alive
WWW-Authenticate: NTLM
WWW-Authenticate: Negotiate
X-Powered-By: ASP.NET
----------------------------------------------------------
EDIT2 – 为清楚起见,这是IP的设置.
客户端机器
192.168.0.5
Ubuntu 14.04桌面
反向代理服务器
192.168.0.10
nginx 1.4.6
Ubuntu 14.04服务器
服务器2
192.168.0.20
server2.mydomain.com
的Apache2
Ubuntu 14.04服务器
编辑3 – 也许这有效,我做错了,……也许不是
从this发表,Fizz写的答案.
我试过这个
在/ etc / nginx的/网站可用/默认
server {
listen 80 default;
server_name _;
return 301 https://$host$request_uri;
}
upstream server2.mydomain.com {
server 192.168.0.20:80
keepalive 16;
}
server {
listen 443 ssl;
server_name server2.mydomain.com;
ssl_certificate /usr/local/nginx/conf/mydomain.com.crt;
ssl_certificate_key /usr/local/nginx/conf/mydomain.com.key;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 5m;
ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers "HIGH:!aNULL:!MD5 or HIGH:!aNULL:!MD5:!3DES";
ssl_prefer_server_ciphers on;
location / {
proxy_pass http://192.168.0.20:80;
proxy_http_version 1.1;
proxy_set_header Connection "";
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto https;
proxy_redirect http:// $scheme://;
}
}
结果相同.基于其他答案….也许apache2是更好的方式去?
EDIT4 – 根据Maxim Dounin的回答编辑
我现在正在尝试使用Nginx 1.9.9,以及Maxim Dounin的答案中提到的流代理方法.
我从源代码编译,所以我的文件位置现在不同了.
/opt/nginx/nginx.conf
worker_processes 1;
events {
worker_connections 1024;
}
stream {
upstream backend {
hash $remote_addr consistent;
server server2.mydomain.com:80 weight=5;
server 192.168.0.20:80 max_fails=3 fail_timeout=30s;
}
server {
listen 443 ssl; #Line 27
server_name server2.mydomain.com;
ssl_certificate /usr/local/nginx/conf/mydomain.com.crt;
ssl_certificate_key /usr/local/nginx/conf/mydomain.com.key;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 5m;
proxy_connect_timeout 1s;
proxy_timeout 3s;
proxy_pass backend;
}
# server {
# listen [::1]:12345;
# proxy_pass unix:/tmp/stream.socket;
# }
}
我注释掉了最后推荐的服务器系列,因为我不知道该怎么做,但由于其他错误,我的配置文件无法到达那里.现在我的/opt/nginx/logs/error.log遇到第27行的问题
the "ssl" parameter requires ngx_stream_ssl_module in /opt/nginx/nginx.conf:27
我肯定用ngx_stream_ssl_module编译,因为当我做一个nginx -V我得到配置参数: – with-stream
希望我走在正确的轨道上.
问题是NTLM authentication(注意WWW-Authenticate:NTLM …),AKA Windows身份验证.
NTLM身份验证验证连接而不是请求,这与HTTP协议有些矛盾,HTTP协议预计是无状态的.因此,它通常不会通过代理工作,包括nginx.
最简单的解决方案是在IIS端将身份验证更改为“基本”.如果由于某种原因这不是一个选项,其他可能性包括:
>在nginx 1.9.x中使用stream proxy.这将映射从客户端到上游服务器的连接,因此NTLM身份验证将起作用.
>使用商业nginx版本中提供的ntlm功能.
请注意,有一些建议使用上游和keepalive进行NTLM身份验证.这些建议不正确且有害 – 除非您仅为一个用户使用代理.最糟糕的是它似乎可以正常工作.问题是与上游服务器的keepalive连接保存在公共缓存中,这些连接可用于所有客户端.因此,如果缓存中存在经过身份验证的连接,则碰巧使用此连接的无关客户端将能够绕过身份验证.
