Negotiate key in Www-Authenticate #151

Open
Qngdjas opened this issue Oct 3, 2024 · 1 comment

Comments

Qngdjas commented Oct 3, 2024

Auth is working, thank you for the module. Why does the response return a negotiate key in the Www-Authenticate header? Nothing serious in the response to the backend, like #25.
Setting add_header or proxy_set_header isn't working in any server's location.

Trace:

curl --negotiate http://app-rr-t.company.com:8080/api/ -v
* Host app-rr-t.company.com:8080 was resolved.
* IPv6: (none)
* IPv4: 10.111.24.219
*   Trying 10.111.24.219:8080...
* Connected to app-rr-t.company.com (10.111.24.219) port 8080
* Server auth using Negotiate with user ''
> GET /api/ HTTP/1.1
> Host: app-rr-t.company.com:8080
> Authorization: Negotiate YIIJSQYGKwYBBQUCoIIJPTCCCTmgMDAuBgkqhkiC9xIBAgIGCSqGSIb3EgECAgYKKwYBBAGCNwICHgYKKwYBBAGCNwICCqKCCQMEggj/...QW615ICh5Euq1pI6jlIjMuNjAg3/+DBAoROpcYJOcer2Q7apETEZ431J93IkIaXr1+xrRRPsNe1g=
> User-Agent: curl/8.7.1
> Accept: */*
>
< HTTP/1.1 200 OK
< Server: nginx/1.26.2
< Date: Thu, 03 Oct 2024 05:04:44 GMT
< Content-Type: application/json
< Content-Length: 63
< Connection: keep-alive
< WWW-Authenticate: Negotiate oYGgMIGdoAMKAQChCwYJKoZIgvcSAQICooGIBIGFYIGCBgkqhkiG9xIBAgICAG9zMHGgAwIBBaEDAgEPomUwY6ADAgEXolwEWrDvG/q9JQ==
<
"message": "Welcome to Proxy Backend!", "user": "company_user1"* Request completely sent off
* Connection #0 to host app-rr-t.company.com left intact

Config:

user  nginx;
worker_processes  auto;

error_log  /var/log/nginx/error.log debug;
pid        /var/run/nginx.pid;

events {
    worker_connections  1024;
}


http {
    include       /etc/nginx/mime.types;
    default_type  text/html;

    log_format  main  '$remote_addr - $remote_user [$time_local]  '
                      '"$request" $status $body_bytes_sent '
                      '"$http_referer" "$http_user_agent"';

    access_log  /var/log/nginx/access.log  main;

    sendfile        off;

    keepalive_timeout  65;
    types_hash_max_size 4096;

    include /etc/nginx/conf.d/*.conf;

    server {
        error_log /var/log/nginx/gss.log debug;

        listen 80 default_server;
        listen [::]:80 default_server;
        server_name _;

        location /api/ {
            proxy_pass http://localhost:8000/;
            proxy_set_header Host $http_host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-User $remote_user;
            proxy_set_header X-Real-IP $remote_addr;

            auth_gss on;
            auth_gss_realm COMPANY.COM;
            auth_gss_keytab /etc/krb5.keytab;
            auth_gss_service_name HTTP/app-rr-t.company.com;
            auth_gss_allow_basic_fallback off;
        }
    }

    server {
        listen 8000 default_server;
        listen [::]:8000 default_server;
        server_name _;

        location / {
            return 200 'Welcome to Proxy Backend! $remote_user';
        }

        location /api/ {
            return 200 'API';
        }
    }

}

Log (seems good 401 -> 200):

2024/10/03 11:31:40 [debug] 26958#26958: *117 http request line: "GET /api/ HTTP/1.1"
2024/10/03 11:31:40 [debug] 26958#26958: *117 http uri: "/api/"
2024/10/03 11:31:40 [debug] 26958#26958: *117 http header: "Host: app-rr-t.company.com"
2024/10/03 11:31:40 [debug] 26958#26958: *117 http header: "Connection: keep-alive"
2024/10/03 11:31:40 [debug] 26958#26958: *117 http header: "Cache-Control: max-age=0"
2024/10/03 11:31:40 [debug] 26958#26958: *117 http header: "Upgrade-Insecure-Requests: 1"
2024/10/03 11:31:40 [debug] 26958#26958: *117 http header: "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36"
2024/10/03 11:31:40 [debug] 26958#26958: *117 http header: "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7"
2024/10/03 11:31:40 [debug] 26958#26958: *117 http header: "Accept-Encoding: gzip, deflate"
2024/10/03 11:31:40 [debug] 26958#26958: *117 http header: "Accept-Language: ru-RU,ru;q=0.9,en-US;q=0.8,en;q=0.7"
2024/10/03 11:31:40 [debug] 26958#26958: *117 http header done
2024/10/03 11:31:40 [debug] 26958#26958: *117 event timer del: 4: 183784085
2024/10/03 11:31:40 [debug] 26958#26958: *117 generic phase: 0
2024/10/03 11:31:40 [debug] 26958#26958: *117 rewrite phase: 1
2024/10/03 11:31:40 [debug] 26958#26958: *117 test location: "/"
2024/10/03 11:31:40 [debug] 26958#26958: *117 test location: "api/"
2024/10/03 11:31:40 [debug] 26958#26958: *117 using configuration "/api/"
2024/10/03 11:31:40 [debug] 26958#26958: *117 http cl:-1 max:1048576
2024/10/03 11:31:40 [debug] 26958#26958: *117 rewrite phase: 3
2024/10/03 11:31:40 [debug] 26958#26958: *117 post rewrite phase: 4
2024/10/03 11:31:40 [debug] 26958#26958: *117 generic phase: 5
2024/10/03 11:31:40 [debug] 26958#26958: *117 generic phase: 6
2024/10/03 11:31:40 [debug] 26958#26958: *117 generic phase: 7
2024/10/03 11:31:40 [debug] 26958#26958: *117 generic phase: 8
2024/10/03 11:31:40 [debug] 26958#26958: *117 access phase: 9
2024/10/03 11:31:40 [debug] 26958#26958: *117 SSO auth handling IN: token.len=0, head=0, ret=401
2024/10/03 11:31:40 [debug] 26958#26958: *117 Begin auth
2024/10/03 11:31:40 [debug] 26958#26958: *117 Detect SPNEGO token
2024/10/03 11:31:40 [debug] 26958#26958: *117 SSO auth handling OUT: token.len=0, head=1, ret=401
2024/10/03 11:31:40 [debug] 26958#26958: *117 http finalize request: 401, "/api/?" a:1, c:1
2024/10/03 11:31:40 [debug] 26958#26958: *117 http special response: 401, "/api/?"
2024/10/03 11:31:40 [debug] 26958#26958: *117 http set discard body
2024/10/03 11:31:40 [debug] 26958#26958: *117 HTTP/1.1 401 Unauthorized
Server: nginx/1.26.2
Date: Thu, 03 Oct 2024 08:31:40 GMT
Content-Type: text/html
Content-Length: 581
Connection: keep-alive
WWW-Authenticate: Negotiate

2024/10/03 11:31:40 [debug] 26958#26958: *117 http copy filter: 0 "/api/?"
2024/10/03 11:31:40 [debug] 26958#26958: *117 http finalize request: 0, "/api/?" a:1, c:1
2024/10/03 11:31:40 [debug] 26958#26958: *117 http process request line
2024/10/03 11:31:40 [debug] 26958#26958: *117 http request line: "GET /api/ HTTP/1.1"
2024/10/03 11:31:40 [debug] 26958#26958: *117 http uri: "/api/"
2024/10/03 11:31:40 [debug] 26958#26958: *117 http args: ""
2024/10/03 11:31:40 [debug] 26958#26958: *117 http exten: ""
2024/10/03 11:31:40 [debug] 26958#26958: *117 http header: "Host: app-rr-t.company.com"
2024/10/03 11:31:40 [debug] 26958#26958: *117 http header: "Connection: keep-alive"
2024/10/03 11:31:40 [debug] 26958#26958: *117 http header: "Cache-Control: max-age=0"
2024/10/03 11:31:40 [debug] 26958#26958: *117 http header: "Authorization: Negotiate YIIJSQYGKwYBBQUCoIIJPTCCCTmgMDAuBgkqhkiC9xIBAgIGCSqGSIb3EgECAgYKKwYBBAGCNwICHgYKKwYBBAGCNwICCqKCCQMEggj/...y22icHvv8dZBcpGpAVTY0oT0xiSU3dG4rWGwZa
2024/10/03 11:31:40 [debug] 26958#26958: *117 http header: "Upgrade-Insecure-Requests: 1"
2024/10/03 11:31:40 [debug] 26958#26958: *117 http header: "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36"
2024/10/03 11:31:40 [debug] 26958#26958: *117 http header: "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7"
2024/10/03 11:31:40 [debug] 26958#26958: *117 http header: "Accept-Encoding: gzip, deflate"
2024/10/03 11:31:40 [debug] 26958#26958: *117 http header: "Accept-Language: ru-RU,ru;q=0.9,en-US;q=0.8,en;q=0.7"
2024/10/03 11:31:40 [debug] 26958#26958: *117 http header done
2024/10/03 11:31:40 [debug] 26958#26958: *117 test location: "/"
2024/10/03 11:31:40 [debug] 26958#26958: *117 test location: "api/"
2024/10/03 11:31:40 [debug] 26958#26958: *117 using configuration "/api/"
2024/10/03 11:31:40 [debug] 26958#26958: *117 SSO auth handling IN: token.len=0, head=0, ret=401
2024/10/03 11:31:40 [debug] 26958#26958: *117 Begin auth
2024/10/03 11:31:40 [debug] 26958#26958: *117 Detect SPNEGO token
2024/10/03 11:31:40 [debug] 26958#26958: *117 Token decoded: YIIJSQYGKwYBBQUCoIIJPTCCCTmgMDAuBgkqhkiC9xIBAgIGCSqGSIb3EgECAgYKKwYBBAGCNwICHgYKKwYBBAGCNwICCqKCCQMEggj/...y22icHvv8dZBcpGpAVTY0oT0xiSU3dG4rWGwZa0Y1+DQ8rg/FIWlnMttiLq44v
2024/10/03 11:31:40 [debug] 26958#26958: *117 Client sent a reasonable Negotiate header
2024/10/03 11:31:40 [debug] 26958#26958: *117 GSSAPI authorizing
2024/10/03 11:31:40 [debug] 26958#26958: *117 Use keytab /etc/krb5.keytab
2024/10/03 11:31:40 [debug] 26958#26958: *117 Using service principal: HTTP/[email protected]
2024/10/03 11:31:40 [debug] 26958#26958: *117 my_gss_name HTTP/[email protected]
2024/10/03 11:31:40 [debug] 26958#26958: *117 ngx_http_auth_spnego_set_bogus_authorization: bogus user set
2024/10/03 11:31:40 [debug] 26958#26958: *117 user is company_user1
2024/10/03 11:31:40 [debug] 26958#26958: *117 GSSAPI auth succeeded
2024/10/03 11:31:40 [debug] 26958#26958: *117 SSO auth handling OUT: token.len=2381, head=1, ret=0
2024/10/03 11:31:40 [debug] 26958#26958: *117 http script copy: "Host"
2024/10/03 11:31:40 [debug] 26958#26958: *117 http script var: "app-rr-t.company.com"
2024/10/03 11:31:40 [debug] 26958#26958: *117 http script copy: "X-Forwarded-For"
2024/10/03 11:31:40 [debug] 26958#26958: *117 http script var: "10.110.3.96"
2024/10/03 11:31:40 [debug] 26958#26958: *117 http script copy: "X-Forwarded-User"
2024/10/03 11:31:40 [debug] 26958#26958: *117 http script var: "company_user1"
2024/10/03 11:31:40 [debug] 26958#26958: *117 http script copy: "X-Real-IP"
2024/10/03 11:31:40 [debug] 26958#26958: *117 http script var: "10.110.3.96"
2024/10/03 11:31:40 [debug] 26958#26958: *117 http script copy: "Connection"
2024/10/03 11:31:40 [debug] 26958#26958: *117 http script copy: "close"
2024/10/03 11:31:40 [debug] 26958#26958: *117 http script copy: ""
2024/10/03 11:31:40 [debug] 26958#26958: *117 http script copy: ""
2024/10/03 11:31:40 [debug] 26958#26958: *117 http proxy header: "Cache-Control: max-age=0"
2024/10/03 11:31:40 [debug] 26958#26958: *117 http proxy header: "Authorization: Basic aXZjX1Bhc2hrb3ZEVjpib2d1c19hdXRoX2dzc19wYXNzd2Q="
2024/10/03 11:31:40 [debug] 26958#26958: *117 http proxy header: "Upgrade-Insecure-Requests: 1"
2024/10/03 11:31:40 [debug] 26958#26958: *117 http proxy header: "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36"
2024/10/03 11:31:40 [debug] 26958#26958: *117 http proxy header: "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7"
2024/10/03 11:31:40 [debug] 26958#26958: *117 http proxy header: "Accept-Encoding: gzip, deflate"
2024/10/03 11:31:40 [debug] 26958#26958: *117 http proxy header: "Accept-Language: ru-RU,ru;q=0.9,en-US;q=0.8,en;q=0.7"
2024/10/03 11:31:40 [debug] 26958#26958: *117 http proxy header:
"GET / HTTP/1.0
Host: app-rr-t.company.com
X-Forwarded-For: 10.110.3.96
X-Forwarded-User: company_user1
X-Real-IP: 10.110.3.96
Connection: close
Cache-Control: max-age=0
Authorization: Basic aXZjX1Bhc2hrb3ZEVjpihdXRoX2dzc19wYXNzd2Q=
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: ru-RU,ru;q=0.9,en-US;q=0.8,en;q=0.7

"
2024/10/03 11:31:40 [debug] 26958#26958: *117 http cleanup add: 00005598425F4F50
2024/10/03 11:31:40 [debug] 26958#26958: *117 connect to 127.0.0.1:8000, fd:5 #119
2024/10/03 11:31:40 [debug] 26958#26958: *117 http finalize request: -4, "/api/?" a:1, c:2
2024/10/03 11:31:40 [debug] 26958#26958: *117 http request count:2 blk:0
2024/10/03 11:31:40 [debug] 26958#26958: *117 http run request: "/api/?"
2024/10/03 11:31:40 [debug] 26958#26958: *117 http upstream check client, write event:1, "/api/"
2024/10/03 11:31:40 [debug] 26958#26958: *117 http upstream request: "/api/?"
2024/10/03 11:31:40 [debug] 26958#26958: *117 http upstream send request handler
2024/10/03 11:31:40 [debug] 26958#26958: *117 http upstream send request
2024/10/03 11:31:40 [debug] 26958#26958: *117 http upstream send request body
2024/10/03 11:31:40 [debug] 26958#26958: *117 http upstream request: "/api/?"
2024/10/03 11:31:40 [debug] 26958#26958: *117 http upstream process header
2024/10/03 11:31:40 [debug] 26958#26958: *117 http proxy status 200 "200 OK"
2024/10/03 11:31:40 [debug] 26958#26958: *117 http proxy header: "Server: nginx/1.26.2"
2024/10/03 11:31:40 [debug] 26958#26958: *117 http proxy header: "Date: Thu, 03 Oct 2024 08:31:40 GMT"
2024/10/03 11:31:40 [debug] 26958#26958: *117 http proxy header: "Content-Type: text/html"
2024/10/03 11:31:40 [debug] 26958#26958: *117 http proxy header: "Content-Length: 39"
2024/10/03 11:31:40 [debug] 26958#26958: *117 http proxy header: "Connection: close"
2024/10/03 11:31:40 [debug] 26958#26958: *117 http proxy header done
2024/10/03 11:31:40 [debug] 26958#26958: *117 HTTP/1.1 200 OK
Server: nginx/1.26.2
Date: Thu, 03 Oct 2024 08:31:40 GMT
Content-Type: text/html
Content-Length: 39
Connection: keep-alive
WWW-Authenticate: Negotiate oYGhMIGeoAMKAQChCwYJKoZIgvcSAQICooGJBIGGYIGDBgkqhkiG9xIBAgICAG90MHKgAwIBBaEDAgEPomYwZKADAgEXol0EW6fczeSZEiqF9bI=

Should I isolate auth_gss as a separate location? Maybe there is an alternative solution?

Qngdjas commented Oct 4, 2024

I read https://www.rfc-editor.org/rfc/rfc4559#section-4.1.
Apparently this is normal behavior. But I would still like to know how to hide the WWW-Authenticate header.
