小贝子编程

Nginx反向代理Websocket身份验证-HTTP 403



我使用Nginx作为Spring启动应用程序的反向代理。我还将Websockets与sockjs和stomp消息一起使用。

这是上下文配置。

<websocket:message-broker application-destination-prefix="/app">
    <websocket:stomp-endpoint path="/localization" >
        <websocket:sockjs/>
    </websocket:stomp-endpoint>
    <websocket:simple-broker prefix="/topic" />
</websocket:message-broker>

这是客户端代码:

var socket = new SockJS(entryPointUrl);
var stompClient = Stomp.over(socket);
var _this = this;
stompClient.connect({}, function () {
    stompClient.subscribe('/app/some-url', function (message) {
         // do some stuff
    });
});

我还为您提供了一些Spring Security保护内容。

@Configuration
@Order(4)
public static class FrontendSecurityConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                .antMatchers("/js/**", "/css/**", "/webjars/**").permitAll()
                .anyRequest().authenticated()
                .and()
                .formLogin().loginPage("/login").permitAll()
                .and()
                .logout().permitAll();
    }
}

一切都很好,当我在Nginx反向代理后面运行这个应用程序时。这是相反的配置:

    proxy_pass http://testsysten:8080;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header Host $host;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    # WebSocket support (nginx 1.4)
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection $http_connection;
    # Max body size
    client_max_body_size 10M;

连接总是以HTTP 403代码失败。

我使用的是1.9.7版本。

你知道为什么客户端没有通过身份验证吗?

我知道类似的问题,比如这个问题,但解决方案根本不起作用。

更新

我设法通过HTTP运行了该应用程序。我需要在Nginx配置中传递CSRF令牌。新配置为:

    proxy_pass http://testsysten:8080;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header Host $host;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    # Pass the csrf token (see https://de.wikipedia.org/wiki/Cross-Site-Request-Forgery)
    # Default in Spring Boot
    proxy_pass_header X-XSRF-TOKEN;
    # WebSocket support (nginx 1.4)
    proxy_http_version 1.1;

唯一缺少的是通过HTTPS重定向。在Spring日志中,可以看到以下条目:

o.s.w.s.s.t.h.DefaultSockJsService - Processing transport request: GET http://testsystem:80/localization/226/3mbmu212/websocket

似乎Nginx Proxy需要将重写到正确的端口。

我自己解决了这个问题。基本上,如果您想使用Websocket和SpringSecurity,Nginx需要传递一些额外的头值。以下行需要添加到Nginx配置中的location部分:

    # Pass the csrf token (see https://de.wikipedia.org/wiki/Cross-Site-Request-Forgery)
    # Default in Spring Boot and required. Without it nginx suppresses the value
    proxy_pass_header X-XSRF-TOKEN;
    # Set origin to the real instance, otherwise a of Spring security check will fail
    # Same value as defined in proxy_pass
    proxy_set_header Origin "http://testsysten:8080";

尽管我使用的是非常经典的HTTPS配置:,但接受的解决方案对我不起作用

server {
    listen 443 ssl;
    location /ws {
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $http_host;
        proxy_pass http://127.0.0.1:8888;
    }
...

问题是Spring检查了来源,特别是代码给我带来了麻烦:

// in org.springframework.web.util.UriComponentsBuilder.adaptFromForwardedHeaders(HttpHeaders):
        if ((this.scheme.equals("http") && "80".equals(this.port)) ||
                (this.scheme.equals("https") && "443".equals(this.port))) {
            this.port = null;
        }

在该代码中,方案是"http",端口是8888,它不会被丢弃,因为它不是标准端口

但是浏览器点击https://myserver/443端口被省略,因为它是默认的HTTPS端口。

因此,端口不匹配(空!=8888),原点检查失败。

您可以在SpringWebSockets中禁用源代码检查:

registry.addHandler( resgisterHandler(), "/ws" ).setAllowedOrigins( "*" );

或者(可能更安全)您可以将方案和端口添加到NGINX代理配置:

    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Forwarded-Port $server_port;

如果你感兴趣,这些标题会在中读取

org.springframework.web.util.UriComponentsBuilder.adaptFromForwardedHeaders(HttpHeaders)

用于弹簧套2.2.2+

从Spring Boot 2.2.2版本开始,您应该为这些要考虑的X-Forwarded-*标头添加以下设置:

server.forward-headers-strategy=native

(例如在application.properties中)

我也遇到过类似的问题。我无法使用NGINX的基本Spring Security身份验证。除了设置proxy_pass_header X-XSRF-TOKEN;,我还必须设置underscores_in_headers on;,因为默认情况下,NGINX不允许带有下划线的标头,并且CSRF令牌名为_csrf

所以我的最终配置文件是这样的:

server {
    underscores_in_headers on;
    listen 80 default_server;
    listen [::]:80 default_server ipv6only=on;
    root /usr/share/nginx/html;
    index index.html index.htm;
    # Make site accessible from http://localhost/
    server_name localhost;
    location / {
            # First attempt to serve request as file, then
            # as directory, then fall back to displaying a 404.
            try_files $uri $uri/ =404;
            # Uncomment to enable naxsi on this location
            # include /etc/nginx/naxsi.rules
    }
    location /example/ {
            proxy_pass_header X-XSRF-TOKEN;
            proxy_pass      http://localhost:8080/;
    }
}

我在NGINX代理中没有CSRF头的情况下解决了这个问题。

我的堆栈:spring-boot、spring-security(带有redis会话存储)、带有默认STOMP实现的spring-boot-websocket、为前端服务并代理到前端使用的另一个服务的NGINX。

在我第一次使用默认配置显示在NGINX博客这里和这里(复制和粘贴历史):

http {
    map $http_upgrade $connection_upgrade {
        default upgrade;
        '' close;
    }
    upstream websocket {
        server 192.168.100.10:8010;
    }
    server {
        listen 8020;
        location / {
            proxy_pass http://websocket;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection $connection_upgrade;
        }
    }
}

但不要工作,仍然403禁止。

我用下面的配置解决了这个问题(修复websocket真正重要的部分是#websocket Proxy):

worker_processes  1;
events {
    worker_connections  1024;
}
http {
    include       mime.types;
    default_type  application/octet-stream;
    sendfile        on;
    keepalive_timeout  65;
    server {
        listen       30010;
        server_name  localhost;
        client_max_body_size 10M;
        location / {
            root   /usr/share/nginx/html;
            index  index.html index.htm;
        }
        # Backend API Proxy
        location /api {
            proxy_pass http://192.168.0.100:30080;
            proxy_set_header Host $http_host;
            proxy_set_header Access-Control-Allow-Origin 192.168.0.100;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-NginX-Proxy true;
            rewrite ^/api/?(.*) /$1 break;
            proxy_redirect off;
        }
        # CDN Proxy
        location ~ ^/cdn/(.*) {
            proxy_pass http://192.168.0.110:9000;
            rewrite ^/cdn/(.*) /$1 break;
        }
        # This is the configuration that fix the problem with WebSocket
        # WebSocket Proxy
        location /ws {
            proxy_pass http://192.168.0.120:30090;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
            proxy_set_header Host $http_host;
            proxy_set_header Access-Control-Allow-Origin 192.168.0.120;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-NginX-Proxy true;
        }
    }
}

在我的例子(Spring Boot应用程序)中,除了按照接受的答案中的指定设置Origin标头外,我还必须设置Host标头以匹配Origin标头的ip:port,或者完全取消它。

这是我的工作vhost-config:

server {
        listen 443 ssl;
        listen [::]:443 ssl;
        ssl_certificate /etc/ssl/certs/<your-cert-file>.pem;
        ssl_certificate_key /etc/ssl/private/<your-key-file>.key;
        server_name <your-server-fqdn>;
        access_log /var/log/nginx/<your-server-fqdn>.access.log;
        error_log /var/log/nginx/<your-server-fqdn>.error.log error;
        root /srv/www/<your-server-fqdn>;
        index index.html index.html;
        location / {
                try_files $uri $uri/ /index.html;
        }
        location /api {
                proxy_pass http://127.0.0.1:8080/v1;
        }
        location /async-api {
                proxy_pass http://127.0.0.1:8080/stomp;
                proxy_http_version 1.1;
                # either set Host header as follows or get rid of the directive altogether  
                #proxy_set_header Host "127.0.0.1:8080";
                proxy_set_header Upgrade $http_upgrade;
                proxy_set_header Connection "Upgrade";
                # Set origin to the real instance, otherwise a of Spring security check will fail
                # Same value as defined in proxy_pass
                proxy_set_header Origin "http://127.0.0.1:8080";
                proxy_set_header X-Forwarded-Host $host:$server_port;
                proxy_set_header X-Forwarded-Server $host;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }
        location /admin-api {
                proxy_pass http://127.0.0.1:8080/api;
        }
}

相关内容

  • 没有找到相关文章

最新更新


热门标签:

javascript python java c# php android html jquery c++ css ios sql mysql arrays asp.net json python-3.x ruby-on-rails .net sql-server django objective-c excel regex ruby linux ajax iphone xml vba spring asp.net-mvc database wordpress string postgresql wpf windows xcode bash git oracle list vb.net multithreading eclipse algorithm macos powershell visual-studio image forms numpy scala function api selenium