
My task is to configure Kerberos authentication on nginx. The backend is Django. The idea is that when a request is made to the API, nginx should perform Kerberos authentication. But in case the user is not in the domain, a redirect to the /auth authorization page must occur, so that the user can authenticate under an account that is registered in Django CMS.

Authentication of domain users is successful. But there is a problem with non-domain users. When you open a site page that makes an api call, a basic authentication window appears. I use the auth_gss_allow_basic_fallback off directive, but this does not help.

How can I disable this and configure redirection to /auth?

My configuration file (I do not specify settings such as gzip, headers, etc.):

```nginx
server {
    listen 80;
    server_name srv-01.example.com;

    proxy_set_header remote-user $remote_user;

    location / {
        root /opt/site/;
        try_files $uri $uri/ /index.html;
    }

    location /adminpanel {
        proxy_pass http://192.168.1.4:4567;
    }

    location /api {
        proxy_pass http://192.168.1.4:4567;
        auth_gss on;
        auth_gss_realm EXAMPLE.COM;
        auth_gss_keytab /etc/krb5.keytab;
        auth_gss_service_name HTTP/srv-01.example.com;
        auth_gss_allow_basic_fallback off;
    }
}
```

Thanks for the help!

1 Answer


I may be wrong, but I think API calls you make via AJAX will not have the authentication credentials attached. The browser will attach them for URL navigation only.

I have a very similar setup and it's working for me:

The default / handler points to the login dialog, but /auto-login is under auth_gss.

Note that nginx returns 401 if the user is not authenticated in the domain, so by redirecting 401 for this endpoint we can make the non-AD users get the login dialog.

The /auto-login handler just creates the django session cookie and redirects to / so the AD users are logged in directly:

```nginx
location /auto-login {
    uwsgi_pass django;
    include /usr/lib/myapp/wsgi/uwsgi_params;
    auth_gss on;
    auth_gss_realm EXAMPLE.COM;
    auth_gss_service_name HTTP/example.com;
    auth_gss_allow_basic_fallback off;
    error_page 401 /;
}
```

If you use a heartbeat endpoint, you can add the same settings to it so that, if the creds are revoked by the admin, the user gets kicked out ASAP.

```nginx
location /heart-beat {
    uwsgi_pass django;
    include /usr/lib/myapp/wsgi/uwsgi_params;
    auth_gss on;
    auth_gss_realm EXAMPLE.COM;
    auth_gss_service_name HTTP/example.com;
    auth_gss_allow_basic_fallback off;
}
```
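The question's server block reworked along the lines of this answer, as an added example that is neither the asker's nor the answerer's config. It assumes the Django backend at 192.168.1.4:4567 exposes an /auto-login view that reads the forwarded remote-user header, creates the session and redirects to /, and that /auth is a route of the single-page app served from /opt/site/index.html.

```nginx
server {
    listen 80;
    server_name srv-01.example.com;

    # Set at server level so every proxy_pass location forwards it. Because it
    # is always set (empty when no auth_gss ran), a remote-user header supplied
    # by the client is overwritten rather than passed through to Django.
    proxy_set_header remote-user $remote_user;

    location / {
        root /opt/site/;
        try_files $uri $uri/ /index.html;
    }

    location /adminpanel {
        proxy_pass http://192.168.1.4:4567;
    }

    # The API is no longer behind auth_gss: it relies on the Django session
    # cookie, so XHR calls from domain and non-domain users carry the same
    # credential and never trigger a browser auth dialog.
    location /api {
        proxy_pass http://192.168.1.4:4567;
    }

    # Kerberos happens only on this navigation endpoint, which the front end
    # sends new visitors to. Domain browsers answer the 401 Negotiate challenge
    # and get a session; everyone else sees the /auth page in the 401 body
    # (the address bar still shows /auto-login, since this is internal).
    location /auto-login {
        proxy_pass http://192.168.1.4:4567;
        auth_gss on;
        auth_gss_realm EXAMPLE.COM;
        auth_gss_keytab /etc/krb5.keytab;
        auth_gss_service_name HTTP/srv-01.example.com;
        auth_gss_allow_basic_fallback off;
        # Internal redirect, as in the answer: the status stays 401 and the
        # WWW-Authenticate: Negotiate header is kept, so the SPNEGO handshake
        # still completes for domain users. A 302 here would break it, because
        # the browser only sends the Negotiate token in reply to a 401.
        error_page 401 /auth;
    }
}
```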
