atomx / nginx-http-auth-digest

Digest Authentication for Nginx

Force to accept add_header #17

Closed RicardoSette closed 5 years ago

RicardoSette commented 5 years ago

Hi @erikdubbelboer ,

How can I keep an existing add_header in the nginx settings?

Example in nginx.conf:

add_header Strict-Transport-Security "max-age = 15768000";

But in the challenge, the plugin removes this header. How could we keep the headers, so that they are added even in the 401 challenge response?

See the full example:

> POST index.php HTTP/1.1
> Host: 127.0.0.1:443
> User-Agent: curl/7.61.1
> Accept: */*
> Content-Type: application/json
> Content-Length: 0
> 
< HTTP/1.1 401 Unauthorized
< Date: Thu, 22 Nov 2018 18:04:12 GMT
< Content-Type: text/html; charset=utf-8
< Content-Length: 190
< Connection: keep-alive
< Keep-Alive: timeout=20
< WWW-Authenticate: Digest algorithm="MD5", qop="auth", realm="Test", nonce="33fdb5e55bf6ef9c"
< 
* Ignoring the response-body
* Connection #0 to host 127.0.0.1 left intact
* Issue another request to this URL: 'https://127.0.0.1:443/index.php'
* Found bundle for host 127.0.0.1: 0x80381d120 [can pipeline]
* Re-using existing connection! (#0) with host 127.0.0.1
* Connected to 127.0.0.1 (127.0.0.1) port 443 (#0)
* Server auth using Digest with user 'desenvolvimento'
> POST index.php HTTP/1.1
> Host: 127.0.0.1:443
> Authorization: Digest username="desenvolvimento", realm="Test", nonce="33fdb5e55bf6ef9c", uri="/index.php", cnonce="M2I2Y2Q4NWE1YTM5OGY0NjM2MGU4OTNkYjYwNzY3NGY=", nc=00000001, qop=auth, response="4fb75007af224d91cc386b7101fb33a3", algorithm="MD5"
> User-Agent: curl/7.61.1
> Accept: */*
> Content-Type: application/json
> Content-Length: 78
> 
* upload completely sent off: 78 out of 78 bytes
< HTTP/1.1 200 OK
< Date: Thu, 22 Nov 2018 18:04:13 GMT
< Content-Type: application/json
< Transfer-Encoding: chunked
< Connection: keep-alive
< Keep-Alive: timeout=20
< Authentication-Info: qop="auth", rspauth="50a5a74a1a84e8029e5b76aca72d20b0", cnonce="M2I2Y2Q4NWE1YTM5OGY0NjM2MGU4OTNkYjYwNzY3NGY=", nc=00000001
< Strict-Transport-Security: max-age=15768000
<

See that the 401 response does not have the Strict-Transport-Security header:

< HTTP/1.1 401 Unauthorized
< Date: Thu, 22 Nov 2018 18:04:12 GMT
< Content-Type: text/html; charset=utf-8
< Content-Length: 190
< Connection: keep-alive
< Keep-Alive: timeout=20
< WWW-Authenticate: Digest algorithm="MD5", qop="auth", realm="Test", nonce="33fdb5e55bf6ef9c"
< 
erikdubbelboer commented 5 years ago

You have to tell nginx to always send the header no matter the response code using the always keyword:

add_header Strict-Transport-Security "max-age = 15768000" always;

See the documentation: http://nginx.org/en/docs/http/ngx_http_headers_module.html#add_header
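A check for the situation in this thread, added here as an example and not part of the issue or of the module's code: it reads a raw HTTP response (assumed to be captured with `curl -sS -o /dev/null -D - URL`, so the status line comes first), reports whether a required header is present, and distinguishes a header absent on a status code that plain `add_header` skips (the 401 challenge, fixed with `always`) from one absent where `add_header` would have applied. The samples are constructed from the captures above.

```shell
#!/bin/sh
# Added example, not code from the issue or the module. nginx's add_header
# without `always` only applies to 200, 201, 204, 206, 301, 302, 303, 304,
# 307 and 308, so the digest module's 401 challenge loses the header unless
# the directive carries `always`. This script makes that gap visible.

# status_of FILE: print the three-digit code from the status line.
status_of() {
  sed -n '1s/^HTTP\/[0-9.]* \([0-9]\{3\}\).*/\1/p' "$1"
}

# has_header FILE NAME: succeed if header NAME is present (case-insensitive).
has_header() {
  grep -qi "^$2:" "$1"
}

# plain_add_header_applies STATUS: succeed if add_header without `always`
# would have added the header for this status code.
plain_add_header_applies() {
  case "$1" in
    200|201|204|206|301|302|303|304|307|308) return 0 ;;
    *) return 1 ;;
  esac
}

# check_header FILE NAME: print "ok", "missing" or "missing-needs-always".
check_header() {
  if has_header "$1" "$2"; then
    echo ok
  elif plain_add_header_applies "$(status_of "$1")"; then
    echo missing                # absent even where add_header applies
  else
    echo missing-needs-always   # absent on a status add_header skips
  fi
}

# Constructed samples modelled on the issue's capture: the 401 challenge
# without HSTS and the 200 response that carries it.
CHALLENGE=$(mktemp); OK_RESPONSE=$(mktemp)
trap 'rm -f "$CHALLENGE" "$OK_RESPONSE"' EXIT
printf 'HTTP/1.1 401 Unauthorized\r\nContent-Type: text/html; charset=utf-8\r\nWWW-Authenticate: Digest algorithm="MD5", qop="auth", realm="Test", nonce="33fdb5e55bf6ef9c"\r\n\r\n' >"$CHALLENGE"
printf 'HTTP/1.1 200 OK\r\nContent-Type: application/json\r\nStrict-Transport-Security: max-age=15768000\r\n\r\n' >"$OK_RESPONSE"

echo "401 challenge: $(check_header "$CHALLENGE" Strict-Transport-Security)"
echo "200 response:  $(check_header "$OK_RESPONSE" Strict-Transport-Security)"
```

Run it against a real capture of the challenge before and after adding `always` to confirm the header now appears on the 401 as well.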