nginx-shib / nginx-http-shibboleth

Shibboleth auth request module for nginx
https://github.com/nginx-shib/nginx-http-shibboleth/wiki

Random CORS errors when changing `SERVER_PORT` fastcgi-param #40

Closed danielc103 closed 4 years ago

danielc103 commented 4 years ago

Describe the bug

Changing fastcgi_param SERVER_PORT to 'trick' shibauthorizer is causing random CORS errors on proxy_pass. It's not throwing an error on any specific resource loading; it's almost like it's timing out of the session. There are no errors/warns in logs. If you need anything specific from the logs please let me know.

Expected behavior

No CORS and normal display of page

Setup & Logs

server {

    listen 8443 ssl;

    ssl_certificate /etc/ssl/tls.crt;
    ssl_certificate_key /etc/ssl/tls.key;

    # server_name is important because it is used by shibboleth for generating SAML URLs
    # Using the catch-all '_' will NOT work.
    server_name test-site.com;

    # FastCGI authorizer for Auth Request module
    location = /shibauthorizer {
        fastcgi_param  SERVER_PORT 443;
        internal;
        include fastcgi_params;
        fastcgi_pass unix:/tmp/shibauthorizer.sock;
    }

    # FastCGI responder
    location /Shibboleth.sso {
        fastcgi_param  SERVER_PORT 443;
        include fastcgi_params;
        fastcgi_pass unix:/tmp/shibresponder.sock;
    }

    # Resources for the Shibboleth error pages. This can be customised.
    location /shibboleth-sp {
        alias /etc/shibboleth/;
    }

    location  / {
        # Add your attributes here. They get introduced as headers
        # by the FastCGI authorizer so we must prevent spoofing.
        shib_request /shibauthorizer;

        ## PROXY SETUP ##
        shib_request_use_headers on;
        proxy_pass https://draw.io;
    }
}
   <!-- To customize behavior, map hostnames and path components to applicationId and other settings. -->
    <RequestMapper type="XML">
        <RequestMap applicationId="default"
                     authType="shibboleth">
            <Host scheme="https" name="test-site.com" port="443"
                  requireSession="true">
            </Host>
        </RequestMap>
    </RequestMapper>

    <!-- The ApplicationDefaults element is where most of Shibboleth's SAML bits are defined. -->
    <ApplicationDefaults entityID="https://test-site.com/shibboleth"
                         REMOTE_USER="eppn"
                         id="default"
                         policyId="default"
                         signing="true"
                         encryption="true">

        <Sessions lifetime="28800" timeout="3600" checkAddress="false"
                handlerURL="/Shibboleth.sso" handlerSSL="true"
                redirectLimit="host+whitelist" redirectWhitelist="https://shib.edu/"
                exportLocation="http://localhost/Shibboleth.sso/GetAssertion" exportACL="127.0.0.1"
                idpHistory="false" idpHistoryDays="7" cookieProps="https">

Versions and Systems

Shibboleth 3.0.4
nginx version: nginx/1.16.0

Additional context

I've tested locally using port 8443 and not changing the SERVER_PORT param and it works fine. No CORS error.

davidjb commented 4 years ago

Check your include file referenced by include fastcgi_params; -- by default it has a SERVER_PORT param which if present would be overriding your customisation. Alternatively, move your fastcgi_param after your include line.

In any case, since this relates to the operation of shibauthorizer and shibresponder, it's related to components of the main Shibboleth project (https://www.shibboleth.net/community/lists/ or https://issues.shibboleth.net/) rather than this module, so I'm closing the issue accordingly.

Unrelated, but be careful of header injection/spoofing when using shib_request_use_headers on; (e.g. in case your config wasn't edited to omit directives for clearing request headers). See details at https://github.com/nginx-shib/nginx-http-shibboleth#directives
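The two changes davidjb suggests, written out as an added example that is not part of this thread or of the module's own documentation. It keeps the hostnames and socket paths from the report and assumes the headers-more module is compiled into nginx (it provides `more_clear_input_headers`); whether a FastCGI application reads the first or the last of two identically named params is up to that application, so confirm the port shibauthorizer sees after the change.

```nginx
# Authorizer: read the stock params first, then set SERVER_PORT, so the
# include can no longer come after the override. A copy of fastcgi_params
# with its SERVER_PORT line removed avoids sending a duplicate at all.
location = /shibauthorizer {
    internal;
    include fastcgi_params;
    fastcgi_param  SERVER_PORT 443;
    fastcgi_pass unix:/tmp/shibauthorizer.sock;
}

# Responder: same ordering.
location /Shibboleth.sso {
    include fastcgi_params;
    fastcgi_param  SERVER_PORT 443;
    fastcgi_pass unix:/tmp/shibresponder.sock;
}

location / {
    shib_request /shibauthorizer;
    shib_request_use_headers on;

    # The authorizer injects attributes as request headers. Any header of
    # the same name that arrived from the client must be dropped first,
    # otherwise the upstream cannot tell a forged Remote-User or Shib-*
    # header from one the authorizer set. (headers-more directive.)
    more_clear_input_headers 'Variable-*' 'Shib-*' 'Remote-User' 'REMOTE_USER' 'Auth-Type' 'AUTH_TYPE';

    proxy_pass https://draw.io;
}
```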