nginx-shib / nginx-http-shibboleth

Shibboleth auth request module for nginx
https://github.com/nginx-shib/nginx-http-shibboleth/wiki

shib_request to another host on same Nginx instance #47

Closed DaAwesomeP closed 2 years ago

DaAwesomeP commented 2 years ago

Describe the bug

Cannot use shib_request with a full URL with hostname.

Expected behaviour

Trying to use one Shibboleth endpoint for multiple vhosts on one Nginx instance/host. So vhost1.mydomain.org and vhost2.mydomain.org would attempt to authorize with https://machine-hostname.mydomain.org/shibauthorizer

Steps to Reproduce Issue

  1. Add shib_request https://machine-hostname.mydomain.org/shibauthorizer; to a location block for a server/vhost that is not machine-hostname.mydomain.org.
  2. Passes 200 without attempting authentication on the location block.

Setup & Logs

Nothing is logged (as expected with FastCGI).

Versions and Systems

nginx version: nginx/1.20.2
shibboleth 3.2.2
nginx-http-shibboleth v2.0.1

Additional context

Please let me know if this is just a bad idea and if each vhost should have its own Shibboleth endpoints.

DaAwesomeP commented 2 years ago

Hmmm I may be having some other unrelated issue; I will troubleshoot more and try to find out!

DaAwesomeP commented 2 years ago

OK, I have confirmed that this is my issue.

davidjb commented 2 years ago

The shib_request directive uses subrequests and needs to refer to a URI inside the current server block (e.g. an Nginx location block rather than a full URL). If you want to proxy the subrequest, create a location block and use proxy_pass (like https://nginx.org/en/docs/http/ngx_http_auth_request_module.html).

However, it sounds like what you might be looking for is to configure your Shibboleth SP to work with multiple hostnames. If so, this is a matter of configuring the <RequestMapper> and other config accordingly -- see https://github.com/nginx-shib/nginx-http-shibboleth/blob/master/CONFIG.rst#configuring-shibboleth-s-shibboleth2-xml-to-recognise-secured-paths= and the main Shibboleth docs on configuration.
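An added configuration example (not from the project, the issue author or the maintainer) of what the comment above describes: `shib_request` pointing at a local `internal` location, with that location proxying the subrequest to the shared authorizer on the other host. The hostnames are the ones from the issue; the `/secure/` path and the `X-Original-URI` / `X-Forwarded-Host` headers are assumptions, and the remote server block must be set up to accept the subrequest and route it to its Shibboleth authorizer.

```nginx
# Added example, not the project's own configuration.
# vhost1.mydomain.org delegates authorization to the Shibboleth authorizer
# served on machine-hostname.mydomain.org (hostnames taken from the issue).

server {
    listen 443 ssl;
    server_name vhost1.mydomain.org;

    # ... ssl_certificate / ssl_certificate_key and other vhost settings ...

    # Local target for the shib_request subrequest. "internal" means clients
    # cannot request it directly; only nginx subrequests can reach it.
    location = /shibauthorizer {
        internal;

        # The subrequest itself is proxied to the shared authorizer host.
        proxy_pass https://machine-hostname.mydomain.org/shibauthorizer;

        # Standard auth-subrequest settings from the nginx auth_request docs:
        # do not forward the client body, and clear Content-Length accordingly.
        proxy_pass_request_body off;
        proxy_set_header Content-Length "";

        # Assumption: the remote side is configured to read these headers so
        # the SP's <RequestMapper> can tell which vhost and URI it is
        # authorizing for. Adjust to match your SP / remote nginx setup.
        proxy_set_header X-Original-URI $request_uri;
        proxy_set_header X-Forwarded-Host $host;
    }

    # Protected content: shib_request must name a URI inside this server
    # block (a location), not a full URL such as https://host/shibauthorizer.
    location /secure/ {
        shib_request /shibauthorizer;

        # ... root / proxy_pass for the protected application ...
    }
}
```

The failure mode reported in the issue (the location "passes 200 without attempting authentication") is the fail-open case to watch for, so after reloading nginx, check an unauthenticated request against the protected path (for example `curl -I https://vhost1.mydomain.org/secure/`) and confirm you get a redirect to the SP login flow or a 401/403 rather than a 200 with content.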