nginx-shib / nginx-http-shibboleth

Shibboleth auth request module for nginx
https://github.com/nginx-shib/nginx-http-shibboleth/wiki

Occasionally authorization is not granted #5

Closed rabb1t closed 9 years ago

rabb1t commented 9 years ago

Hello, David!

First of all, thank you for the work you've done on this module and for all the great articles you've written! I've found a very strange problem and hope you can point me in the right direction.

Sometimes when I'm trying to log in via Shibboleth the variable 'REMOTE_USER' is set correctly, but sometimes it's not. Nginx's log files indicate that the Shibboleth daemon provides the proper variable 'Variable-REMOTE_USER' and the Shibboleth module copies it correctly on every single request: shib request authorizer copied header: "REMOTE_USER: john.doe@local.lan"

But periodically it seems that somehow this header isn't transmitted properly further into Nginx. Any help on this problem will be appreciated!

Here is a cut of the nginx error.log file:

: *3 try files phase: 14
: *3 http init upstream, client timer: 0
: *3 http script copy: "SCRIPT_FILENAME"
: *3 http script var: "/etc/nginx/html"
: *3 http script var: "/shib-login/"
: *3 fastcgi param: "SCRIPT_FILENAME: /etc/nginx/html/shib-login/"
: *3 http script copy: "PATH_INFO"
: *3 http script var: "/shib-login/"
: *3 fastcgi param: "PATH_INFO: /shib-login/"
: *3 http script copy: "HTTPS"
: *3 http script copy: "on"
: *3 fastcgi param: "HTTPS: on"
: *3 http script copy: "HTTP_SCHEME"
: *3 http script copy: "https"
: *3 fastcgi param: "HTTP_SCHEME: https"
: *3 http script copy: "SERVER_PROTOCOL"
: *3 http script var: "HTTP/1.1"
: *3 fastcgi param: "SERVER_PROTOCOL: HTTP/1.1"
: *3 http script copy: "QUERY_STRING"
: *3 http script var: "next=/home/my/"
: *3 fastcgi param: "QUERY_STRING: next=/home/my/"
: *3 http script copy: "REQUEST_METHOD"
: *3 http script var: "GET"
: *3 fastcgi param: "REQUEST_METHOD: GET"
: *3 http script copy: "CONTENT_TYPE"
: *3 fastcgi param: "CONTENT_TYPE: "
: *3 http script copy: "CONTENT_LENGTH"
: *3 fastcgi param: "CONTENT_LENGTH: "
: *3 http script copy: "SERVER_ADDR"
: *3 http script var: "192.168.231.224"
: *3 fastcgi param: "SERVER_ADDR: 192.168.231.224"
: *3 http script copy: "SERVER_PORT"
: *3 http script var: "443"
: *3 fastcgi param: "SERVER_PORT: 443"
: *3 http script copy: "SERVER_NAME"
: *3 http script var: "seafile.local.lan"
: *3 fastcgi param: "SERVER_NAME: seafile.local.lan"
: *3 http script copy: "REMOTE_ADDR"
: *3 http script var: "192.168.230.1"
: *3 fastcgi param: "REMOTE_ADDR: 192.168.230.1"
: *3 http script copy: "CLIENT_CERTIFICATE"
: *3 fastcgi param: "CLIENT_CERTIFICATE: "
: *3 http script copy: "REMOTE_USER"                    <=====8=== NOT EMPTY!
: *3 http script var: "john.doe@local.lan"              <=====8=== NOT EMPTY!
: *3 fastcgi param: "REMOTE_USER: john.doe@local.lan"
: *3 fastcgi param: "HTTP_HOST: seafile.local.lan"
: *3 fastcgi param: "HTTP_CONNECTION: keep-alive"
: *3 fastcgi param: "HTTP_ACCEPT: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8"
: *3 fastcgi param: "HTTP_USER_AGENT: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.81 Safari/537.36"
: *3 fastcgi param: "HTTP_DNT: 1"
: *3 fastcgi param: "HTTP_REFERER: https://seafile.local.lan/accounts/login/?next=/home/my/"
: *3 fastcgi param: "HTTP_ACCEPT_ENCODING: gzip, deflate, sdch"
: *3 fastcgi param: "HTTP_ACCEPT_LANGUAGE: en-US,en;q=0.8,ru;q=0.6"
: *3 fastcgi param: "HTTP_COOKIE: _shibsession_64656661756c7468747470733a2f2f626f782e6b6173706572736b792e636f6d2f736869622d6c6f67696e2f=_4c17973813a257c94b21c7289995784a; seahub_auth="john.doe@local.lan@74ff75de607924e25c2cc781536ead324f1a4686"; csrftoken=56tYHbERpghhXplnJAwUVr9DMd5wKzL3; sessionid=mivnupl0aj5kj470jiv8vww8j1ivx81s"
: *3 fastcgi param: "HTTP_AUTH_TYPE: shibboleth"
: *3 fastcgi param: "HTTP_REMOTE_USER: john.doe@local.lan"
: *3 fastcgi param: "HTTP_SHIB_APPLICATION_ID: default"
: *3 fastcgi param: "HTTP_SHIB_AUTHENTICATION_INSTANT: 2015-06-10T08:01:42.467Z"
: *3 fastcgi param: "HTTP_SHIB_AUTHENTICATION_METHOD: urn:federation:authentication:windows"
: *3 fastcgi param: "HTTP_SHIB_AUTHNCONTEXT_CLASS: urn:federation:authentication:windows"
: *3 fastcgi param: "HTTP_SHIB_IDENTITY_PROVIDER: https://sts.local.lan/adfs/services/trust"
: *3 fastcgi param: "HTTP_SHIB_SESSION_ID: _4c17973813a257c94b21c7289995784a"
: *3 fastcgi param: "HTTP_EPPN: john.doe@local.lan"
: *3 http cleanup add: 0000000001467A30
: *3 get rr peer, try: 1
: *3 socket 16
: *3 epoll add connection: fd:16 ev:80002005
: *3 connect to 127.0.0.1:8000, fd:16 #3
: *3 http upstream connect: -2
: *3 posix_memalign: 00000000013B1E50:128 @16
: *3 event timer add: 16: 60000:1433934768775
: *3 http finalize request: -4, "/shib-login/?next=/home/my/" a:1, c:2
: *3 http request count:2 blk:0
: *3 shib request handler
: *3 shib request set variables
: *3 shib request authorizer handler
: *3 shib request authorizer allows access
: *3 shib request authorizer copied header: "AUTH_TYPE: shibboleth"
: *3 shib request authorizer copied header: "REMOTE_USER: john.doe@local.lan"
: *3 shib request authorizer copied header: "Shib-Application-ID: default"
: *3 shib request authorizer copied header: "Shib-Authentication-Instant: 2015-06-10T08:01:42.467Z"
: *3 shib request authorizer copied header: "Shib-Authentication-Method: urn:federation:authentication:windows"
: *3 shib request authorizer copied header: "Shib-AuthnContext-Class: urn:federation:authentication:windows"
: *3 shib request authorizer copied header: "Shib-Identity-Provider: https://sts.local.lan/adfs/services/trust"
: *3 shib request authorizer copied header: "Shib-Session-ID: _4c17973813a257c94b21c7289995784a"
: *3 shib request authorizer copied header: "eppn: john.doe@local.lan"
: *3 fastcgi param: "PATH_INFO: /shib-login/"
: *3 http script copy: "HTTPS"
: *3 http script copy: "on"
: *3 fastcgi param: "HTTPS: on"
: *3 http script copy: "HTTP_SCHEME"
: *3 http script copy: "https"
: *3 fastcgi param: "HTTP_SCHEME: https"
: *3 http script copy: "SERVER_PROTOCOL"
: *3 http script var: "HTTP/1.1"
: *3 fastcgi param: "SERVER_PROTOCOL: HTTP/1.1"
: *3 http script copy: "QUERY_STRING"
: *3 http script var: "next=/home/my/"
: *3 fastcgi param: "QUERY_STRING: next=/home/my/"
: *3 http script copy: "REQUEST_METHOD"
: *3 http script var: "GET"
: *3 fastcgi param: "REQUEST_METHOD: GET"
: *3 http script copy: "CONTENT_TYPE"
: *3 fastcgi param: "CONTENT_TYPE: "
: *3 http script copy: "CONTENT_LENGTH"
: *3 fastcgi param: "CONTENT_LENGTH: "
: *3 http script copy: "SERVER_ADDR"
: *3 http script var: "192.168.231.224"
: *3 fastcgi param: "SERVER_ADDR: 192.168.231.224"
: *3 http script copy: "SERVER_PORT"
: *3 http script var: "443"
: *3 fastcgi param: "SERVER_PORT: 443"
: *3 http script copy: "SERVER_NAME"
: *3 http script var: "seafile.local.lan"
: *3 fastcgi param: "SERVER_NAME: seafile.local.lan"
: *3 http script copy: "REMOTE_ADDR"
: *3 http script var: "192.168.230.1"
: *3 fastcgi param: "REMOTE_ADDR: 192.168.230.1"
: *3 http script copy: "CLIENT_CERTIFICATE"
: *3 fastcgi param: "CLIENT_CERTIFICATE: "
: *3 http script copy: ""                               <=====8=== IS EMPTY!
: *3 fastcgi param: "HTTP_HOST: seafile.local.lan"
: *3 fastcgi param: "HTTP_CONNECTION: keep-alive"
: *3 fastcgi param: "HTTP_ACCEPT: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8"
: *3 fastcgi param: "HTTP_USER_AGENT: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.81 Safari/537.36"
: *3 fastcgi param: "HTTP_DNT: 1"
: *3 fastcgi param: "HTTP_REFERER: https://seafile.local.lan/accounts/login/?next=/home/my/"
: *3 fastcgi param: "HTTP_ACCEPT_ENCODING: gzip, deflate, sdch"
: *3 fastcgi param: "HTTP_ACCEPT_LANGUAGE: en-US,en;q=0.8,ru;q=0.6"
: *3 fastcgi param: "HTTP_COOKIE: _shibsession_64656661756c7468747470733a2f2f626f782e6b6173706572736b792e636f6d2f736869622d6c6f67696e2f=_4c17973813a257c94b21c7289995784a; seahub_auth="john.doe@local.lan@74ff75de607924e25c2cc781536ead324f1a4686"; csrftoken=56tYHbERpghhXplnJAwUVr9DMd5wKzL3; sessionid=g6i8v2hd4qy0ftzfsguosdm5wk6kw2n8"
: *3 fastcgi param: "HTTP_AUTH_TYPE: shibboleth"
: *3 fastcgi param: "HTTP_REMOTE_USER: john.doe@local.lan"
: *3 fastcgi param: "HTTP_SHIB_APPLICATION_ID: default"
: *3 fastcgi param: "HTTP_SHIB_AUTHENTICATION_INSTANT: 2015-06-10T08:01:42.467Z"
: *3 fastcgi param: "HTTP_SHIB_AUTHENTICATION_METHOD: urn:federation:authentication:windows"
: *3 fastcgi param: "HTTP_SHIB_AUTHNCONTEXT_CLASS: urn:federation:authentication:windows"
: *3 fastcgi param: "HTTP_SHIB_IDENTITY_PROVIDER: https://sts.local.lan/adfs/services/trust"
: *3 fastcgi param: "HTTP_SHIB_SESSION_ID: _4c17973813a257c94b21c7289995784a"
: *3 fastcgi param: "HTTP_EPPN: john.doe@local.lan"
: *3 http cleanup add: 0000000001EDFA00
: *3 get rr peer, try: 1
: *3 socket 20
: *3 epoll add connection: fd:20 ev:80002005
: *3 connect to 127.0.0.1:8000, fd:20 #9
: *3 http upstream connect: -2
: *3 posix_memalign: 0000000001EEB480:128 @16
: *3 event timer add: 20: 60000:1433934912565
: *3 http finalize request: -4, "/shib-login/?next=/home/my/" a:1, c:2
: *3 http request count:2 blk:0

Here is a cut of my nginx configuration:

server {
    listen      443 default_server;
    server_name local.lan www.local.lan;

    ssl on;
    ...
    ...
    ...

    location = /shibauthorizer {
        internal;
        include         /etc/nginx/fastcgi_params;
        fastcgi_pass    unix:/opt/shibboleth/shibauthorizer.sock;
    }

    location /Shibboleth.sso {
        include         /etc/nginx/fastcgi_params;
        fastcgi_pass    unix:/opt/shibboleth/shibresponder.sock;
    }

    location = /shib-login/ { # Shibboleth handled location
        more_clear_input_headers 'Variable-*' 'Shib-*' 'Remote-User' 'REMOTE_USER' 'Http-Eppn' 'HTTP_EPPN' 'Http-Remote-User' 'HTTP_REMOTE_USER';
        shib_request /shibauthorizer;

        fastcgi_pass    127.0.0.1:8000;
        fastcgi_param   SCRIPT_FILENAME     $document_root$fastcgi_script_name;
        fastcgi_param   PATH_INFO           $fastcgi_script_name;

        fastcgi_param   HTTPS               on;
        fastcgi_param   HTTP_SCHEME         https;
        fastcgi_param   SERVER_PROTOCOL     $server_protocol;
        fastcgi_param   QUERY_STRING        $query_string;
        fastcgi_param   REQUEST_METHOD      $request_method;
        fastcgi_param   CONTENT_TYPE        $content_type;
        fastcgi_param   CONTENT_LENGTH      $content_length;
        fastcgi_param   SERVER_ADDR         $server_addr;
        fastcgi_param   SERVER_PORT         $server_port;
        fastcgi_param   SERVER_NAME         $server_name;
        fastcgi_param   REMOTE_ADDR         $remote_addr;
        fastcgi_param   CLIENT_CERTIFICATE  $ssl_client_cert;
        fastcgi_param   REMOTE_USER         $http_remote_user if_not_empty;
    }
}

davidjb commented 9 years ago

I use proxy_pass-based backends (listening for headers), so I've not tested a fastcgi_pass backend with params before. At an educated guess, I would try adjusting the line:

                fastcgi_param   REMOTE_USER         $http_remote_user if_not_empty;

to

                fastcgi_param   REMOTE_USER         $upstream_http_variable_remote_user if_not_empty;

as the Shibboleth authorizer should be returning Variable-REMOTE_USER headers & populating this variable.

There may be some sort of race condition whereby the original $http_remote_user variable isn't (always) populated/overwritten when the variables get copied out of the upstream Shibboleth authorizer request. It's been a while since I wrote the code, but I recall seeing something mentioned about how issues like this might arise when manipulating headers inside Nginx, which is what the nginx-shib module is doing.
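
The adjustment suggested above, written out as a complete location block with the weak and the corrected REMOTE_USER setting side by side (an added example, not configuration from this issue or from the project's README). It keeps the header-clearing line from the reporter's config, since that is what stops a client from supplying its own REMOTE_USER, and it assumes the module provides a `shib_request_set` directive (the counterpart of nginx's `auth_request_set`) to capture the authorizer subrequest's response header before the FastCGI params are built.

```nginx
location = /shib-login/ {
    # Strip any client-supplied copies of the identity headers before the
    # authorizer subrequest runs, so only the authorizer can set them.
    more_clear_input_headers 'Variable-*' 'Shib-*' 'Remote-User' 'REMOTE_USER'
                             'Http-Eppn' 'HTTP_EPPN' 'Http-Remote-User' 'HTTP_REMOTE_USER';
    shib_request /shibauthorizer;

    # Weak: $http_remote_user is the *request* header namespace. It only
    # holds a value if the module's header copy into the request happened,
    # which is the step the debug log in this issue shows intermittently
    # producing an empty REMOTE_USER.
    #fastcgi_param REMOTE_USER $http_remote_user if_not_empty;

    # Corrected: read the authorizer's own response header
    # Variable-REMOTE_USER (nginx lowercases it and maps '-' to '_') and
    # pin it in a variable while the subrequest is still the current upstream.
    # shib_request_set is an assumed directive, mirroring auth_request_set.
    shib_request_set $shib_remote_user $upstream_http_variable_remote_user;
    fastcgi_param REMOTE_USER $shib_remote_user if_not_empty;

    # Remaining FastCGI params unchanged from the reporter's configuration.
    include         /etc/nginx/fastcgi_params;
    fastcgi_param   SCRIPT_FILENAME $document_root$fastcgi_script_name;
    fastcgi_param   PATH_INFO       $fastcgi_script_name;
    fastcgi_pass    127.0.0.1:8000;
}
```

If the backend still sees an empty REMOTE_USER after this change, the authorizer response itself (not the copy into the request) should be checked in the debug log for the Variable-REMOTE_USER header.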

steverweber commented 9 years ago

@rabb1t did this solve the issue?

rabb1t commented 9 years ago

Hello. The problem still persists, unfortunately. But it is not related to the nginx-http-shibboleth module at all.

It seems that the problem is in our frontend part. When the user logs out (from the web site, in our case), the frontend doesn't call the Shibboleth module to start the 'Logout' procedure, and the session cache still exists.