nginx-shib / nginx-http-shibboleth

Shibboleth auth request module for nginx
https://github.com/nginx-shib/nginx-http-shibboleth/wiki

Not getting shibboleth redirect #56

Closed max1c closed 6 months ago

max1c commented 6 months ago

I have successfully set up this module. It's working with latest and stable nginx. However, I'm not getting redirected correctly. When I visit the page it goes directly to the site instead of re-directing to shibboleth login. The /Shibboleth.sso/Login and other pages work as intended and after login re-directs back to the site. I suspect this is an issue with nginx sites-available configuration. Any help with this would be greatly appreciated.

Config for my Django app:

server {
    listen              80;
    listen              443 ssl;
    server_name         my.site.com;
    ssl_certificate     /etc/ssl/certs/fullchain.crt;
    ssl_certificate_key /etc/ssl/private/cert.key;

    location = /shibauthorizer {
      internal;
      include fastcgi_params;
      fastcgi_pass unix:/var/run/shibboleth/shibauthorizer.sock;
    }

    location /Shibboleth.sso {
      include fastcgi_params;
      fastcgi_pass unix:/var/run/shibboleth/shibresponder.sock;
    }

    location / {
      shib_request /shibauthorizer;
      shib_request_use_headers on;
      shib_request_set $shib_remote_user $upstream_http_variable_uid;
      proxy_pass http://127.0.0.1:8000/;
    }
}

davidjb commented 6 months ago

If you’re not seeing a redirect on visiting / or some path underneath it, then you need to look at your shibboleth2.xml configuration. That’s the most likely culprit with what you’re describing. Go through the documentation at https://github.com/nginx-shib/nginx-http-shibboleth/blob/master/CONFIG.rst and particularly ensure that your shibboleth2.xml RequestMapper is set up to requireSession="true" on the correct host & path(s).

Also, your configuration in Nginx is invalid and mixing paradigms - using headers insecurely (making your backend app vulnerable to header injection) and setting Nginx variables internally that aren’t used. You’ll want to pick one or the other, see https://github.com/nginx-shib/nginx-http-shibboleth#configuration and if using headers, especially pay attention to clearing the client headers so your backend can’t be hacked. If feasible, switch to a non-header based approach - with FastCGI, for instance.

There’s further debugging info down the bottom of the main README at https://github.com/nginx-shib/nginx-http-shibboleth#debugging which may help you in determining the issue.

I’m going to close this as it appears to be a configuration issue rather than a bug but if you do determine there’s a bug in the module, please create another issue. Others can still comment to assist you further though.
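
The "pick one or the other" advice above, applied to the `location /` block from the question, as an added example that is not part of the original thread or the project's own code. It assumes the headers-more module is loaded (for `more_clear_input_headers`), that the module's `shib_clear_headers` include file is on nginx's include path, and that `uid` is the only extra attribute the authorizer returns; the FastCGI socket path is a placeholder.

```nginx
# Added example (not from the thread). Two alternatives for the protected
# location; use exactly one of them in the server block.

# Option A: attributes passed to the proxied backend as request headers.
location / {
    shib_request /shibauthorizer;
    shib_request_use_headers on;

    # Remove client-supplied copies of every header the authorizer may set,
    # so the backend only sees values that came from Shibboleth.
    include shib_clear_headers;        # include file shipped with the module
    more_clear_input_headers 'uid';    # assumption: the only extra attribute in use

    proxy_pass http://127.0.0.1:8000/;
}

# Option B: no headers; the attribute travels as a FastCGI parameter.
# location / {
#     shib_request /shibauthorizer;
#     shib_request_set $shib_remote_user $upstream_http_variable_uid;
#     include fastcgi_params;
#     fastcgi_param REMOTE_USER $shib_remote_user;
#     fastcgi_pass unix:/path/to/backend.sock;   # hypothetical backend socket
# }
```

Neither variant affects the missing redirect itself, which davidjb attributes to the RequestMapper settings in shibboleth2.xml.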