cannot access rabbitmq management interface if use nginx basic auth.

NP
Jun 5, 2017, 7:04:41 PM
to rabbitmq-users
Hello,

I am trying to configure the rabbitmq management interface to be accessed using basic auth from an NGINX vhost. If basic auth is turned off, I have no problem accessing the management interface via web.

But when configuring nginx to use basic auth, I am asked for a user name and password; after providing those, a new dialog box asks again for this information in a loop.

This is nginx vhost:

  location / {
    proxy_pass              http://rabbitmq;
    proxy_set_header        Host $host;
    proxy_set_header        X-Real-IP $remote_addr;
    proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_connect_timeout   150;
    proxy_send_timeout      100;
    proxy_read_timeout      100;
    proxy_buffers           4 32k;
    client_max_body_size    8m;
    client_body_buffer_size 128k;
    proxy_set_header   Authorization "";
    auth_basic "Restricted";
    auth_basic_user_file /etc/nginx/htpasswd;
  }

I have tried with and without the proxy_set_header   Authorization ""; line,
and also placed the auth_basic config in the server section.

This is what I see in access_log:


X.X.X.X - admin [05/Jun/2017:16:36:45 -0500] "GET /api/whoami HTTP/1.1" 401 590 "http://X.Y.Z/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.81 Safari/537.36"
201.131.116.249 - admin [05/Jun/2017:16:39:42 -0500] "GET /api/whoami HTTP/1.1" 401 590 "http://rabbit.mediotiempo.com/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.81 Safari/537.36"
X.X.X.X - - [05/Jun/2017:16:39:44 -0500] "GET /img/rabbitmqlogo.png HTTP/1.1" 401 590 "http://X.Y.Z/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.81 Safari/537.36"
X.X.X.X - admin [05/Jun/2017:16:39:52 -0500] "GET /api/whoami HTTP/1.1" 401 590 "http://X.Y.Z/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.81 Safari/537.36"


This is error_log:

2017/06/05 16:39:52 [error] 17997#0: *35934 user "admin" was not found in "/etc/nginx/htpasswd", client: X.X.X.X, server: X.Y.Z, request: "GET /api/whoami HTTP/1.1", host: "X.Y.Z", referrer: "http://X.Y.Z/"


I am using basic auth with a user different than admin.


rabbitmq version 3.5.7


Has anyone configured rabbitmq with nginx basic auth??


Thank you.







Michael Klishin
Jun 5, 2017, 7:17:48 PM
to rabbitm...@googlegroups.com
Your location sets the Authorization header to a blank string.
That is telling RabbitMQ "the credentials provided for this request is a blank string".

When you leave the proxy_set_header out entirely, I suspect the header is not included
in the upstream request at all, so it has to be propagated.

proxy_set_header can access client's request headers via a variable:

so,

proxy_set_header   Authorization $http_authorization;

should propagate the header. It's fairly easy to verify using tcpdump
to capture traffic between Nginx and RabbitMQ and then inspect it in Wireshark:

It's usually a good idea to make sure requests that involve basic HTTP auth
or other sensitive headers aren't cached:





--
MK

Staff Software Engineer, Pivotal/RabbitMQ

NP
Jun 6, 2017, 1:00:49 PM
to rabbitmq-users
Thanks for your answer Michael,

I have set proxy_set_header   Authorization $http_authorization; in the nginx configuration.

I am getting the same behaviour, but now I see this in the nginx access_log:

X.X.X.X - user-rabbitmq [06/Jun/2017:11:17:46 -0500] "GET /js/json2.js HTTP/1.1" 304 0 "http://X.Y.Z/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.81 Safari/537.36"
X.X.X.X - user-rabbitmq [06/Jun/2017:11:17:46 -0500] "GET /js/base64.js HTTP/1.1" 304 0 "http://X.Y.Z/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.81 Safari/537.36"
X.X.X.X - user-rabbitmq [06/Jun/2017:11:17:46 -0500] "GET /js/global.js HTTP/1.1" 304 0 "http://X.Y.Z/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.81 Safari/537.36"
X.X.X.X - user-rabbitmq [06/Jun/2017:11:17:46 -0500] "GET /js/main.js HTTP/1.1" 304 0 "http://X.Y.Z/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.81 Safari/537.36"
X.X.X.X - user-rabbitmq [06/Jun/2017:11:17:46 -0500] "GET /js/prefs.js HTTP/1.1" 304 0 "http://X.Y.Z/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.81 Safari/537.36"
X.X.X.X - user-rabbitmq [06/Jun/2017:11:17:46 -0500] "GET /js/help.js HTTP/1.1" 304 0 "http://X.Y.Z/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.81 Safari/537.36"
X.X.X.X - user-rabbitmq [06/Jun/2017:11:17:46 -0500] "GET /js/formatters.js HTTP/1.1" 304 0 "http://X.Y.Z/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.81 Safari/537.36"


304 not modified.... 

I just want to set nginx basic auth, and then have the rabbitmq management interface do its own auth.

I also set proxy_no_cache  $http_authorization;

nginx basic auth should be entered every time a user asks for http://X.Y.Z


Thank you!



Michael Klishin
Jun 6, 2017, 1:15:11 PM
to rabbitm...@googlegroups.com
This is getting into the Nginx territory and asset caching.

Perhaps the easiest option is to set aside a location for RabbitMQ HTTP API/management UI
and proxy it without basic HTTP auth enabled in Nginx (for that location only).

This way Nginx will use basic HTTP auth for everything but a dedicated path for RabbitMQ.

All HTTP API resources and assets are at /api/*.
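
One way to lay out the split suggested in the reply above, as an added example that is not part of the original thread. It assumes the upstream name `rabbitmq` and the htpasswd path from the original vhost, that the UI's static files need no RabbitMQ credentials, and a placeholder address range for the optional source filter.

```nginx
# Added example, not from the thread. Place inside the existing server { } block.

# UI pages and static files: nginx asks for its own credentials here.
location / {
    auth_basic            "Restricted";
    auth_basic_user_file  /etc/nginx/htpasswd;

    proxy_pass            http://rabbitmq;
    proxy_set_header      Host $host;
    proxy_set_header      X-Real-IP $remote_addr;
    proxy_set_header      X-Forwarded-For $proxy_add_x_forwarded_for;

    # On this location the header carries the nginx user, which RabbitMQ
    # does not know, so it is not handed upstream.
    # Assumption: RabbitMQ serves the UI's static files without credentials.
    proxy_set_header      Authorization "";
}

# HTTP API: requests to /api/ arrive with the RabbitMQ user in the
# Authorization header (the error_log entry for user "admin" on
# /api/whoami suggests this), so nginx must not check it against htpasswd.
location /api/ {
    auth_basic            off;

    proxy_pass            http://rabbitmq;
    proxy_set_header      Host $host;
    proxy_set_header      X-Real-IP $remote_addr;
    proxy_set_header      X-Forwarded-For $proxy_add_x_forwarded_for;

    # Hand the client's credentials to RabbitMQ unchanged.
    proxy_set_header      Authorization $http_authorization;

    # Responses to authenticated requests are never stored or served from cache.
    proxy_no_cache        $http_authorization;
    proxy_cache_bypass    $http_authorization;

    # A second layer that does not compete for the Authorization header:
    # restrict the API by source address.
    # 192.0.2.0/24 is a placeholder range (assumption); use your own.
    allow                 192.0.2.0/24;
    deny                  all;
}
```

With this layout the nginx prompt covers only the UI pages, while /api/ relies on RabbitMQ's own authentication plus the address filter.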



NP
Jun 6, 2017, 1:44:05 PM
to rabbitmq-users
Hello Michael,

Thanks for your reply. 

I wanted to add an extra layer of protection to rabbitmq management interface by adding a basic auth on top of rabbitmq auth. It is just a vhost to access rabbitmq.

I will check nginx cache if something can be done on that side.  Thank you.

Michael Klishin
Jun 6, 2017, 1:55:07 PM
to rabbitm...@googlegroups.com
If you use the same credentials with basic HTTP auth, is it really more secure?

If you use two sets of credentials, management UI won't work as it is only aware of
one set (the one you log in with).

NP
Jun 6, 2017, 3:58:13 PM
to rabbitmq-users
Is it possible to configure rabbitmq to not use the same credentials that you use for basic auth?

Michael Klishin
Jun 6, 2017, 4:02:13 PM
to rabbitm...@googlegroups.com
No, it's not. HTTP API currently relies on basic HTTP auth header for authentication.
