[英]Azure App Service authentication behind a reverse-proxy
I'm working with Authentication in Azure App Service, AKA "Easy Authentication" https://docs.microsoft.com/en-us/azure/app-service/app-service-authentication-overview 我正在使用Azure应用服务中的身份验证,也称为“轻松身份验证” https://docs.microsoft.com/zh-cn/azure/app-service/app-service-authentication-overview
It works fine if I browse my azure web-site using it's Azure name: [myid].azurewebsites.net But if place my web-site behind a reverse proxy, after authentication, I'm always redirected to [myid].azurewebsites.net instead of www.[mydomain].com. 如果我使用Azure名称浏览我的azure网站,则效果很好:[myid] .azurewebsites.net但是,如果将我的网站放在反向代理后面,则在身份验证之后,我总是会重定向到[myid] .azurewebsites。网络,而不是www。[mydomain] .com。 The reverse proxy is correctly configured to serve my pages and all work fine without authentication.
反向代理已正确配置为服务我的页面,并且无需身份验证即可正常工作。
I think that the root cause is how the redirect_uri parameter is built by "Easy Authentication". 我认为根本原因是“简易身份验证”如何构建redirect_uri参数。 Using Chrome F12 I noticed that during the initial redirect to authentication service, the browser url is built using [myid].azurewebsites.net instead of www.[mydomain].com.
使用Chrome F12,我注意到在最初重定向到身份验证服务期间,使用[myid] .azurewebsites.net而非www。[mydomain] .com构建了浏览器URL。
https://login.windows.net/034...51/oauth2/authorize?response_type=id_token&redirect_uri=https%3A%2F%2Fmyid.azurewebsites.net%2F.auth%2Flogin%2Faad%2Fcallback& ...... https://login.windows.net/034...51/oauth2/authorize?response_type=id_token&redirect_uri=https%3A%2F%2Fmyid.azurewebsites.net%2F.auth%2Flogin%2Faad%2Fcallback& ..... 。
I can't find a way to instruct/force "Easy Authentication" to use www.[mydomain].com 我找不到指示/强制“轻松身份验证”使用www。[mydomain] .com的方法
Any suggestions or idea? 有什么建议或想法吗?
--- update --- -更新-
I use Nginx as reverse-proxy. 我使用Nginx作为反向代理。 The relevant fragment of the configuration file (redacted):
配置文件的相关片段(已编辑):
server {
server_name www.mydomain.com;
listen 80;
listen 443 ssl;
...
location / {
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Real-Host $host;
proxy_pass https://myid.azurewebsites.net/;
}
}
We need to include an extra parameter to instruct where the process should redirect to after successful authentication. 我们需要包括一个额外的参数,以指示成功认证后该过程应重定向到何处。 We can do this with the 'post_login_redirect_uri' parameter.
我们可以使用“ post_login_redirect_uri”参数来实现。 Without this, the process will redirect to a default 'Authentication Successful' page with a link to go back to the site.
否则,该过程将重定向到默认的“身份验证成功”页面,并带有一个可返回到该站点的链接。
For more details, refer to this document: https://weblogs.asp.net/pglavich/easy-auth-app-service-authentication-using-multiple-providers . 有关更多详细信息,请参阅此文档: https : //weblogs.asp.net/pglavich/easy-auth-app-service-authentication-using-multiple-providers 。
According to your description, I used URL Rewrite and Azure Functions Proxies as my reverse-proxy to test this issue, I found that I could encounter the same issue as you mentioned. 根据您的描述,我使用URL重写和Azure函数代理作为我的反向代理来测试此问题,我发现我可能遇到与您提到的相同的问题。 I also tried to compare
Headers
、 ServerVariables
between accessing via reverse-proxy and directly accessing, and tried to override the related headers to narrow this issue, but failed in the end. 我还尝试比较通过反向代理访问和直接访问之间的
Headers
, ServerVariables
,并尝试覆盖相关的Header以缩小此问题,但最终失败了。 I assumed that since we are using the build-in App Service Authentication / Authorization, we could not override the generating for the redirect_uri
parameter. 我假设由于我们正在使用内置的App Service身份验证/授权,因此无法覆盖
redirect_uri
参数的生成。
Per my understanding, you could set the additional header(s) under your reverse-proxy, then build the authentication / Authorization in your application to pick up the additional header for generating the redirect_uri
and redirect user to the related authorize endpoint. 根据我的理解,您可以在反向代理下设置其他头,然后在应用程序中构建身份验证/授权,以选择其他头来生成
redirect_uri
并将用户重定向到相关的授权端点。 Or you could use Traffic Manager for Load Balancer, and you could follow this issue . 或者,您可以将Traffic Manager用于负载均衡器,然后可以解决此问题 。 Additionally, if you just want to customize your azure web app domain, you could follow here .
此外,如果您只想自定义Azure Web应用程序域,则可以按照此处进行操作 。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.