我已使用AD在SSO中正确配置了我的Web服务器。 因此,如果用户直接访问服务器apps.acme.local(192.168.10.1)SPNEGO运行良好。
现在我添加了前端NGINX(带有群集配置),配置非常简单,并在DNS中将apps.acme.local的IP更改为IP NGINX 这样apps.acme.local为192.168.10.3:
upstream apps {
server 192.168.10.1:80 max_fails=1 fail_timeout=5s;
server 192.168.10.2:80 backup;
}
server {
listen 80;
server_name apps.acme.local;
client_max_body_size 100m;
access_log /var/log/nginx/apps_acme_local_access.log main;
error_log /var/log/nginx/apps_acme_local_error.log;
location / {
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_pass http://apps;
}
}
SPNEGO没有工作......错误401显示。 在我的网络服务器中apps.acme.local在正常配置中转到192.168.10.1我看到了:
SPNEGO> Starting SPNEGO Negotiate - a properly configured HTTP client should send an Authorization: Negotiate header containing SPNEGO token when repeating the request /apps/mainpage.html
SPNEGO> Security token format received is SPNEGO NegTokenInit
SPNEGO> SSPI security attributes received 0x20802, but requested 0x20014
SPNEGO> User dgrillo@acme.local authenticated by Kerberos service HTTP/apps.acme.local@acme.local
当我使用NGINX时,我只看到这一点而忽略了其他阶段:
SPNEGO> Starting SPNEGO Negotiate - a properly configured HTTP client should send an Authorization: Negotiate header containing SPNEGO token when repeating the request /apps/mainpage.html
有什么想法吗? NGINX缺少什么?
我一直认为是透明的