On Fri, Dec 03, 2021 at 12:57:06PM -0500, agomes wrote:

Hi there,

It looks like your /pwm/public/forgottenpassword page wants lots of
content from /pwm/public/resources.

I expect that you still do not want to publish /pwm/private/login.

If you are happy to expose all of /pwm/public/, and you are happy for
the users to see the /pwm/public/ urls in their browser, then it might be
easier to proxy_pass /pwm/public/ to /pwm/public/, and to redirect the short
"reset password" url that you want to advertise, to the longer one.

That could be something like

location = /app {
return 301 /pwm/public/forgottenpassword;
}
location /pwm/public/ {
proxy_pass https://myappp;
}

If you need "proxy_set_header Host $host;", then add it; you may not need
a proxy_redirect depending on what the internal server actually returns.

If you have other "location ~" parts in your nginx config, you should
consider using "location ^~ /pwm/public/" for the second one instead.

> Error
> Password Self Service PWM
> Error
>
> PWM 5025
>
>
> Maximum login attempts for this session have been exceeded. Try again
> later.

I suspect that that will be related to the cookie thing -- the login
probably wants the confirmation cookie, but because the pwm service
tells the browser to only return the cookie to requests below /pwm,
and the browser is requesting /app, the browser is not sending the cookie.

With the new suggested config, the browser will be requesting things
below /pwm, and should send the cookie.

If the /pwm application considers "session" to be "source IP", then
when it is reverse-proxied, it will see all traffic from the one IP
address,which might confuse it.

> [03/Dec/2021:17:54:28 +0000] "x.x.x.x" "GET /app/ HTTP/1.1" 200 104 "-"
> "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like
> Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.41" "x.x.x.x:8443"
> 0.007 0.008 "0.88"

That is: a request to /app/ got a small http 200 response.

But then the next request is browser requesting /pwm, with a Referer of
/app/ -- it might be interesting to see why that was. Maybe you need to
publish more than just /pwm/public?

(Actually: I suspect that in this case, the "/app/" request was
direct to the internal server, which possibly is configured to return
a javascript redirect to "/pwm" for anything unknown. So a better
test, going direct to the internal server, would be too start with
/pwm/public/forgottenpassword. But maybe it won't be needed, if the new
suggested config Just Works.)

> [03/Dec/2021:17:54:28 +0000] "x.x.x.x" "GET /pwm HTTP/1.1" 302 5
> "x.x.x.x/app/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36
> (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.41"
> "x.x.x.x:8443" 0.005 0.004 "-"

"/pwm" redirected to "/pwm/".

> [03/Dec/2021:17:54:28 +0000] "x.x.x.x" "GET /pwm/ HTTP/1.1" 200 1430
> "x.x.x.x/app/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36
> (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.41"
> "x.x.x.x:8443" 0.011 0.008 "-"

And "/pwm/" had lots of content below "/pwm/public/":

> [03/Dec/2021:17:54:28 +0000] "x.x.x.x" "GET
> /pwm/public/resources/nonce-135vkyu/pwm-icons.css HTTP/1.1" 200 1549
> "x.x.x.x/pwm/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36
> (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.41"
> "x.x.x.x:8443" 0.005 0.004 "2.63"
....


Hopefully that will get you closer to where you want to be.

Good luck with it!

f
--
Francis Daly francis@daoine.org
_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx