Skip to content

Add authenticated reverse proxy mechanism #533

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 6 commits into from
Aug 10, 2017
Merged

Add authenticated reverse proxy mechanism #533

merged 6 commits into from
Aug 10, 2017

Conversation

@RubenVerborgh
Copy link
Contributor

@RubenVerborgh RubenVerborgh commented Aug 10, 2017

This pull request allows Solid server to act as a reverse proxy for backends, to which it passes authentication information (user and host).

This feature can be configured as follows:

{
  "authProxy": {
    "/my/path": "http://localhost:2345/app"
  }
}

With the above configuration, a request to https://ruben.solid.server/my/path/to/something?x=y will be proxied to http://localhost:2345/app/to/something?x=y. The User header on the proxy request will be set to the currently logged-in user (or empty if none), and the Forwarded header will be set to host=ruben.solid.server. This enables the proxied server to serve content from that user on this specific host.

Other changes

In order to avoid confusion between the existing CORS proxy and new auth proxies, the proxy parameter has been deprecated and renamed to corsProxy.

Security considerations

Problem: Anyone can pretend to be authenticated by sending a request with the User and Forwarded headers to the proxied server directly (instead of going through the Solid server).

Possible mitigations:

  • The proxied server should only trust the User and Forwarded headers if they are received through the Solid server.
  • It is advised that the proxied server not be publicly visible, but instead only in the Solid server's own network.

@dmitrizagidulin
Copy link
Contributor

dmitrizagidulin commented Aug 10, 2017

The proxied server should only trust the User and Forwarded headers if they are received through the Solid server.

Is this meant on the network/firewall level? (As in, only solid server will be able to access the internal port that will be closed to the outside?)

Or are there other mechanisms we can use to have solid-server authenticate itself to the proxied service?

dmitrizagidulin
dmitrizagidulin reviewed Aug 10, 2017
View reviewed changes
lib/create-app.js
// Add CORS proxy
if (argv.proxy) {
proxy(app, argv.proxy)
console.error('The proxy configuration option has been renamed to corsProxy.')
Copy link
Contributor

@dmitrizagidulin dmitrizagidulin Aug 10, 2017

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nice :)

@RubenVerborgh
Copy link
Contributor Author

RubenVerborgh commented Aug 10, 2017
edited
Loading

Is this meant on the network/firewall level? (As in, only solid server will be able to access the internal port that will be closed to the outside?)

Indeed, on a network/firewall level. This is usually the case for reverse-proxied servers: they live in a private network, and the reverse proxy is their trusted gateway to the outside world.

Or are there other mechanisms we can use to have solid-server authenticate itself to the proxied service

There are; we could apply encryption etc. However, this would complicate things on both our side and the reverse proxy side—I think the most straightforward option is that the reverse proxy checks whether the Solid server initiated the connection (or that it is simply not accessible by other servers in the first place).

@RubenVerborgh RubenVerborgh added this to the 4.0.0 milestone Aug 10, 2017
dmitrizagidulin
dmitrizagidulin approved these changes Aug 10, 2017
View reviewed changes
Copy link
Contributor

@dmitrizagidulin dmitrizagidulin left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good; nice work on this.
Let's add the new config params to the CHANGELOG section so we dont forget in the future, and it'll be ready to go.

RubenVerborgh added a commit that referenced this pull request Aug 10, 2017
@RubenVerborgh
Add CHANGELOG entry for authProxy (#533).
cc01201
@RubenVerborgh
Copy link
Contributor Author

RubenVerborgh commented Aug 10, 2017

CHANGELOG entry prepared in #534.

@dmitrizagidulin dmitrizagidulin merged commit 822d58c into dz_oidc Aug 10, 2017
@dmitrizagidulin dmitrizagidulin deleted the feature/authproxy branch August 10, 2017 19:06
RubenVerborgh added a commit that referenced this pull request Sep 3, 2017
@RubenVerborgh
Add CHANGELOG entry for authProxy (#533).
89ccbda
@AH7 AH7 mentioned this pull request Nov 28, 2023
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer

@dmitrizagidulin dmitrizagidulin dmitrizagidulin approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

@dmitrizagidulin dmitrizagidulin

Labels

enhancement ready for review

Projects

None yet

Milestone

4.0.0

Development

Successfully merging this pull request may close these issues.

3 participants

@RubenVerborgh @dmitrizagidulin