Authentication for an app behind reverse proxy

Hi,

I’ve been successfully using a custom OAuth provider for my panel app. However I’m now working on a new production environment where my app is behind a reverse proxy so that users can access the app on standard ports.

I followed the bokeh docs on setting up a reverse proxy with apache and it works well. But now I’m stuck when it comes to adding authentication. When typing http://address/myapp, the url becomes http://address/login?next=%2Fmyapp and yields a Not Found page. I’ve tried various ProxyPassMatch patterns to try to pass the url parameters correctly, to no avail.

Does anyone have any experience on this, be it with apache or nginx?


Here is a config that works. However, I also had to modify the auth.py module in Panel (see issue).

# Apache reverse-proxy rules publishing a Bokeh/Panel app under /myapp.
# Every proxy target is the loopback address 127.0.0.1:5006, so the app server
# itself does not need to listen on an external interface.

# WebSocket endpoint of the app, listed ahead of the general /myapp/ rule.
# NOTE(review): ws:// targets presumably need mod_proxy_wstunnel loaded — confirm.
ProxyPass /myapp/ws ws://127.0.0.1:5006/myapp/ws
ProxyPassReverse /myapp/ws ws://127.0.0.1:5006/myapp/ws

# Static assets requested under /myapp/static are fetched from the backend's /static.
ProxyPass /myapp/static http://127.0.0.1:5006/static
ProxyPassReverse /myapp/static http://127.0.0.1:5006/static

# Everything else below /myapp/ is forwarded with its sub-path ($1) preserved.
# NOTE(review): ProxyPassReverse does not evaluate regular expressions; the
# "(.*)$" and "$1" on the second line are taken literally, so it likely rewrites
# no Location headers on redirects (such as the login redirect) — verify.
ProxyPassMatch /myapp/(.*)$ http://127.0.0.1:5006/myapp/$1
ProxyPassReverse /myapp/(.*)$ http://127.0.0.1:5006/myapp/$1

# Sends /myapp to the trailing-slash form that the ProxyPassMatch pattern expects.
Redirect /myapp /myapp/

# NOTE(review): this looks like two directives ("Require all granted" and
# "Options -Indexes") whose line break and enclosing container were lost when
# the post was rendered; restore both from the original config.
# "Require all granted" means Apache itself admits every client in that scope,
# so access control rests entirely on the app's OAuth login — keep the scope as
# narrow as the proxy setup allows.
Require all granted Options -Indexes

# Serves Bokeh's static files straight from disk under /static.
Alias /static /path/to/bokeh/server/static
<Directory /path/to/bokeh/server/static>
# +Indexes enables auto-generated directory listings for this tree.
# NOTE(review): serving the files does not require listings; prefer -Indexes
# unless browsing the directory is intended. The closing </Directory> is not
# visible in the post.
Options +Indexes


@Theom2

I would also like to use Azure OAuth and then reverse proxy with nginx. I am trying to follow along with what you are adding to your nginx config. Where do I need to plug the above in?

# nginx front end: terminates TLS on port 443 and spreads requests over five
# app processes listening on loopback ports 5100-5104.
# NOTE(review): the closing brace of this http block is not included in the post.
http {
# Pool of backend processes; least_conn picks the server with the fewest
# active connections.
# NOTE(review): with OAuth in front of several processes, each backend
# presumably has to share the same cookie secret and OAuth settings so a login
# completed on one is accepted by the others — confirm.
upstream frontends {
least_conn;
# NOTE(review): these two settings govern idle keepalive connections to the
# upstream, which only exist when "keepalive" is enabled (commented out below) — confirm.
keepalive_timeout 180s;
keepalive_requests 100;
#keepalive 10;
server 127.0.0.1:5100;
server 127.0.0.1:5101;
server 127.0.0.1:5102;
server 127.0.0.1:5103;
server 127.0.0.1:5104;
}
sendfile on;
tcp_nopush on;
tcp_nodelay on;
#keepalive_timeout 900;
types_hash_max_size 2048;
#include C:/Users/smaurice/AppData/Local/Programs/Python/Python35/Lib/site-packages/bokeh/server/static/;
# NOTE(review): "include" loads nginx configuration files, but this path is
# Bokeh's static-asset directory; static files are normally exposed through a
# location with root/alias instead — looks unintended, verify.
include C:/Users/myuser/AppData/Local/ESRI/conda/envs/arcgispro-py3-pyviz/lib/site-packages/bokeh/server/static;

default_type application/octet-stream;
gzip on;
gzip_min_length 1100;
gzip_buffers 4 32k;
gzip_types text/plain application/x-javascript text/xml text/css application/json;
open_file_cache max=10000 inactive=10m;
open_file_cache_valid 2m;
open_file_cache_min_uses 1;
open_file_cache_errors on;
# Request header lines with invalid names are ignored rather than passed on.
ignore_invalid_headers on;
# Request-size and client-timeout limits applied before anything reaches the app.
client_max_body_size 8m;
client_header_timeout 3m;
client_body_timeout 3m;
send_timeout 3m;
connection_pool_size 256;
client_header_buffer_size 4k;
large_client_header_buffers 4 32k;
request_pool_size 4k;
output_buffers 4 32k;
postpone_output 1460;

server {
#listen
# HTTPS only; no port-80 listener or redirect is visible in this snippet.
# No ssl_protocols/ssl_ciphers are set, so the defaults of the installed nginx
# version apply. The private key file should be readable only by the account
# nginx runs as.
listen 443 ssl;
ssl_certificate ./ssl/certificate.pem;
ssl_certificate_key ./ssl/private.key;
# "_" is not a real hostname, so this server does not pin the Host it answers for.
# NOTE(review): the client-supplied Host is forwarded below; if the app builds
# OAuth redirect URLs from it, consider setting the real hostname here — confirm.
server_name _;

# The access log records full request lines, which during an OAuth login
# include the query string of the callback; restrict read access to ./logs.
access_log ./logs/access.log;
# NOTE(review): "debug" is far more verbose than a production system needs and
# writes request details to disk; lower it to warn/error once troubleshooting
# is finished.
error_log ./logs/error.log debug;

location / {
    proxy_pass http://frontends;
    # WebSocket upgrade headers; HTTP/1.1 is required for the upgrade to work.
    # As written, "Connection: upgrade" is sent upstream on every request, not
    # only on upgrade requests.
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
    proxy_http_version 1.1;
    # Appends the client address to any X-Forwarded-For value the client sent;
    # the backend should trust this header only from this proxy.
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    # NOTE(review): no X-Forwarded-Proto is set, so the backend only sees plain
    # http from the proxy; check how the app derives the scheme of its OAuth
    # redirect URI.
    proxy_set_header Host $host:$server_port;
    proxy_buffering off;
# Seven-day timeouts keep long-lived WebSocket connections from being cut, but
# they apply to every request in this location, so stalled upstream
# connections are also held that long.
proxy_connect_timeout 7d; 
    proxy_send_timeout 7d; 
    proxy_read_timeout 7d; 
}

}

Soooo… my error was not in the source code. For the Azure auth redirect to work through the reverse proxy, the following has to be added to the nginx config:

# Larger buffers for responses read from the proxied backend. proxy_buffer_size
# sets the buffer that receives the first part of the upstream response, which
# holds the response headers.
# NOTE(review): presumably the Azure OAuth redirect response carries headers or
# cookies larger than the default buffer; the usual symptom is a 502 with
# "upstream sent too big header" in the error log — confirm there.
# Both directives are accepted in http, server or location context, e.g. next
# to proxy_pass in the location that fronts the app.
proxy_buffers 8 16k;
proxy_buffer_size 32k;
