OAuth2 Nginx proxy problem (https -> http)
When user authentication was recently deployed to the system's production environment, logging in failed. Everything worked in the local development environment, but authentication failed on the server. A review of the logs showed that the OAuth2 redirectUri parameters did not match.
As I understand it, Spring Boot obtains the redirectUri from the HttpServletRequest through UrlUtils.buildFullRequestUrl(request). In OAuth2LoginAuthenticationFilter:

```java
String redirectUri = UriComponentsBuilder.fromHttpUrl(UrlUtils.buildFullRequestUrl(request))
        .replaceQuery(null)
        .build()
        .toUriString();
```
The server is configured with nginx as a reverse proxy. As a result, Spring cannot get the correct scheme and host, so the redirectUri does not match and authentication fails.
Solve the problem
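1: First, nginx accepts https and forwards to the backend over http, so pass the original host and scheme along in headers (this also supports cross-domain requests), and set protocol-header-https-value: "https" on Spring Boot's Tomcat so that the forwarded request is treated as https.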
**Nginx**

```nginx
proxy_set_header HOST $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
```
**Tomcat**

- 1. For the Tomcat embedded in Spring Boot, application.yml must be configured with the following parameters:

```yaml
server:
  tomcat:
    remote-ip-header: "X-Forwarded-For"
    protocol-header: "X-Forwarded-Proto"
    protocol-header-https-value: "https"
```
- 2. For a standalone Tomcat, just configure the following parameters:

```xml
<Engine >
  <Valve className="org.apache.catalina.valves.RemoteIpValve"
         remoteIpHeader="X-Forwarded-For"
         protocolHeader="X-Forwarded-Proto"
         protocolHeaderHttpsValue="https"/>
</Engine >
```
Is it solved now? Yes, but pay attention to one last step: the path prefix of the Nginx proxy. For example, my site is https://craywen.top/pms, and requests matching the nginx route for pms (^~ /pms) are proxied to http://127.0.0.1:8099. In this case the redirectUri built by the code will carry /pms. There are two solutions:

1: Configure the URL rewrite in Nginx:

```nginx
rewrite ^/user/(.*)$ /$1 break;
proxy_pass http://user;
```

2: Add /pms to the OAuth2 whitelist.
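The effect of each setting above on the rebuilt redirect URI, as an added Java model (not code from this post, Spring or Tomcat). It assumes a plain-HTTP backend connector; the `demo` registration id, the callback path and the registered URI are constructed values, and `peerTrusted` stands for the nginx address matching the valve's trusted/internal proxy list.

```java
import java.util.LinkedHashMap;
import java.util.Map;

// Added model of the behaviour described above; not Spring or Tomcat source code.
public class RedirectUriBehindProxy {

    // Same shape as buildFullRequestUrl(...) with the query removed:
    // scheme://host[:port]/path, port omitted when it is the scheme's default.
    static String rebuild(String scheme, String host, int port, String path) {
        boolean dflt = (scheme.equals("http") && port == 80) || (scheme.equals("https") && port == 443);
        return scheme + "://" + host + (dflt ? "" : ":" + port) + path;
    }

    // hostHeader: Host header the backend receives; xfProto: X-Forwarded-Proto or null;
    // valveOn: protocol-header is configured; peerTrusted: the connecting proxy is on the
    // valve's trusted/internal list (forwarded headers from other peers are ignored).
    static String seenByBackend(String hostHeader, String xfProto, boolean valveOn,
                                boolean peerTrusted, String path) {
        String[] hp = hostHeader.split(":", 2);
        String scheme = "http";                                    // plain HTTP connector
        int port = hp.length == 2 ? Integer.parseInt(hp[1]) : 80;
        if (valveOn && peerTrusted && "https".equalsIgnoreCase(xfProto)) {
            scheme = "https";
            port = 443;                                            // valve's default HTTPS port
        }
        return rebuild(scheme, hp[0], port, path);
    }

    public static void main(String[] args) {
        String registered = "https://craywen.top/pms/login/oauth2/code/demo"; // constructed value
        String cb = "/login/oauth2/code/demo";                                // constructed path
        Map<String, String> cases = new LinkedHashMap<>();
        // Without proxy_set_header, nginx sends the upstream address as Host.
        cases.put("no proxy headers", seenByBackend("127.0.0.1:8099", null, false, true, "/pms" + cb));
        cases.put("headers, no valve", seenByBackend("craywen.top", "https", false, true, "/pms" + cb));
        cases.put("untrusted peer", seenByBackend("craywen.top", "https", true, false, "/pms" + cb));
        cases.put("headers + valve", seenByBackend("craywen.top", "https", true, true, "/pms" + cb));
        // nginx rewrite removes the prefix, so the backend no longer sees /pms.
        cases.put("prefix stripped", seenByBackend("craywen.top", "https", true, true, cb));
        cases.forEach((name, uri) -> System.out.printf("%-18s %-50s match=%b%n",
                name, uri, uri.equals(registered)));
    }
}
```

Which of the last two cases matches depends on whether the redirect URI registered with the OAuth2 provider includes the /pms prefix, which is the choice between the two solutions above.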
- Refer to https://www.jianshu.com/p/cf0056c64fa4