
Using Nginx as reverse proxy, authentication with facebook is not working as it should.

My proxy_pass is set to origin.example.com and the main site is at main.example.com.

proxy_pass https://origin.example.com;
proxy_ssl_server_name on;
proxy_set_header Connection "";
proxy_set_header Host origin.example.com;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection keep-alive;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

Redirection for the Facebook login happens using the Location header, which I want to modify, and I found that it can be done using proxy_redirect. However, I have no idea how to do that.

I have already used the redirect URI main.example.com in Facebook. I have also already requested a change in the origin app to make this change; however, it is not in our control, and we have to manage this by modifying this header value from nginx only.

Specifically, I want to modify this header value

https://www.facebook.com/v3.1/dialog/oauth?client_id=249911186056401&scope=email&response_type=code&redirect_uri=https%3A%2F%2F**origin.example.com**%2Fsignin-facebook&state=CfDJ8FXKlLU-VLlFryQdHqtwILDwFpBxeh1ZlS5hy7drEOaXtmdjBd8T8m4oyy7LvYttb8Ryyb894ZgCUGPINPQX_jWt-s1J2ZwtJirchyAWfsXXtqC69PYLxJNf84fbK_bXLrpd0eFE7Z0LAwq98gp-54lUwv3rZPNLZ4Jw1q3-3yjjFGTgAvJCDSgiTTxvIpY8E-3WlTlNPMfiFv4USoXHfYeKJaQ52EAAMdhA3dlAoALVsUkOl-0lNUjCP4xa4ZKcRuL1wJI1Gbk7Fg7Nyxzgqu4

to

https://www.facebook.com/v3.1/dialog/oauth?client_id=249911186056401&scope=email&response_type=code&redirect_uri=https%3A%2F%2F**main.example.com**%2Fsignin-facebook&state=CfDJ8FXKlLU-VLlFryQdHqtwILDwFpBxeh1ZlS5hy7drEOaXtmdjBd8T8m4oyy7LvYttb8Ryyb894ZgCUGPINPQX_jWt-s1J2ZwtJirchyAWfsXXtqC69PYLxJNf84fbK_bXLrpd0eFE7Z0LAwq98gp-54lUwv3rZPNLZ4Jw1q3-3yjjFGTgAvJCDSgiTTxvIpY8E-3WlTlNPMfiFv4USoXHfYeKJaQ52EAAMdhA3dlAoALVsUkOl-0lNUjCP4xa4ZKcRuL1wJI1Gbk7Fg7Nyxzgqu4

I want to replace all instances of origin.example.com with main.example.com in the Location header.

Here are my server block configurations:

server {
  listen [::]:80;
  listen 80;
  server_name main.example.com;
  return 301 https://www.$host$request_uri;
}

server {
  listen [::]:443 ssl http2;
  listen 443 ssl http2;
  server_name main.example.com;
  proxy_set_header Accept-Encoding "";
  sub_filter_types *;
  sub_filter_once off;
  sub_filter "http:" "https:";
  include https.conf;
}
  • Can you add an example of the NGINX config, just to be sure what you're after? Maybe a small diagram if it's not too much trouble? Commented Aug 29, 2020 at 12:55
  • @TravisSpencer Thanks, added the same. I hope this is helpful to understand. Commented Aug 29, 2020 at 13:06
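The header rewrite the question asks for, as an added example that is not part of the original post or its answer. The default form of proxy_redirect only rewrites a Location value that begins with the proxy_pass URL; here the origin hostname sits percent-encoded inside the redirect_uri query parameter of a facebook.com URL, so the regex form of proxy_redirect is used instead. The location block, upstream name and hostnames are taken from the question; sub_filter is left out because it touches only the response body, not headers.

```nginx
location / {
    proxy_pass https://origin.example.com;
    proxy_ssl_server_name on;
    proxy_http_version 1.1;
    proxy_set_header Host origin.example.com;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

    # Regex proxy_redirect ("~*" = case-insensitive, so %2F and %2f both
    # match) is applied to the whole Location value.  $1 and $2 are the
    # captured prefix and suffix, so only the encoded hostname changes and
    # the state parameter (the OAuth CSRF token) is passed through intact.
    # The substituted host must match the redirect URI registered with
    # Facebook exactly, otherwise the authorization request is rejected.
    proxy_redirect ~*^(.*)https%3A%2F%2Forigin\.example\.com(.*)$
                   $1https%3A%2F%2Fmain.example.com$2;

    # Plain redirects to the origin host (e.g. the post-login callback
    # Location: https://origin.example.com/signin-facebook) are still
    # rewritten by the prefix form; the first matching directive wins.
    proxy_redirect https://origin.example.com/ https://main.example.com/;
}
```

After reloading, confirm the rewrite with `curl -sI https://main.example.com/<login-path> | grep -i location` and check that the redirect_uri now carries main.example.com.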

1 Answer


You should reconfigure the OAuth client in Facebook to use a redirect URI of https://main.example.com. In the actual app, do not send https://origin.example.com when performing the OAuth authorization request, but use this one that Facebook is reconfigured to use. This will ensure that Facebook accepts the request, and will effectively hide the origin server. After login and authorization, Facebook will send the callback response to the NGINX proxy, which it can pass through to the hidden origin server.


4 Comments

I already used the redirect URI main.example.com in Facebook. I have also already requested a change in the origin app to make this change; however, it is not in our control, and we have to manage this by modifying this header value from nginx only. So I am out of options. I would appreciate your help on how to do this from nginx.
You should state that restriction in your question. Solving that will be tricky. Does the app start the login process by some JavaScript click handler in the code that passes through NGINX, or does it perform a redirect that NGINX can clearly see?
Login does work by a redirect passing through NGINX that it can clearly see.
Hi, is there a way we can use some kind of script or programming here to modify this?
