Configure Request Header Authentication in Nexus with IISRSS

7 replies

Last post Nov 14, 2016 07:22 AM by Yuk Ding

  • Configure Request Header Authentication in Nexus with IIS

    Nov 07, 2016 10:31 AM|Mario Majcica|LINK

    Hi all,

    I would like to configure my IIS instance to work as a reverse proxy. It should handle the authentication and proxy the calls to the instance of Nexus with in addition of a header which will contain the authenticated username. This technique is described here at Sonatype documentioion site http://books.sonatype.com/nexus-book/3.0/reference/security.html#remote-user-token

    I tried several things in guides I found on Google in regard to IIS and reverse proxy, using ARR and URL Rewrite module. However I was unsuccessful. Achieving the desired in Apache is quite simple, thus I would expect it should be as simple in IIS. A guide on how to set it up in Apache is here, https://support.sonatype.com/hc/en-us/articles/214942368-How-to-Configure-Request-Header-Authentication-in-Nexus-with-Apache. I also tried setting up Apache and it works as expected.

    Is there anyone who can indicate me the right path in order to setup my IIS to achieve the same?

    Thanks

  • Re: Configure Request Header Authentication in Nexus with IIS

    Nov 08, 2016 03:16 AM|Yuk Ding|LINK

    Hi Mario,

    Considering it is a third-party feature, I'm sorry that I can't test configuring nexus with IIS on my side. By referring the support page https://support.sonatype.com/hc/en-us, there seems no evidence that the nexus will support IIS. You could try to ask their vendor whether the nexus could be used with IIS.

    Maybe you could try to use form authentication and your own code to authenticate the request header.

    This link provide the instruction to build asp.net form authentication:

    https://www.asp.net/web-forms/overview/older-versions-security/introduction/an-overview-of-forms-authentication-cs

    Best Regards,

    Yuk Ding

    Yuk Ding

    MSDN Community Support
    Please remember to "Mark as Answer" the responses that resolved your issue.
  • Re: Configure Request Header Authentication in Nexus with IIS

    Nov 08, 2016 07:14 AM|Mario Majcica|LINK

    Dear Yuk,

    There is nothing to be supported. The only thing is that IIS should work as a revers proxy which handles the authentication and in process forwards the name of the authenticated user in a request header.

    I maybe should be more specific about my question, which I may formulate in the following way.

    How to setup IIS ARR or a URL Rewrite module (not sure about the precise module that will handle it) in order to route all of the request to IIS on the same server, to route all of the requests from the port 80, to port 8081?

    During the routing a header to the request should be added and should contain the name of the user that IIS authenticated during the initial request.

    Any tips about on how to achieve this?

    Thanks

  • Re: Configure Request Header Authentication in Nexus with IIS

    Nov 08, 2016 09:56 AM|Yuk Ding|LINK

    Hi Mario,

    If you just want to map the port 80 to port 8081, one inbound rule is enough. You could use <match url="(.*)" /> to capture all the request and set the redirect action like <action type="Redirect" url="http://localhost:8081/{R:1}"  appendQueryString="false" redirectType="Temporary"/>.

    This link provide a instruction to configure reverser proxy with ARR and URL rewrite rule:

    https://www.iis.net/learn/extensions/url-rewrite-module/reverse-proxy-with-url-rewrite-v2-and-application-request-routing

    Best Regards,

    Yuk Ding

    Yuk Ding

    MSDN Community Support
    Please remember to "Mark as Answer" the responses that resolved your issue.
  • Re: Configure Request Header Authentication in Nexus with IIS

    Nov 08, 2016 10:24 AM|Mario Majcica|LINK

    Hi Yuk,

    and that's fine, I was able to find blog posts and guides about it. How to add an additional header value set by IIS to a call made to the 8081 instance in which I would set the name of the authenticated user?

    Thanks

  • Re: Configure Request Header Authentication in Nexus with IIS

    Nov 09, 2016 08:26 AM|Yuk Ding|LINK

    Hi Mario,

    Request header or response header?

    Based on my understanding, IIS could not add the custom request header without any web application. If you need to add custom request header maybe, this link could be a sample code:

    https://forums.asp.net/t/979853.aspx?How+do+I+add+custom+headers+to+a+request+ASP+Net+2+0+

    Besides, if you want to add a response header. Outbound rule will be available:

    https://www.iis.net/learn/extensions/url-rewrite-module/modifying-http-response-headers

    Best Regards,

    Yuk Ding

    Yuk Ding

    MSDN Community Support
    Please remember to "Mark as Answer" the responses that resolved your issue.
  • Re: Configure Request Header Authentication in Nexus with IIS

    Nov 10, 2016 10:32 AM|Mario Majcica|LINK

    Hi Yuk,

    I am a bit confused. Let's see if I understood. Client browser makes the initial request towards my IIS hosted site that acts as proxy at port 80. IIS handles the authentication and if successful, then IIS forwards this request towards another webserver (Jetty) running on the same machine on the port 8081. At this moment IIS should add another header in the request he is making to the service on 8081. Header should contain the name of the previously authenticated user. Then the service running on 8081 sends a replay to IIS, which should rewrite URL's in the response and send the response to the client that originated the request. What are the necessary parts to be configured on IIS to achieve something similar?

    Thanks

  • Re: Configure Request Header Authentication in Nexus with IIS

    Nov 14, 2016 07:22 AM|Yuk Ding|LINK

    Hi Mario,

    Based on my understanding, IIS won't add any request header during the redirect. You could try to build a web application with windows authentication and an virtual directory with anonymous authentication under default website. If you redirect the url from your web application to virtual directory, the popup for user credential will even not show up. It means that IIS will not add any request header or authenticate anybody but just relay the request to the target  URL during the redirect.

    This link could help you understand the pipeline of URL rewrite module:

    https://www.iis.net/learn/extensions/url-rewrite-module/iis-request-filtering-and-url-rewriting

    Best Regards,

    Yuk Ding

    Yuk Ding

    MSDN Community Support
    Please remember to "Mark as Answer" the responses that resolved your issue.