nginx version: 1.14.2
I'm trying to use nginx auth_request to authenticate users for accessing a subdomain on which a page is served that I can't otherwise influence.
I have a Python + Flask based login page which returns 200 if the user is logged in, and returns 401 if the user is not logged in.
I have configured a proxy_pass subdomain in nginx like this:
    server {
        listen 80;
        server_name sub.example.com;
        return 301 https://$server_name$request_uri;
    }

    server {
        listen 443 ssl;
        server_name sub.example.com;

        location / {
            auth_request /myauth;
            auth_request_set $auth_status $upstream_status;
            proxy_pass http://localhost:8001;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
        }

        location = /myauth {
            proxy_pass https://login.example.com/;
            proxy_pass_request_body off;
            proxy_set_header Content-Length "";
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
        }

        error_page 401 = @error401;

        location @error401 {
            return 302 https://login.example.com/login/?next=https://$http_host$request_uri ;
        }
    }
The nginx config for the login page looks like this:
    server {
        listen 80;
        server_name login.example.com;
        return 301 https://$server_name$request_uri;
    }

    server {
        listen 443 ssl http2;
        server_name login.example.com;
        client_max_body_size 128M;

        location / {
            include uwsgi_params;
            uwsgi_pass unix:/srv/loginpage/loginpage.sock;
        }
    }
This is what my access log looks like:
    [24/Dec/2019:04:17:28 +0100] "login.example.com" "GET /login/?next=https://sub.example.com/ HTTP/2.0" 302 263
    [24/Dec/2019:04:17:28 +0100] "login.example.com" "GET / HTTP/1.0" 401 10
    [24/Dec/2019:04:17:28 +0100] "sub.example.com" "GET / HTTP/2.0" 302 161
    [24/Dec/2019:04:17:28 +0100] "login.example.com" "GET /login/?next=https://sub.example.com/ HTTP/2.0" 302 263
    [24/Dec/2019:04:17:28 +0100] "login.example.com" "GET / HTTP/1.0" 401 10
    [24/Dec/2019:04:17:28 +0100] "sub.example.com" "GET / HTTP/2.0" 302 161
    [24/Dec/2019:04:17:28 +0100] "login.example.com" "GET /login/?next=https://sub.example.com/ HTTP/2.0" 302 263
    [24/Dec/2019:04:17:28 +0100] "login.example.com" "GET / HTTP/1.0" 401 10
    [24/Dec/2019:04:17:28 +0100] "sub.example.com" "GET / HTTP/2.0" 302 161
The debug log can be found here: https://gist.github.com/laundmo/c23345061940bbef59703d43e93a9ba0
The login system works: I can log in and get a 200 response on https://login.example.com/. If I'm logged out I get redirected to the login page, even when accessing sub.example.com while logged out. The redirect back also seems to work. Just for some reason, once I get redirected back to sub.example.com I get redirected to login.example.com, which redirects me to sub.example.com, and so on...
Edit: if this belongs on another StackExchange page, please tell me and I will delete this and move it there.
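
One way to confirm the loop from the access log, as an added example that is not part of the original post: it parses the log format shown above, flags any redirect answered repeatedly within a short window, and counts the status codes of nginx's own auth checks (the HTTP/1.0 requests to login.example.com). The function names, the 5-second window and the threshold of 3 are assumptions chosen for illustration.

```python
import re
from collections import Counter
from datetime import datetime

# The three-line cycle from the access log above; the log shows it three times.
CYCLE = '''\
[24/Dec/2019:04:17:28 +0100] "login.example.com" "GET /login/?next=https://sub.example.com/ HTTP/2.0" 302 263
[24/Dec/2019:04:17:28 +0100] "login.example.com" "GET / HTTP/1.0" 401 10
[24/Dec/2019:04:17:28 +0100] "sub.example.com" "GET / HTTP/2.0" 302 161
'''
SAMPLE = CYCLE * 3

# [time] "host" "METHOD uri PROTO" status bytes
LINE = re.compile(
    r'\[(?P<ts>[^\]]+)\] "(?P<host>[^"]+)" '
    r'"(?P<method>\S+) (?P<uri>\S+) (?P<proto>HTTP/[\d.]+)" (?P<status>\d{3}) \d+')

def parse(text):
    rows = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:  # lines in any other format are skipped
            row = m.groupdict()
            row["ts"] = datetime.strptime(row["ts"], "%d/%b/%Y:%H:%M:%S %z")
            row["status"] = int(row["status"])
            rows.append(row)
    return rows

def find_redirect_loops(rows, window_s=5, threshold=3):
    """Return {(host, uri): n} for redirects answered n >= threshold times within window_s seconds."""
    loops = {}
    redirects = [r for r in rows if 300 <= r["status"] < 400]
    for key in {(r["host"], r["uri"]) for r in redirects}:
        times = sorted(r["ts"] for r in redirects if (r["host"], r["uri"]) == key)
        start = best = 0
        for end, t in enumerate(times):  # sliding window over sorted timestamps
            while (t - times[start]).total_seconds() > window_s:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            loops[key] = best
    return loops

def auth_check_statuses(rows, auth_host="login.example.com"):
    """Count statuses of nginx's own auth subrequests to auth_host.

    proxy_pass speaks HTTP/1.0 unless proxy_http_version is set, which is why
    these requests appear as HTTP/1.0 while browser requests are HTTP/2.0."""
    return Counter(r["status"] for r in rows
                   if r["host"] == auth_host and r["proto"] == "HTTP/1.0")
```

On the log above, both redirects are flagged and every auth check in the window is a 401, so the subrequest never sees a logged-in session.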