ClientTokenRotation: Don't rotate session cookie for authproxy (#72496)

* ClientTokenRotation: Don't rotate session cookie for authproxy

* Account for config option auth.proxy enable_login_token

* Limit amount of changes on devenv

* Fix tests by moving authenticatedBy up

* Uncomment nginx conf

devenv/docker/blocks/auth/nginx_proxy/Dockerfile

@@ -1,4 +0,0 @@
-FROM nginx:1.19.3-alpine
-
-COPY nginx.conf /etc/nginx/nginx.conf
-COPY htpasswd /etc/nginx/htpasswd

devenv/docker/blocks/auth/nginx_proxy/docker-compose.yaml

@@ -5,5 +5,11 @@
 # root_url = %(protocol)s://%(domain)s:10080/grafana/
 
   nginxproxy:
-    build: docker/blocks/auth/nginx_proxy
-    network_mode: host
+    image: nginx:1.24-alpine
+    volumes:
+      - "./docker/blocks/auth/nginx_proxy/nginx.conf:/etc/nginx/nginx.conf"
+      - "./docker/blocks/auth/nginx_proxy/htpasswd:/etc/nginx/htpasswd"
+    ports:
+      - "8090:8090"
+    extra_hosts:
+      - "host.docker.internal:host-gateway"

devenv/docker/blocks/auth/nginx_proxy/nginx.conf

@@ -4,14 +4,20 @@ http {
   sendfile on;
 
   proxy_redirect     off;
-  proxy_set_header   Host $host;
+  proxy_set_header   Host $host:$server_port;
   proxy_set_header   X-Real-IP $remote_addr;
   proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
   proxy_set_header   X-Forwarded-Host $server_name;
 
   server {
-    listen 10080;
+    listen 8090;
 
+    ###############################################################
+    #  Location is under the sub path /grafana/. We need to update the
+    #  config.ini file accordingly.
+    #  [server]
+    #  root_url = %(protocol)s://%(domain)s:%(http_port)s/grafana/
+    ###############################################################
     location /grafana/ {
       ################################################################
       # Enable these settings to test with basic auth and an auth proxy header
@@ -19,8 +25,10 @@ http {
       # user1: grafana and user2: grafana
       ################################################################
 
-      # auth_basic "Restricted Content";
-      # auth_basic_user_file /etc/nginx/htpasswd;
+      auth_basic "Restricted Content";
+      auth_basic_user_file /etc/nginx/htpasswd;
+      # Remove the authentication header meant for NGINX
+      proxy_set_header "Authorization" "";
 
       ################################################################
       # To use the auth proxy header, set the following in custom.ini:
@@ -28,11 +36,12 @@ http {
       # enabled = true
       # header_name = X-WEBAUTH-USER
       # header_property = username
+      # enable_login_token = false
       ################################################################
 
-      # proxy_set_header X-WEBAUTH-USER $remote_user;
+      proxy_set_header X-WEBAUTH-USER $remote_user;
 
-      proxy_pass http://localhost:3000/;
+      proxy_pass http://host.docker.internal:3000/;
     }
   }
-}
+}

devenv/docker/blocks/auth/nginx_proxy/nginx_login_only.conf

@@ -10,7 +10,7 @@ http {
   proxy_set_header   X-Forwarded-Host $server_name;
 
   server {
-    listen 10080;
+    listen 8090;
 
     location /grafana/ {
       ################################################################
@@ -26,17 +26,18 @@ http {
       # enabled = true
       # header_name = X-WEBAUTH-USER
       # header_property = username
+      # enable_login_token = true
       ################################################################
 
       location /grafana/login {
         auth_basic "Restricted Content";
         auth_basic_user_file /etc/nginx/htpasswd;
         proxy_set_header X-WEBAUTH-USER $remote_user;
-        proxy_pass http://localhost:3000/login;
+        proxy_pass http://host.docker.internal:3000/login;
       }
 
       proxy_set_header Authorization "";
-      proxy_pass http://localhost:3000/;
+      proxy_pass http://host.docker.internal:3000/;
     }
   }
 }