The reason of ignoring subrequest in access phase hander.

洪志道 hongzhidao at gmail.com
Mon Dec 24 15:48:31 UTC 2018


Get it, thanks for your explanation.

I faced it by the following usage of lua, and I think it's resonable for
developers.

location /test {
   content_by_lua_block {
       local res = ngx.location.capture("/other"); -- post subrequest
   }
}

location /other {
   access_by_lua_block {
       ...
   }
}

It's ok for us to replace it with rewrite.
Anyway, do you still think it's better to restrict subrequests in access
phase handler?



On Mon, Dec 24, 2018 at 10:06 PM Maxim Dounin <mdounin at mdounin.ru> wrote:

> Hello!
>
> On Mon, Dec 24, 2018 at 03:38:00AM +0800, 洪志道 wrote:
>
> > Hi.
> >
> > I'm wondering the reason of ignoring subrequests in access phase hander.
> > Can anyone explain it to me?
> >
> > 1069 ngx_int_t
> > 1070 ngx_http_core_access_phase(ngx_http_request_t *r,
> > ngx_http_phase_handler_t *ph)
> > 1071 {
> > 1072     ngx_int_t                  rc;
> > 1073     ngx_http_core_loc_conf_t  *clcf;
> > 1074
> > 1075     if (r != r->main) {
> > 1076         r->phase_handler = ph->next;
> > 1077         return NGX_AGAIN;
> > 1078     }
> > 1079
>
> Access checks are expected to apply to the main request, but make
> little to no sense for subrequests.  E.g., if you are using
> IP-based restrictions or Basic HTTP authentication, both are
> exactly identical for the main request and subrequests.  As such,
> it is enough to do the checks for the main request only, and this
> is what nginx does.
>
> Note that it implies that access restrictions configured for the
> main requests are expected to be enough for all subrequests it can
> initiate.
>
> --
> Maxim Dounin
> http://mdounin.ru/
> _______________________________________________
> nginx-devel mailing list
> nginx-devel at nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx-devel
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nginx.org/pipermail/nginx-devel/attachments/20181224/63bfedf6/attachment-0001.html>


More information about the nginx-devel mailing list