Making http_auth_request_module a first-class citizen? [patch]

Maxim Dounin mdounin at
Thu Feb 16 16:07:18 UTC 2012


On Thu, Feb 16, 2012 at 08:16:03AM +0400, Max wrote:

> 15 февраля 2012, 18:50 от Maxim Dounin <mdounin at>:
> > Hello!
> > 
> > On Wed, Feb 15, 2012 at 08:56:49AM -0500, Maxim Khitrov wrote:
> > 
> > > Hello Maxim,
> > > 
> > > Back in 2010 you wrote that it's not likely that your
> > > http_auth_request_module would make it into nginx core. I'm curious if
> > > anything has changed over the past two years?
> > > 
> > > It's not that compiling this module into nginx is a problem
> > > (especially on FreeBSD), but I think a lot of people are inherently
> > > weary of depending on 3rd-party modules, since there is no guarantee
> > > of continued support.
> > > 
> > > What do you think about adding your module to the main nginx repository?
> > 
> > There are no immediate plans, but this may happen somewhere in the 
> > future.
> Hello fellow Maxims and others,
> I took a closer look at the auth_request module source code today and
> realized that I was partially wrong about auth_request authorization
> subrequests causing the entire requested file to be retrieved from the
> backend server. I apologize for the confusion my posts may have
> caused. Due to sr->header_only being set to 1, the connection to the
> backend server is terminated from within ngx_http_upstream_send_response()
> as soon as the HTTP request status code is received.

Yes.  This is basically a workaround for cases when people 
unintentionally return data to auth subrequest, it makes sure that 
no unexpected data are sent to client in any case.


> All of these issues can be avoided simply by using HEAD method
> requests for authorization subrequests. According to my

Using HEAD is not an option in auth_request itself, as it doesn't 
know how auth subrequest will be handled.  E.g. it may be passed to 
fastcgi, or even hit static file.

If you handle auth subrequests with proxy_pass, you may use 
proxy_set_method to issue HEAD requests to backend.  Or you may 
use correct auth endpoint which doesn't return unneeded data.


> I have also modified the auth_request module to use HEAD method
> authorization subrequests by default. This setting can be
> overridden in the configuration file by using the proxy_method
> directive, of course.
> You can find my auth_request module patch here:

The patch is wrong by design, see above.  Moreover, it makes it 
impossible to correctly pass original request method to auth 

Maxim Dounin

More information about the nginx mailing list