Feature extension to auth_request module: FastCGI authorizer

Maxim Dounin mdounin at mdounin.ru
Mon Apr 22 16:39:26 UTC 2013


On Mon, Apr 22, 2013 at 12:35:51AM -0400, davidjb wrote:

> I've written an additional feature into the Auth Request module (from
> http://mdounin.ru/hg/ngx_http_auth_request_module/) that allows a user to
> control the behaviour of the auth_request in such a way that it can act as a
> FastCGI authorizer.  This patch that I have written allows the user to
> specify the flag "authorizer=on" against a call to "auth_request" (eg
> "auth_request /my-auth authorizer=on;") and the auth request module will
> behave as per the authorizer specification
> (http://www.fastcgi.com/drupal/node/22#S6.3).
> There is one (potentially significant) caveat for now is that
> request/response bodies are not passed to the authorizer or back to the
> client respectively - assistance on this would be greatly appreciated. 
> However, as it stands at present, the authorizer mode is able to correctly
> handle situations where only the headers are utilised -- eg the Shibboleth
> SSO FastCGI authorizer which relies on redirection and cookies and never a
> response/request body.  This satisfies at least what I need it for at
> present and authentication works successfully.
> I'd like to see about whether this can be included within the main module
> itself at http://mdounin.ru/hg/ngx_http_auth_request_module, as I know this
> will be useful to more than just me.  For example, see the various posts and
> questions surrounding this: 
> https://www.google.com/search?q=fastcgi+authorizer+nginx  . 
> The latest version of my module lives at:
> https://bitbucket.org/davidjb/ngx_http_auth_request_module
> and the one main diff is located at:
> https://bitbucket.org/davidjb/ngx_http_auth_request_module/commits/3d865a718d3e34e4e353962ccc71c588a806db31/raw/
> Comments are more than welcome.

For me it doesn't looks like what you do actually matches FastCGI 
Authorizer specification.  Even if we ignore the fact that body 
isn't handled properly, and authorizer mode isn't advertized to 

Most of the code in the patch seems to be dedicated to special 
processing of Variable-* headers.  But they don't seem to do what  
they are expected to do as per FastCGI spec - with your code the 
"Variable-AUTH_METHOD" header returned by an authorizer will 
result in "AUTH_METHOD" header being passed to the application, 
i.e. it will be available in HTTP_AUTH_METHOD variable in 
subsequent FastCGI requests - instead of AUTH_METHOD variable as 
per FastCGI spec.

Please also note that it's bad idea to try to modify input headers - 
this is not something expected to be done by modules, and will 
result in a segmentation fault if you'll try to do it in a 

Maxim Dounin

More information about the nginx mailing list