auth_request + php-fpm + POST request

Arno0x0x nginx-forum at nginx.us
Sat Apr 11 13:21:30 UTC 2015 

Hi,

I'm using the auth_request module to enable custom (2fa) authentication to
protect my whole website, no matter the various applications I host on this
website. So the auth_request directive is set at the "server" level.

The authentication subrequest works fine, except for client POST requests
where the php auth script holds forever until I get a timeout in the nginx
error.log :
"*1 upstream timed out (110: Connection timed out) while reading response
header from upstream"

It took me a while guessing why, but my guess is, from the debug trace I
created, that the PHP script sees both a "content-length" and "content-type"
in the HTTP headers, but the request body is not being sent to the auth
scripts (there's no need anyway, all I need is the cookies).

I had to trick the config to make it work, and that's what I'm sharing here,
but I'd like to know if there's a more "standard" way to deal with this.

My nginx.conf file is standard, and here is the bits from my
"sites-available" config file:
-----------------------------------------------------------------------------------------
server {
	listen   443;
	server_name www.example.eu;

	ssl on;
	ssl_certificate /etc/nginx/ssl/www.exemple.eu.crt;
	ssl_certificate_key /etc/nginx/ssl/www.exemple.eu.key;
	ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
	ssl_ciphers 'AES256+EECDH:AES256+EDH';
	ssl_prefer_server_ciphers on;
	ssl_session_cache shared:SSL:10m;
	
	root var/www/exemple.eu;
	index index.php index.html index.htm;

	auth_request /twofactorauth/auth/auth.php;

 	error_page 401 = @error401;
	
	location @error401 {
        	return 302 $scheme://$host/twofactorauth/login/login.html;
	}

	location / {
		try_files $uri $uri/ /index.html;
	}

	location ~ \.php$ {
		fastcgi_pass unix:/var/run/php5-fpm.sock;
		fastcgi_index index.php;
		include fastcgi.conf;
	}

	location = /twofactorauth/auth/auth.php {
		fastcgi_pass unix:/var/run/php5-fpm.sock;
		include fastcgi.conf;
		fastcgi_param REQUEST_METHOD "GET"; 
    }

	location /twofactorauth/login/ {
		auth_request off;
        location ~ \.php$ {
                fastcgi_pass unix:/var/run/php5-fpm.sock;
                fastcgi_index index.php;
                include fastcgi.conf;
        }
	}
}
-----------------------------------------------------------------------------------------

See the trick ? The auth.php script is being forced a "GET" method even when
the client used a POST request.

By the way, I didn't manage to get the whole auth_request config working
using all the "proxy_pass" stuff. So I used a straight call to the auth.php
script.

Any ideas are welcomed.
Cheers
Arno0x0x

Posted at Nginx Forum: http://forum.nginx.org/read.php?2,257968,257968#msg-257968

More information about the nginx mailing list