<div dir="ltr"><div>Hi, <br></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Mon, 11 Mar 2024 at 19:07, Roman Arutyunyan <<a href="mailto:arut@nginx.com">arut@nginx.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Hi,<br>
<br>
On Mon, Mar 11, 2024 at 12:24:44PM +0530, Vineet Naik wrote:<br>
> Hello,<br>
> <br>
> I had sent the original email to the nginx mailing list address a week ago.<br>
> But I don't see it on the March 2024 archives page -<br>
> <a href="https://mailman.nginx.org/pipermail/nginx/2024-March/thread.html#start" rel="noreferrer" target="_blank">https://mailman.nginx.org/pipermail/nginx/2024-March/thread.html#start</a>. I<br>
> am wondering if that's the case because I was not subscribed to the mailing<br>
> list at the time of sending the email (I have subscribed just now) or if<br>
> it's stuck in moderation.<br>
> <br>
> Appreciate any help.<br>
> <br>
> Thanks,<br>
> Vineet<br>
> <br>
> On Mon, 4 Mar 2024 at 11:52, Vineet Naik <<a href="mailto:naikvin@gmail.com" target="_blank">naikvin@gmail.com</a>> wrote:<br>
> <br>
> > Hello,<br>
> ><br>
> > I am using the auth_request module to restrict access to static files at<br>
> > location `/`. I noticed that when authentication is successful, the `/auth`<br>
> > endpoint is receiving 2 requests for every request sent to nginx by the<br>
> > client application. Interestingly, this only happens when the user is<br>
> > logged in i.e. the `/auth` endpoint responds with 200 status code.<br>
> > Otherwise, the auth endpoint is called only once. I have verified this by<br>
> > logging every incoming request to `/auth` handler in the server<br>
> > application.<br>
<br>
It happens because of try_files. The last try_files argument performs internal<br>
redirect to the specified uri. Internal redirect is almost like a new request.<br>
While going through its phases, auth_request is processed again.<br>
<br>
<a href="https://nginx.org/en/docs/http/ngx_http_core_module.html#try_files" rel="noreferrer" target="_blank">https://nginx.org/en/docs/http/ngx_http_core_module.html#try_files</a></blockquote><div><br></div><div>This is helpful. Thanks. I'll try tweaking the config and see if this can be avoided. <br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><br>
<br>
> > I can see that the internal subrequests made by nginx to the auth endpoint<br>
> > are not being logged. Is there a way to enable logging for auth<br>
> > subrequests? How do I investigate this further?<br>
<br>
Yes, use 'log_subrequest on':<br>
<br>
<a href="https://nginx.org/en/docs/http/ngx_http_core_module.html#log_subrequest" rel="noreferrer" target="_blank">https://nginx.org/en/docs/http/ngx_http_core_module.html#log_subrequest</a><br>
<br>
> > Nginx config for reference:<br>
> ><br>
> > server {<br>
> > listen 80;<br>
> > server_name spapoc.local;<br>
> ><br>
> > access_log /var/log/nginx/spapoc.access.log main;<br>
> ><br>
> > location ~ ^/(login|logout) {<br>
> > auth_request off;<br>
> > proxy_pass <a href="http://127.0.0.1:5001" rel="noreferrer" target="_blank">http://127.0.0.1:5001</a>;<br>
> > proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;<br>
> > proxy_set_header X-Forwarded-Proto $scheme;<br>
> > proxy_set_header X-Forwarded-Host $host;<br>
> > proxy_set_header X-Forwarded-Prefix /;<br>
> > }<br>
> ><br>
> > location /xhr/ {<br>
> > auth_request off;<br>
> > proxy_pass <a href="http://127.0.0.1:5001/" rel="noreferrer" target="_blank">http://127.0.0.1:5001/</a>;<br>
> > proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;<br>
> > proxy_set_header X-Forwarded-Proto $scheme;<br>
> > proxy_set_header X-Forwarded-Host $host;<br>
> > proxy_set_header X-Forwarded-Prefix /;<br>
> > }<br>
> ><br>
> > location = /favicon.ico {<br>
> > auth_request off;<br>
> > root /home/vmadmin/spa;<br>
> > }<br>
> ><br>
> > location / {<br>
> > auth_request /auth;<br>
> > auth_request_set $auth_status $upstream_status;<br>
> > error_page 401 = @error401;<br>
> ><br>
> > root /home/vmadmin/spa;<br>
> > try_files $uri $uri/ /index.html;<br>
> > }<br>
> ><br>
> > location = /auth {<br>
> > internal;<br>
> > auth_request off;<br>
> > proxy_pass <a href="http://127.0.0.1:5001" rel="noreferrer" target="_blank">http://127.0.0.1:5001</a>;<br>
> > proxy_pass_request_body off;<br>
> > proxy_set_header Content-Length "";<br>
> > proxy_set_header X-Original-URI $request_uri;<br>
> > }<br>
> ><br>
> > location @error401 {<br>
> > return 302 /login;<br>
> > }<br>
> ><br>
> > #error_page 404 /404.html;<br>
> ><br>
> > # redirect server error pages to the static page /50x.html<br>
> > #<br>
> > error_page 500 502 503 504 /50x.html;<br>
> > location = /50x.html {<br>
> > root /usr/share/nginx/html;<br>
> > }<br>
> > }<br>
> ><br>
> > --<br>
> > Thanks,<br>
> > Vineet<br>
> ><br>
> ><br>
> <br>
> -- <br>
> ~ Vineet<br>
<br>
> _______________________________________________<br>
> nginx mailing list<br>
> <a href="mailto:nginx@nginx.org" target="_blank">nginx@nginx.org</a><br>
> <a href="https://mailman.nginx.org/mailman/listinfo/nginx" rel="noreferrer" target="_blank">https://mailman.nginx.org/mailman/listinfo/nginx</a><br>
<br>
--<br>
Roman Arutyunyan<br>
_______________________________________________<br>
nginx mailing list<br>
<a href="mailto:nginx@nginx.org" target="_blank">nginx@nginx.org</a><br>
<a href="https://mailman.nginx.org/mailman/listinfo/nginx" rel="noreferrer" target="_blank">https://mailman.nginx.org/mailman/listinfo/nginx</a><br>
</blockquote></div><br clear="all"><br><span class="gmail_signature_prefix">-- </span><br><div dir="ltr" class="gmail_signature"><div dir="ltr">~ Vineet<br><br></div></div></div>