Doing an "upstream" request without sending result back to client
Vincent Gross
dermiste at kilob.yt
Tue Dec 3 01:26:56 UTC 2013
On Mon, Dec 02, 2013 at 05:48:40PM +0400, Maxim Dounin wrote:
> Hello!
>
> On Mon, Dec 02, 2013 at 09:22:50PM +1100, Vincent Gross wrote:
>
> > Hi folks,
> >
> > I want to implemement a webid authn module in nginx. This is the big picture:
> >
> > 1. Client do an https request and sends a client cert
> > 2. Certs contains a subjectAltName URI, e.g. https://mysite.info/id/
> > 3. Server fetches https://mysite.info/id/ content
> > 4. If content do contains public key info matching client cert, authn
> > successful.
> >
> > From what I see in src/http/ngx_http_upstream.c in functions
> > ngx_http_upstream_process_header(ngx_http_request_t *, ngx_http_upstream_t *)
> > & ngx_http_upstream_send_response(ngx_http_request_t *, ngx_http_upstream_t *),
> > it is not possible to do the request [3] without sending back at least a
> > response header back to the client.
> >
> > Did I miss something or am I really setting myself for reimplementing the
> > mechanisms of ngx_http_upstream.c? Any advices/guidelines for the latter (other
> > then taking example on original upstream?)
>
> You may try looking into subrequests, in particular -
> NGX_HTTP_SUBREQUEST_IN_MEMORY functionality.
Thank you for the reply Maxim, I gave it a quick shot based on your auth
request module.
As I understand it, subrequests are always done in the current server space, so
if want to GET on a foreign server, I would need an other location with some
substitutions to appropriately fill the proxy_pass value. Am I right ?
Also this means I need to add a location whose sole purpose is to translate
from inner reqs to outer reqs, I don't feel good abusing the config file in
such a way, given that the whole point of webid is to have decentralized authn.
Cheers,
--
Vincent
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 196 bytes
Desc: not available
URL: <http://mailman.nginx.org/pipermail/nginx-devel/attachments/20131203/19cc4ecd/attachment.bin>
More information about the nginx-devel
mailing list