[RFC] auth_request: Add auth_request_intercept_errors (on by default)

W. Trevor King wking at tremily.us
Sat Oct 25 16:27:39 UTC 2014

The patch successfully passes through error codes, but I haven't been
able to find a way to distinguish between auth-endpoint errors and
errors from the authorized endpoint.  For example, with:

  location = /auth {
    proxy_pass http://auth.example.com/;
    proxy_pass_request_body off;
    proxy_set_header Content-Length "";
    proxy_set_header X-Original-URI $request_uri;
    proxy_read_timeout 5s;
    proxy_intercept_errors on;
    error_page 504 =504 @504-auth;

  location / {
    auth_request /auth;
    auth_request_intercept_errors off;
    proxy_pass http://api.example.com/;

  location @504-auth {
    return 504 "auth timeout";

I get the generic 504 error when either auth.example.com or
api.example.com times out.  I expect this is due to the auth_request
handler stripping the response body from the auth request, with a flow

  1. Client requests /abc.
  2. Nginx matches location /, and creates a sub-request for /auth.
  3. Nginx matches location /auth, and sends a request to
  4. auth.example.com times out, Nginx creates a default 504 response.
  5. The /auth error_page catches the 504 and adjusts the response
  6. Nginx exits the /auth location, returning the adjusted 504 to the
     auth_request handler.
  7. ngx_http_auth_request_handler strips the response body.
  8. Nginx notices that the 504 doesn't have a body, and attaches the
     default body.
  9. A 504 with the default body is returned to the client.

I'm still trying to work out what's actually going on so I can respond
with an auth-specific timeout message.  However, I thought I'd send
the current patch as is (since it works for folks who don't need an
auth-specific messages and just want to pass through the error codes).
Do folks besides me want this feature?  Can anyone give me hints on
auth-specific error messages?


This email may be signed or encrypted with GnuPG (http://www.gnupg.org).
For more information, see http://en.wikipedia.org/wiki/Pretty_Good_Privacy
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: OpenPGP digital signature
URL: <http://mailman.nginx.org/pipermail/nginx-devel/attachments/20141025/10c5e333/attachment.bin>

More information about the nginx-devel mailing list