[RFC] auth_request: Add auth_request_intercept_errors (on by default)
Maxim Dounin
mdounin at mdounin.ru
Mon Oct 27 14:29:26 UTC 2014
Hello!
On Sat, Oct 25, 2014 at 09:27:39AM -0700, W. Trevor King wrote:
> The patch successfully passes through error codes, but I haven't been
> able to find a way to distinguish between auth-endpoint errors and
> errors from the authorized endpoint. For example, with:
>
>   location = /auth {
>     proxy_pass http://auth.example.com/;
>     proxy_pass_request_body off;
>     proxy_set_header Content-Length "";
>     proxy_set_header X-Original-URI $request_uri;
>     proxy_read_timeout 5s;
>     proxy_intercept_errors on;
>     error_page 504 =504 @504-auth;
>   }
>
>   location / {
>     auth_request /auth;
>     auth_request_intercept_errors off;
>     proxy_pass http://api.example.com/;
>   }
>
>   location @504-auth {
>     return 504 "auth timeout";
>   }
>
> I get the generic 504 error when either auth.example.com or
> api.example.com times out. I expect this is due to the auth_request
> handler stripping the response body from the auth request, with a flow
> like:
[...]
> Do folks besides me want this feature? Can anyone give me hints on
> auth-specific error messages?
Without any patches, you can do something like this (not tested
though):

    location / {
        auth_request /auth;
        auth_request_set $auth_timeout $upstream_http_x_auth_timeout;
        error_page 403 = /auth_timeout;
        proxy_pass ...
    }

    location = /auth {
        error_page 504 = /auth_helper;
        proxy_pass http://auth.example.com;
        ...
    }

    location = /auth_helper {
        add_header X-Auth-Timeout 1 always;
        return 403;
    }

    location = /auth_timeout {
        if ($auth_timeout) {
            return 504;
        }
        return 403;
    }

With this config, the 403 with a special header is used by the auth
endpoint to indicate timeouts, and a special error_page for 403 is
used to distinguish between various reasons for 403.
--
Maxim Dounin
http://nginx.org/