Satisfy directive behaviour

Petra Kamenickova pkamenic at
Wed Jul 1 13:36:04 UTC 2015


I'm working on custom PAM module which could be used as an authorization support for authentication modules (e.g. ngx_http_auth_spnego_module) and I ran into few problems. I'm not sure I fully get the interactions between and within
phases in nginx. My background is Apache HTTP Server so that might have twisted my expectations. 

I have noticed that satisfy directive behaves slightly different than Apache's satisfy - nginx checks every module in access phase and the first successful invocation stops any subsequent checks whereas Apache's satisfy checks host based access vs. other access modules. It has some implications especially for authentication and authorization implications. What would be the best way to make sure that authorization phases that need authentication to be run gets that authentication executed, even with satisfy any?

The post access phase looks like a good place for authorization but it seems custom modules cannot really be added to this phase. So... is it possible to add somehow my module handler into post access phase without changing the core module? Or is there any way how to keep my module in access phase but skip the satisfy check for that module? 

I would be grateful for any help!

Petra Kamenickova

More information about the nginx-devel mailing list