[nginx] allowing auth_request to proxy TOO_MANY_REQUESTS
Maxim Dounin
mdounin at mdounin.ru
Tue Oct 11 13:21:59 UTC 2022
Hello!
On Tue, Oct 11, 2022 at 01:04:36PM +0200, Anders Nicolaisen via nginx-devel wrote:
> I have tried your suggestion, but it seems to not quite fit my use case.
>
> Does your suggestion not eliminate the authentication server entirely
> for any upstream servers?
>
> My preferred use case would be to have auth_request intercept all calls,
> and only relay the accepted ones.
>
> Something like this:
> ------------
> server {
>     auth_request /auth;
>
>     location /v1/endpoint {
>         proxy_pass http://localhost:7777/v1;
>     }
>
>     location /v2/endpoint {
>         proxy_pass http://localhost:6666/v2;
>     }
>
>     location = /auth {
>         internal;
>         proxy_pass http://localhost:8888/authentication;
>         [..]
>     }
> }
> -----------
>
> With the authentication server responding with X-Accel-Redirect, it still gets
> interpreted by auth_request and 429 can never be sent directly to the user.
The X-Accel-Redirect approach replaces auth_request entirely.
Instead, you pass all requests to the upstream server, and this
upstream server decides whether to return an error to the user, or
to X-Accel-Redirect the request to an internal location which
returns the actual response. E.g.,

    server {
        listen 8080;

        location / {
            proxy_pass http://127.0.0.1:8081;
        }

        location @protected {
            proxy_pass ...;
        }
    }

    server {
        listen 8081;

        # an example X-Accel-Redirect server
        # which rejects requests with 'foo' argument set to a true
        # value

        if ($arg_foo) {
            return 429;
        }

        add_header X-Accel-Redirect @protected;
        return 204;
    }

Hope this helps.
--
Maxim Dounin
http://mdounin.ru/
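
Added example, not part of the message above and not nginx project code: a sketch of the decision server behind `location /` (port 8081 in the reply) that either returns 429 directly or sends X-Accel-Redirect to a named location, extended to the two endpoints from the quoted question. The names `decide`, `ROUTES`, `@v1` and `@v2`, the limit values and the `X-Real-IP` header are assumptions.

```python
# Added example: decision logic for the server nginx proxies every request to.
# Route names, limits and the client key are assumptions, not from the thread.
import time
from http.server import BaseHTTPRequestHandler, HTTPServer

# Assumed named locations; each needs a matching "location @v1 { proxy_pass ...; }".
ROUTES = {"/v1/endpoint": "@v1", "/v2/endpoint": "@v2"}
LIMIT, WINDOW = 5, 60.0           # assumed: 5 requests per client per 60 s
_hits = {}                        # client -> (window_start, count)

def decide(client, path, now=None):
    """Return (status, headers) for one request from `client` to `path`."""
    now = time.monotonic() if now is None else now
    target = next((loc for prefix, loc in ROUTES.items()
                   if path == prefix or path.startswith(prefix + "/")), None)
    if target is None:
        return 404, {}
    start, count = _hits.get(client, (now, 0))
    if now - start >= WINDOW:     # window expired: start a new one
        start, count = now, 0
    if count >= LIMIT:
        retry = max(1, int(start + WINDOW - now))
        return 429, {"Retry-After": str(retry)}   # relayed to the user as-is
    _hits[client] = (start, count + 1)
    # nginx does an internal redirect to the named location instead of
    # relaying this 204 to the user.
    return 204, {"X-Accel-Redirect": target}

class Handler(BaseHTTPRequestHandler):
    def do_GET(self):
        # Assumes the front server sets: proxy_set_header X-Real-IP $remote_addr;
        client = self.headers.get("X-Real-IP", self.client_address[0])
        status, headers = decide(client, self.path.split("?", 1)[0])
        self.send_response(status)
        for name, value in headers.items():
            self.send_header(name, value)
        self.send_header("Content-Length", "0")
        self.end_headers()
    do_HEAD = do_GET

if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 8081), Handler).serve_forever()
```

The named locations should stay reachable only through the redirect, and the decision server should listen on loopback so its verdict cannot be bypassed or spoofed from outside.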