[nginx] allowing auth_request to proxy TOO_MANY_REQUESTS

Anders Nicolaisen alvn at alvn.dk
Fri Oct 7 10:52:58 UTC 2022


Having the authentication server handling the 429_TOO_MANY_REQUESTS,
allows it to accommodate users with varying limits;
e.g. user1 is allowed 3 requests per second, and user2 is allowed 10 r/s.

The auth_request location can still specify the cache times of the responses
to whatever is wanted, like so:

location = /auth {
  internal;
  proxy_pass http://localhost:8888/auth;

  proxy_pass_request_body off; # no need to send the POST body
  proxy_set_header Content-Length "";

  proxy_set_header X-Original-URI  $request_uri;
  proxy_set_header X-Real-IP       $remote_addr;
  proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
  proxy_set_header X-Real-Method   $request_method;

  proxy_cache           AUTH;
  proxy_cache_valid     200 10m;
  proxy_cache_valid     401 403 1m;
  proxy_cache_valid     429 1s;
  proxy_cache_use_stale timeout updating http_500 http_502;
  proxy_cache_lock      on;
  proxy_cache_key       $request_method$request_uri$http_authorization;
}



# HG changeset patch
# User Anders L. V. Nicolaisen <alvn at alvn.dk>
# Date 1665061111 0
#      Thu Oct 06 12:58:31 2022 +0000
# Node ID 1d2e22110b6abe7476417d925cc39178c6bd7d9e
# Parent  ba5cf8f73a2d0a3615565bf9545f3d65216a0530
[nginx] allowing auth_request to proxy TOO_MANY_REQUESTS

diff -r ba5cf8f73a2d -r 1d2e22110b6a
src/http/modules/ngx_http_auth_request_module.c
--- a/src/http/modules/ngx_http_auth_request_module.c   Thu Sep 08 13:53:49
2022 +0400
+++ b/src/http/modules/ngx_http_auth_request_module.c   Thu Oct 06 12:58:31
2022 +0000
@@ -138,6 +138,10 @@
             return ctx->status;
         }

+        if (ctx->status == NGX_HTTP_TOO_MANY_REQUESTS) {
+            return ctx->status;
+        }
+
         if (ctx->status == NGX_HTTP_UNAUTHORIZED) {
             sr = ctx->subrequest;
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nginx.org/pipermail/nginx-devel/attachments/20221007/66e7bd04/attachment.htm>


More information about the nginx-devel mailing list