auth request body mask/unmask proposal
Davood Falahati
0x0davood at gmail.com
Thu May 18 22:05:57 UTC 2023
# HG changeset patch
# User Davood Falahati <0x0davood at gmail.com>
# Date 1684446142 -7200
# Thu May 18 23:42:22 2023 +0200
# Node ID c073e545e1cdcc736f8869a012a78b2dd836eac9
# Parent 77d5c662f3d9d9b90425128109d3369c30ef5f07
Proposal: add the capacity to ngx_http_auth_request_module to return
external auth service response body.
Why do we need it? Error handling inside mobile/web clients are being
disrupted on receiving 401 from external auth service. For instance,
external auth service returns 401 response along with an important error
message that client should read.
Why do we need to change the patch? ngx_http_auth_request_module doesn't
send the external response body by design. This module intercepts the
external auth_request response body and doesn't send it to the client. It
lets the admin send a customized error-page, but it doesn't open and read
external auth's response body.
send external auth service body response to client if
auth_request_mask_body flag is off
diff -r 77d5c662f3d9 -r c073e545e1cd
src/http/modules/ngx_http_auth_request_module.c
--- a/src/http/modules/ngx_http_auth_request_module.c Tue Apr 18 06:28:46
2023 +0300
+++ b/src/http/modules/ngx_http_auth_request_module.c Thu May 18 23:42:22
2023 +0200
@@ -13,6 +13,7 @@
typedef struct {
ngx_str_t uri;
ngx_array_t *vars;
+ ngx_flag_t mask_auth_response_body;
} ngx_http_auth_request_conf_t;
@@ -63,6 +64,13 @@
0,
NULL },
+ { ngx_string("auth_request_mask_body"),
+ NGX_HTTP_LOC_CONF | NGX_CONF_TAKE1,
+ ngx_conf_set_flag_slot,
+ NGX_HTTP_LOC_CONF_OFFSET,
+ offsetof(ngx_http_auth_request_conf_t, mask_auth_response_body),
+ NULL },
+
ngx_null_command
};
@@ -106,6 +114,8 @@
ngx_http_post_subrequest_t *ps;
ngx_http_auth_request_ctx_t *ctx;
ngx_http_auth_request_conf_t *arcf;
+ ngx_buf_t *b;
+ ngx_chain_t out, *in;
arcf = ngx_http_get_module_loc_conf(r, ngx_http_auth_request_module);
@@ -140,7 +150,36 @@
if (ctx->status == NGX_HTTP_UNAUTHORIZED) {
sr = ctx->subrequest;
+ /*
+ * send external auth service response body to the client
+ */
+ if (!arcf->mask_auth_response_body) {
+ r->headers_out.content_type = sr->headers_out.content_type;
+
+ b = ngx_calloc_buf(r->pool);
+ if (b == NULL) {
+ return NGX_ERROR;
+ }
+
+ r->headers_out.status = ctx->status;
+
+ b->last_buf = 1;
+ b->last_in_chain = 1;
+ b->memory = 1;
+
+ out.buf = b;
+ out.next = NULL;
+
+ in = sr->out;
+ in->next = &out;
+
+ ngx_http_send_header(r);
+ return ngx_http_output_filter(r, in);
+ }
+
+ return ctx->status;
+ }
h = sr->headers_out.www_authenticate;
if (!h && sr->upstream) {
@@ -164,8 +203,7 @@
h = h->next;
}
- return ctx->status;
- }
+
if (ctx->status >= NGX_HTTP_OK
&& ctx->status < NGX_HTTP_SPECIAL_RESPONSE)
@@ -192,9 +230,10 @@
ps->handler = ngx_http_auth_request_done;
ps->data = ctx;
+
if (ngx_http_subrequest(r, &arcf->uri, NULL, &sr, ps,
- NGX_HTTP_SUBREQUEST_WAITED)
- != NGX_OK)
+ arcf->mask_auth_response_body ?
NGX_HTTP_SUBREQUEST_WAITED:
+ NGX_HTTP_SUBREQUEST_IN_MEMORY) != NGX_OK)
{
return NGX_ERROR;
}
@@ -209,8 +248,10 @@
return NGX_ERROR;
}
- sr->header_only = 1;
-
+ if (arcf->mask_auth_response_body)
+ {
+ sr->header_only = 1;
+ }
ctx->subrequest = sr;
ngx_http_set_ctx(r, ctx, ngx_http_auth_request_module);
@@ -322,6 +363,7 @@
*/
conf->vars = NGX_CONF_UNSET_PTR;
+ conf->mask_auth_response_body = NGX_CONF_UNSET;
return conf;
}
@@ -335,6 +377,7 @@
ngx_conf_merge_str_value(conf->uri, prev->uri, "");
ngx_conf_merge_ptr_value(conf->vars, prev->vars, NULL);
+ ngx_conf_merge_value(conf->mask_auth_response_body,
prev->mask_auth_response_body,1);
return NGX_CONF_OK;
}
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nginx.org/pipermail/nginx-devel/attachments/20230519/0ebdec9b/attachment.htm>
More information about the nginx-devel
mailing list