[PATCH] Auth basic: Cache credentials if auth_basic_user_file is static

Maxim Dounin mdounin at mdounin.ru
Wed Oct 4 01:03:44 UTC 2023


Hello!

On Tue, Oct 03, 2023 at 03:46:05PM -0700, Toshihito Kikuchi wrote:

> # HG changeset patch
> # User Toshihito Kikuchi <leamovret at gmail.com>
> # Date 1696359541 25200
> #      Tue Oct 03 11:59:01 2023 -0700
> # Node ID e397ea6cfa85e85ae0865c5061397dc295fb7df1
> # Parent  3db945fda515014d220151046d02f3960bcfca0a
> Auth basic: Cache credentials if auth_basic_user_file is static.
> 
> In the current design, when auth_basic is on, every HTTP request triggers
> file I/O (open, read, close) to the file specified in auth_basic_user_file.
> Probably this is to allow auth_basic_user_file to contain variables.
> 
> If the value is just a static text, however, there is no reason to read the
> same file every request in every worker process.  It unnecessarily consumes
> system resources.
> 
> With this patch, if auth_basic_user_file does not have any variables, we
> cache its content in the location context at configuration time and use it
> in all subsequent requests.  If auth_basic_user_file contain variables, we keep
> the original behavior.

As currently implemented, auth_basic_user_file is read at runtime, 
making it possible to change users and their passwords - which is 
a relatively common task - without reloading nginx itself.  And 
this behaviour matches the one in Apache, which does the same.  
Changing this behaviour to read the password file while loading 
configuration (so any changes to the file won't be applied unless 
nginx is reloaded) would certainly break POLA, and needs some 
really good justification.

Further, in typical setups the file is effectively cached by the 
OS itself, making the I/O operations mentioned almost free, 
especially compared to costs of typical password hash 
calculations.

[...]

-- 
Maxim Dounin
http://mdounin.ru/


More information about the nginx-devel mailing list