limit_except strange by bug or design?

Maxim Dounin mdounin at mdounin.ru
Mon Sep 14 00:46:19 MSD 2009


Hello!

On Sun, Sep 13, 2009 at 08:54:37PM +0200, Micha Glave wrote:

> I have a problem with the limit_except command. I try to offer a public 
> Mercurial-Repository with nginx as frontend. In short: GET is allowed, 
> POST needs authentication.
>
> In my simple mind I thought this config would fit:
>
> _config_
>         location /public/ {
>                 limit_except GET {
>                        auth_basic            "Authenticate";
>                        auth_basic_user_file  /var/hg/hg_user;
>                  }
>
>                 set  $path_info      "";
>                 if ($fastcgi_script_name ~ "^(/.+)$") {
>                         set  $path_info $1;
>                 }
>
>                 include        fastcgi_params;
>                 fastcgi_param  AUTH_USER          $remote_user;
>                 fastcgi_param  REMOTE_USER        $remote_user;
>                 fastcgi_param  SCRIPT_NAME "";
>                 fastcgi_param  PATH_INFO $path_info;
>                 fastcgi_pass   127.0.0.1:10040;
>         }
> _/config_
>
> In practice it ends with this situation: GET works as expected;
> Trying POST ends with a timeout at clientside and this log at  
> serverside:
>
> _log_
> 2009/09/11 11:07:39 [error] 21423#0: *361 "/var/hg/www/public/ 
> repository/index.html" is not found (2:
>  No such file or directory), client: 213.170.191.78, server:  
> hg.domain.com, request: "POST /public/repository/? 
> cmd=unbundle&heads=3853d3bd894379d0bd69822fccdabf6b90cf53a3 HTTP/1.1",  
> host: "hg.domain.com"
> _/log_
>
> the ".../index.html is not found" says to me that the fastcgi-part is  
> ignored. By intention or bug. Am I right?

Yes.  Directive limit_except effectively creates another location 
with separate configuration, and fastcgi_pass isn't inherited 
there.

For proxy_pass you should be able to do

    location / {
        limit_except GET {
            auth_basic ...
            proxy_pass http://master-backend;
        }
        proxy_pass http://slave-backends;
    }

It's not allowed now for fastcgi_pass though.  You should either 
patch it by hand or use another approach - e.g. just rewrite 
non-GET/HEAD requests to another location with authentication 
required.

Maxim Dounin

>
> What is the intention of this approach? Is there a better way of solving 
> this problem?
>
> I am stumped
>
> Micha
>
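
The workaround suggested in the reply (rewrite non-GET/HEAD requests to another location that requires authentication) could look like this for the configuration quoted in the question. This is an added example, not part of the original thread: the `/public-auth/` prefix is a hypothetical name chosen for illustration, while the realm, user file and backend address are taken from the quoted config.

```nginx
# Added example; /public-auth/ is a hypothetical prefix, not from the thread.
location /public/ {
    # limit_except GET also lets HEAD through, so both stay unauthenticated.
    # Every other method is moved to the authenticated location below.
    if ($request_method !~ ^(GET|HEAD)$) {
        rewrite ^/public/(.*)$ /public-auth/$1 last;
    }

    set  $path_info      "";
    if ($fastcgi_script_name ~ "^(/.+)$") {
        set  $path_info $1;
    }

    # REMOTE_USER/AUTH_USER are not passed here: no credentials are
    # verified in this location.
    include        fastcgi_params;
    fastcgi_param  SCRIPT_NAME  "";
    fastcgi_param  PATH_INFO    $path_info;
    fastcgi_pass   127.0.0.1:10040;
}

location /public-auth/ {
    # Reachable only through the rewrite above, not by a direct client request.
    internal;

    auth_basic            "Authenticate";
    auth_basic_user_file  /var/hg/hg_user;

    # The rewrite changed the URI, so map it back to the /public/ path
    # that the backend expects.
    set  $path_info      "";
    if ($fastcgi_script_name ~ "^/public-auth(/.+)$") {
        set  $path_info /public$1;
    }

    include        fastcgi_params;
    fastcgi_param  AUTH_USER    $remote_user;
    fastcgi_param  REMOTE_USER  $remote_user;
    fastcgi_param  SCRIPT_NAME  "";
    fastcgi_param  PATH_INFO    $path_info;
    fastcgi_pass   127.0.0.1:10040;
}
```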




