[ANNOUNCE] auth request module

agentzh agentzh at gmail.com
Sun Feb 28 09:09:27 MSK 2010

On Sun, Feb 28, 2010 at 3:00 AM, Maxim Dounin <mdounin at mdounin.ru> wrote:
> Here is auth request module, it allows authorization based on
> subrequest result.  It works at access phase and therefore may be
> nicely combined with other access modules (access, auth_basic) via
> satisfy directive.

This is really awesome!

But too sad the ngx_eval module can't work in subrequests itself so I
can not combine this with ngx_eval + ngx_drizzle + ngx_rds_json to do
mysql-based auth :)

It's mostly an issue in the ngx_eval, not your excellent
ngx_auth_request ;) Our ngx_srcache module will also take advantage of
subrequests to do response caching.

For now, I'm using something like this for mysql-based login and it
works on my machine [1]:

   location = /auth {
        default_type 'application/json';
        eval_subrequest_in_memory off;
        eval $res {
            set_quote_sql_str $user $arg_user;
            set_quote_sql_str $pass $arg_pass;
            set $sql 'select count(*) res from users where name=$user
and passwd=$pass';
            drizzle_query $sql;
            drizzle_pass backend;
            rds_json on;
            rds_json_content_type application/octet-stream;
        if ($res ~ '"res":1') {
            echo "Cool! you're already logged in!";
        if ($res !~ '"res":1') {
            return 403;

where the "backend" upstream name used in the drizzle_pass directive
is defined like this:

    upstream backend {
        drizzle_server dbname=test
             password=some_pass user=monty protocol=mysql;
        drizzle_keepalive max=400 overflow=reject;

Then we can login the system by GET /auth?user=john&pass=some_pass.
Well, it's just a naive demonstration. Hopefully I'm not too OT :P


[1] Here we're using my fork of ngx_eval module (
http://github.com/agentzh/nginx-eval-module ) for two important
features: 1) capture outputs from arbitrary locations with output
filter support, 2) pass the parent request's query string (or "args")
into the eval block.

More information about the nginx mailing list