auth_request and multiple sequential subrequests

agentzh agentzh at gmail.com
Mon Feb 14 07:27:50 MSK 2011


On Thu, Feb 3, 2011 at 7:16 PM, Pavel Kolla <pavelkolla at gmail.com> wrote:
>
> location /t1
> {
> #   internal
>    auth_request    /t2;
>    set $t 1;
>    echo "t1 $t";
> }
>

Your /t1 does not run auth_request when it is used in a subrequest
just because nginx access phase handlers will be skipped altogether
for subrequests (as opposed to rewrite and content phase handlers).
This is a common pitfall but can also be a useful feature for minor
optimizations.

You put "set $t 1" after "auth_request" here is confusing. Because
"set" runs at the rewrite phase and will always run before any access
phase directives like "auth_request" even if you put "set" after it.

BTW, you can utilize the rewrite_by_lua directive to do this kind of
generalized access control like this:

    rewrite_by_lua '
        local res = ngx.location.capture("/some_location")
        if res.status == ngx.HTTP_FORBIDDEN then
            return res.status
        end

        if res.status ~= ngx.HTTP_OK then
            return ngx.HTTP_INTERNAL_SERVER_ERROR
        end
    ';

This is the first-order approximation of a rewrite-phase auth_request
using ngx_lua and rewrite phase handlers also run in subrequests :)

See http://github.com/chaoslawful/lua-nginx-module for details.

> At this stage i'm not even sure if it is possible to use auth_request directive
> in a subrequest, so i seek for wisdom here...
>

Surely not. See the reason I've given above :)

Cheers,
-agentzh



More information about the nginx mailing list