Feature extension to auth_request module: FastCGI authorizer

davidjb nginx-forum at nginx.us
Mon Apr 22 04:35:51 UTC 2013


I've written an additional feature into the Auth Request module (from
http://mdounin.ru/hg/ngx_http_auth_request_module/) that allows a user to
control the behaviour of the auth_request in such a way that it can act as a
FastCGI authorizer.  This patch that I have written allows the user to
specify the flag "authorizer=on" against a call to "auth_request" (e.g.
"auth_request /my-auth authorizer=on;") and the auth request module will
behave as per the authorizer specification
(http://www.fastcgi.com/drupal/node/22#S6.3).

There is one (potentially significant) caveat for now, which is that
request/response bodies are not passed to the authorizer or back to the
client respectively - assistance on this would be greatly appreciated.
However, as it stands at present, the authorizer mode is able to correctly
handle situations where only the headers are utilised -- e.g. the Shibboleth
SSO FastCGI authorizer which relies on redirection and cookies and never a
response/request body.  This satisfies at least what I need it for at
present and authentication works successfully.

I'd like to see about whether this can be included within the main module
itself at http://mdounin.ru/hg/ngx_http_auth_request_module, as I know this
will be useful to more than just me.  For example, see the various posts and
questions surrounding this:
https://www.google.com/search?q=fastcgi+authorizer+nginx

The latest version of my module lives at:
https://bitbucket.org/davidjb/ngx_http_auth_request_module

and the one main diff is located at:
https://bitbucket.org/davidjb/ngx_http_auth_request_module/commits/3d865a718d3e34e4e353962ccc71c588a806db31/raw/

Comments are more than welcome.

Thanks,
David

Posted at Nginx Forum: http://forum.nginx.org/read.php?2,238523,238523#msg-238523
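
The header-only authorizer decision described in the post, as an added example that is not part of the original message or of the module's code: it models the FastCGI specification's authorizer rules (section 6.3), where a 200 response allows the request and its "Variable-" headers become variables for it, and any other status is relayed to the client. The names `Decision` and `parse_authorizer_response` and the sample responses are constructed for illustration.

```python
from dataclasses import dataclass, field

VARIABLE_PREFIX = "variable-"  # spec 6.3: "Variable-NAME" headers carry values for the request


@dataclass
class Decision:
    allow: bool
    status: int
    client_headers: list = field(default_factory=list)  # relayed to the client on deny
    variables: dict = field(default_factory=dict)        # exposed to the request on allow


def parse_authorizer_response(raw: bytes) -> Decision:
    """Interpret the CGI-style header block an authorizer writes to stdout.

    Raises ValueError on malformed input; a caller should treat that as deny.
    """
    head, _, _body = raw.partition(b"\r\n\r\n")  # body dropped: header-only mode
    status, headers = 200, []  # CGI default when no Status header is present
    for line in head.decode("latin-1").split("\r\n"):
        if not line:
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed header line: {line!r}")
        name, value = name.strip(), value.strip()
        if name.lower() == "status":
            status = int(value[:3])  # "302 Found" -> 302
        else:
            headers.append((name, value))
    if status == 200:
        # Allow: strip the prefix and hand the values to the protected request.
        variables = {n[len(VARIABLE_PREFIX):]: v for n, v in headers
                     if n.lower().startswith(VARIABLE_PREFIX)}
        return Decision(True, status, [], variables)
    # Deny: the status and headers (redirect, cookies) go back to the client.
    return Decision(False, status, headers, {})


# Constructed sample responses (not captured from a real authorizer).
ALLOW = (b"Status: 200 OK\r\nVariable-REMOTE_USER: alice\r\n"
         b"Variable-AUTH_TYPE: shibboleth\r\n\r\n")
REDIRECT = (b"Status: 302 Found\r\nLocation: https://idp.example.org/sso\r\n"
            b"Set-Cookie: _session=constructed; Secure; HttpOnly\r\n\r\n<html>ignored</html>")

if __name__ == "__main__":
    print(parse_authorizer_response(ALLOW))
    print(parse_authorizer_response(REDIRECT))
```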


