Inconsistent behavior with Nginx's auth_request_set and more_set_input_headers

Maxim Dounin mdounin at
Mon Jun 30 22:52:20 UTC 2014


On Sat, Jun 28, 2014 at 05:35:27PM +0000, admin at wrote:

> Hi,
> I'm trying to use the auth_request module in conjunction with the
> more_set_input_headers to automatically login my users into web apps.
> Basically, it works like this:
> 1. Users have some session cookie that authenticates them.
> 2. I have a PHP script (auth.php) that validates the cookie and returns
> their proper username as a response header.
> 3. Nginx calls auth.php with auth_request, and sets the username in a
> variable.
> 4. Nginx then calls the web app with a request header set to the correct
> username.
> 5. The web app reads the header, and logs the user in.
> This works, but strangely inconsistent. The issue is that when a user
> accesses the web app on /app/, it works (the request header is sent), but
> when the app is accesssed on /app/index.php, it never receives the header
> from nginx.

This behaviour is likely due to the fact that 
"more_set_input_headers" handler is executed before access phase 
(where auth_request works), and hence only changes a request if 
it's internally redirected.

Solution to the problem is to stop using "more_set_input_headers" 
(it's anyway very wrong, request headers shouldn't be changed) and 
use native "fastcgi_param" instead:

   fastcgi_param HTTP_X_TEST_HEADER $auth_header;


Will link this answer there.

Maxim Dounin

More information about the nginx mailing list