how can I use external URI with the auth_request module

Francis Daly francis at daoine.org
Wed Feb 22 20:14:40 UTC 2017


On Wed, Feb 22, 2017 at 03:55:48AM +0200, Litichevskij Vova wrote:

Hi there,

> Or in this way with named location:
> 
> server {
> 
>     location / {
>         auth_request @auth;
>         proxy_pass http://protected.resource;
>     }
> 
>     location @auth {
>         proxy_pass http://external.url;
>     }
> }
> In this case the error is almost the same:
> 
> 2017/02/22 03:13:25 [error] 25476#0: *34 open() "/usr/local/html at auth" failed (2: No such file or directory), client: 127.0.0.1, server: , request: "GET / HTTP/1.1", subrequest: "@auth", host: "127.0.0.1"

I would (naively?) have expected the named location to Just Work. But
clearly it doesn't.

> I know there is a way like this:
> 
> server {
> 
>     location / {
>         auth_request /_auth_check;
>         proxy_pass http://protected.resource;
>     }
> 
>     location /_auth_check {
>         internal;
>         proxy_pass http://external.url;
>     }
> }
> But in this case the http://protected.resource can not use the /_auth_check path.

You can instead use "location = /_auth_check" if you are happy to reserve
exactly one url for internal use. (You'ld probably want to add a uri
part to the hostname in the proxy_pass directive.)

Or you could play games, and use a location which looks like it is a
named location, but actually is not, and is just a location that is
unlikely to be accessed directly, such as "location = @auth".

> Is there a way to use an external URI as a parameter for the auth_request directive without overlapping the http://protected.resource routing?

auth_request takes an argument which is a local uri.

> It looks a little bit strange to look for the auth_request's URI through static files (/usr/local/html).

It does whatever you configured nginx to do with that uri. (Apart from
the "@named" piece, which I'm not sure about.)

Cheers,

	f
-- 
Francis Daly        francis at daoine.org


More information about the nginx mailing list