Question about IF and auth subrequest

Maxim Dounin mdounin at mdounin.ru
Wed Feb 24 14:01:31 UTC 2021


Hello!

On Wed, Feb 24, 2021 at 10:39:57AM +0100, Vincent Blondel wrote:

> Hello all,
> I have a quick question about the usage of IF and auth_request.
> I would like to know if it is possible to use a IF statement to condition
> the proxy behaviour of one /location depending on the response headers of
> the sub auth request ...
> 
> location /subrequest/ {
>     proxy_pass xxx;
> }
> location /anyrequest/ {
>     auth_request /subrequest/;
> 
>     if ($response_header ~ '' ) {
>       proxy_pass_request_body off;
>       proxy_set_header Content-Length "";
>       proxy_pass ...
>     }
>     if ($response_header !~ '' ) {
>       proxy_pass xxx;
>     }
> }
> 
> Thank You in advance for your Support ...

No, it is not going to work.  The "if" directive and other rewrite 
module directives are executed as a part of selecing a 
configuration to process a request[1], and this happens before any 
authentication checks.

Things that can work:

- Using variables in the configuration and map[2] to conditionally 
  evaluate them after auth subrequest.  This might not be the best 
  approach in your particular case, as proxy_pass_request_body 
  does not support variables.

- Returning an error from auth subrequest, so you can switch to a 
  different location using error_page[3].

[1] http://nginx.org/en/docs/http/ngx_http_rewrite_module.html
[2] http://nginx.org/en/docs/http/ngx_http_map_module.html
[3] http://nginx.org/r/error_page

-- 
Maxim Dounin
http://mdounin.ru/


More information about the nginx mailing list