auth_request sub requests not using upstream keepalive
Maxim Dounin
mdounin at mdounin.ru
Sun Jan 30 20:30:46 UTC 2022
Hello!
On Fri, Jan 28, 2022 at 10:08:45PM -0800, Zach Rait wrote:
> I was exploring using auth_request from the ngx_http_auth_request_module,
> and I have encountered some unexpected behavior with regard to HTTP
> keepalive/connection reuse. I have some configuration that looks roughly
> like this:
>
> location = /auth_check {
> proxy_pass_request_body off;
> proxy_set_header Content-Length '';
> proxy_http_version 1.1;
> proxy_set_header Connection '';
> proxy_pass https://upstream_with_keepalive_confugred;
> }
>
> location /private {
> auth_request /auth_check;
> proxy_pass http://some_backend;
> }
>
> When I make a series of requests to /auth_check, nginx uses an existing
> connection as confirmed by tcpdump, but when I make a series of requests to
> /private, each /auth_check is closing the TCP connection at the end and
> then creating a new one for the following request. In my
> particular use-case this leads to approximately double the latency of the
> calls that use auth_request. Is this the expected behavior/a known issue
> with auth_request/http subrequests in general?
Make sure your backend uses "Content-Length: 0" or status code 204
in responses to auth subrequests.
Even with keepalive configured, nginx closes upstream connection
if the response contains the response body nginx is not going to
read, as it is often cheaper to reopen a connection than wait for
the unneeded response body.
--
Maxim Dounin
http://mdounin.ru/
More information about the nginx
mailing list