auth_request module is sending the auth subrequest twice

Roman Arutyunyan arut at nginx.com
Mon Mar 11 13:37:09 UTC 2024


Hi,

On Mon, Mar 11, 2024 at 12:24:44PM +0530, Vineet Naik wrote:
> Hello,
> 
> I had sent the original email to the nginx mailing list address a week ago.
> But I don't see it on the March 2024 archives page -
> https://mailman.nginx.org/pipermail/nginx/2024-March/thread.html#start. I
> am wondering if that's the case because I was not subscribed to the mailing
> list at the time of sending the email (I have subscribed just now) or if
> it's stuck in moderation.
> 
> Appreciate any help.
> 
> Thanks,
> Vineet
> 
> On Mon, 4 Mar 2024 at 11:52, Vineet Naik <naikvin at gmail.com> wrote:
> 
> > Hello,
> >
> > I am using the auth_request module to restrict access to static files at
> > location `/`. I noticed that when authentication is successful, the `/auth`
> > endpoint is receiving 2 requests for every request sent to nginx by the
> > client application. Interestingly, this only happens when the user is
> > logged in i.e. the `/auth` endpoint responds with 200 status code.
> > Otherwise, the auth endpoint is called only once. I have verified this by
> > logging every incoming request to `/auth` handler in the server
> > application.

It happens because of try_files.  The last try_files argument performs an
internal redirect to the specified URI.  An internal redirect is almost like a
new request.  While going through its phases, auth_request is processed again.

https://nginx.org/en/docs/http/ngx_http_core_module.html#try_files

> > I can see that the internal subrequests made by nginx to the auth endpoint
> > are not being logged. Is there a way to enable logging for auth
> > subrequests? How do I investigate this further?

Yes, use 'log_subrequest on':

https://nginx.org/en/docs/http/ngx_http_core_module.html#log_subrequest

> > Nginx config for reference:
> >
> > server {
> >     listen       80;
> >     server_name  spapoc.local;
> >
> >     access_log  /var/log/nginx/spapoc.access.log  main;
> >
> >     location ~ ^/(login|logout) {
> >         auth_request off;
> >         proxy_pass http://127.0.0.1:5001;
> >         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
> >         proxy_set_header X-Forwarded-Proto $scheme;
> >         proxy_set_header X-Forwarded-Host $host;
> >         proxy_set_header X-Forwarded-Prefix /;
> >     }
> >
> >     location /xhr/ {
> >         auth_request off;
> >         proxy_pass http://127.0.0.1:5001/;
> >         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
> >         proxy_set_header X-Forwarded-Proto $scheme;
> >         proxy_set_header X-Forwarded-Host $host;
> >         proxy_set_header X-Forwarded-Prefix /;
> >     }
> >
> >     location = /favicon.ico {
> >         auth_request off;
> >         root /home/vmadmin/spa;
> >     }
> >
> >     location / {
> >         auth_request /auth;
> >         auth_request_set $auth_status $upstream_status;
> >         error_page 401 = @error401;
> >
> >         root   /home/vmadmin/spa;
> >         try_files $uri $uri/ /index.html;
> >     }
> >
> >     location = /auth {
> >         internal;
> >         auth_request off;
> >         proxy_pass http://127.0.0.1:5001;
> >         proxy_pass_request_body off;
> >         proxy_set_header        Content-Length "";
> >         proxy_set_header        X-Original-URI $request_uri;
> >     }
> >
> >     location @error401 {
> >         return 302 /login;
> >     }
> >
> >     #error_page  404              /404.html;
> >
> >     # redirect server error pages to the static page /50x.html
> >     #
> >     error_page   500 502 503 504  /50x.html;
> >     location = /50x.html {
> >         root   /usr/share/nginx/html;
> >     }
> > }
> >
> > --
> > Thanks,
> > Vineet
> >
> >
> 
> -- 
> ~ Vineet

--
Roman Arutyunyan
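
Added example, not part of either message in this thread: a logging setup that makes the repeated auth subrequest visible in the access log. The format name `subreq` and its field layout are choices made for this example; the server block is abbreviated from the posted config.

```nginx
# http{} context: log_format is only valid at this level.
# "subreq" is a name chosen for this example.
#
# On a subrequest's log line $request still holds the client's original
# request line, so the stock formats do not show which URI was actually
# processed. $uri is the URI of the (sub)request being logged, and
# $status is that (sub)request's own status.
# $request_id is generated once per client request, so the subrequest
# lines and the main request line it belongs to carry the same value.
log_format subreq '$remote_addr [$time_local] rid=$request_id '
                  'uri=$uri status=$status "$request"';

server {
    listen       80;
    server_name  spapoc.local;

    # Write an access log entry for every subrequest, including the
    # auth_request subrequest to /auth, not only for the client request.
    log_subrequest on;
    access_log  /var/log/nginx/spapoc.access.log  subreq;

    # ... locations from the posted config, unchanged ...
}
```

With this in place, a request that falls through to the last try_files argument shows up as two `uri=/auth` lines and one `uri=/index.html` line sharing a single `rid`, while a request for a file that exists shows only one `uri=/auth` line.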

