auth_request module is sending the auth subrequest twice

V
Vineet
  • 11 Mar '24
Hello,

I had sent the original email to the nginx mailing list address a week ago.
But I don't see it on the March 2024 archives page -
https://mailman.nginx.org/pipermail/nginx/2024-March/thread.html#start. I
am wondering if that's the case because I was not subscribed to the mailing
list at the time of sending the email (I have subscribed just now) or if
it's stuck in moderation.

Appreciate any help.

Thanks,
Vineet

On Mon, 4 Mar 2024 at 11:52, Vineet Naik <naikvin at gmail.com> wrote:

> Hello,
>
> I am using the auth_request module to restrict access to static files at
> location `/`. I noticed that when authentication is successful, the `/auth`
> endpoint is receiving 2 requests for every request sent to nginx by the
> client application. Interestingly, this only happens when the user is
> logged in i.e. the `/auth` endpoint responds with 200 status code.
> Otherwise, the auth endpoint is called only once. I have verified this by
> logging every incoming request to `/auth` handler in the server
> application.
>
> I can see that the internal subrequests made by nginx to the auth endpoint
> are not being logged. Is there a way to enable logging for auth
> subrequests? How do I investigate this further?
>
> Nginx config for reference:
>
> server {
>     listen       80;
>     server_name  spapoc.local;
>
>     access_log  /var/log/nginx/spapoc.access.log  main;
>
>     location ~ ^/(login|logout) {
>         auth_request off;
>         proxy_pass http://127.0.0.1:5001;
>         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
>         proxy_set_header X-Forwarded-Proto $scheme;
>         proxy_set_header X-Forwarded-Host $host;
>         proxy_set_header X-Forwarded-Prefix /;
>     }
>
>     location /xhr/ {
>         auth_request off;
>         proxy_pass http://127.0.0.1:5001/;
>         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
>         proxy_set_header X-Forwarded-Proto $scheme;
>         proxy_set_header X-Forwarded-Host $host;
>         proxy_set_header X-Forwarded-Prefix /;
>     }
>
>     location = /favicon.ico {
>         auth_request off;
>         root /home/vmadmin/spa;
>     }
>
>     location / {
>         auth_request /auth;
>         auth_request_set $auth_status $upstream_status;
>         error_page 401 = @error401;
>
>         root   /home/vmadmin/spa;
>         try_files $uri $uri/ /index.html;
>     }
>
>     location = /auth {
>         internal;
>         auth_request off;
>         proxy_pass http://127.0.0.1:5001;
>         proxy_pass_request_body off;
>         proxy_set_header        Content-Length "";
>         proxy_set_header        X-Original-URI $request_uri;
>     }
>
>     location @error401 {
>         return 302 /login;
>     }
>
>     #error_page  404              /404.html;
>
>     # redirect server error pages to the static page /50x.html
>     #
>     error_page   500 502 503 504  /50x.html;
>     location = /50x.html {
>         root   /usr/share/nginx/html;
>     }
> }
>
> --
> Thanks,
> Vineet
>
>

-- 
~ Vineet
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nginx.org/pipermail/nginx/attachments/20240311/556c1252/attachment.htm>
R
Roman
  • 11 Mar '24
Hi,

On Mon, Mar 11, 2024 at 12:24:44PM +0530, Vineet Naik wrote:
> Hello,
> 
> I had sent the original email to the nginx mailing list address a week ago.
> But I don't see it on the March 2024 archives page -
> https://mailman.nginx.org/pipermail/nginx/2024-March/thread.html#start. I
> am wondering if that's the case because I was not subscribed to the mailing
> list at the time of sending the email (I have subscribed just now) or if
> it's stuck in moderation.
> 
> Appreciate any help.
> 
> Thanks,
> Vineet
> 
> On Mon, 4 Mar 2024 at 11:52, Vineet Naik <naikvin at gmail.com> wrote:
> 
> > Hello,
> >
> > I am using the auth_request module to restrict access to static files at
> > location `/`. I noticed that when authentication is successful, the `/auth`
> > endpoint is receiving 2 requests for every request sent to nginx by the
> > client application. Interestingly, this only happens when the user is
> > logged in i.e. the `/auth` endpoint responds with 200 status code.
> > Otherwise, the auth endpoint is called only once. I have verified this by
> > logging every incoming request to `/auth` handler in the server
> > application.

It happens because of try_files.  The last try_files argument performs internal
redirect to the specified uri.  Internal redirect is almost like a new request.
While going through its phases, auth_request is processed again.

https://nginx.org/en/docs/http/ngx_http_core_module.html#try_files

> > I can see that the internal subrequests made by nginx to the auth endpoint
> > are not being logged. Is there a way to enable logging for auth
> > subrequests? How do I investigate this further?

Yes, use 'log_subrequest on':

https://nginx.org/en/docs/http/ngx_http_core_module.html#log_subrequest

> > Nginx config for reference:
> >
> > server {
> >     listen       80;
> >     server_name  spapoc.local;
> >
> >     access_log  /var/log/nginx/spapoc.access.log  main;
> >
> >     location ~ ^/(login|logout) {
> >         auth_request off;
> >         proxy_pass http://127.0.0.1:5001;
> >         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
> >         proxy_set_header X-Forwarded-Proto $scheme;
> >         proxy_set_header X-Forwarded-Host $host;
> >         proxy_set_header X-Forwarded-Prefix /;
> >     }
> >
> >     location /xhr/ {
> >         auth_request off;
> >         proxy_pass http://127.0.0.1:5001/;
> >         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
> >         proxy_set_header X-Forwarded-Proto $scheme;
> >         proxy_set_header X-Forwarded-Host $host;
> >         proxy_set_header X-Forwarded-Prefix /;
> >     }
> >
> >     location = /favicon.ico {
> >         auth_request off;
> >         root /home/vmadmin/spa;
> >     }
> >
> >     location / {
> >         auth_request /auth;
> >         auth_request_set $auth_status $upstream_status;
> >         error_page 401 = @error401;
> >
> >         root   /home/vmadmin/spa;
> >         try_files $uri $uri/ /index.html;
> >     }
> >
> >     location = /auth {
> >         internal;
> >         auth_request off;
> >         proxy_pass http://127.0.0.1:5001;
> >         proxy_pass_request_body off;
> >         proxy_set_header        Content-Length "";
> >         proxy_set_header        X-Original-URI $request_uri;
> >     }
> >
> >     location @error401 {
> >         return 302 /login;
> >     }
> >
> >     #error_page  404              /404.html;
> >
> >     # redirect server error pages to the static page /50x.html
> >     #
> >     error_page   500 502 503 504  /50x.html;
> >     location = /50x.html {
> >         root   /usr/share/nginx/html;
> >     }
> > }
> >
> > --
> > Thanks,
> > Vineet
> >
> >
> 
> -- 
> ~ Vineet

> _______________________________________________
> nginx mailing list
> nginx at nginx.org
> https://mailman.nginx.org/mailman/listinfo/nginx

--
Roman Arutyunyan
V
Vineet
  • 11 Mar '24
Hi,

On Mon, 11 Mar 2024 at 19:07, Roman Arutyunyan <arut at nginx.com> wrote:

> Hi,
>
> On Mon, Mar 11, 2024 at 12:24:44PM +0530, Vineet Naik wrote:
> > Hello,
> >
> > I had sent the original email to the nginx mailing list address a week
> ago.
> > But I don't see it on the March 2024 archives page -
> > https://mailman.nginx.org/pipermail/nginx/2024-March/thread.html#start.
> I
> > am wondering if that's the case because I was not subscribed to the
> mailing
> > list at the time of sending the email (I have subscribed just now) or if
> > it's stuck in moderation.
> >
> > Appreciate any help.
> >
> > Thanks,
> > Vineet
> >
> > On Mon, 4 Mar 2024 at 11:52, Vineet Naik <naikvin at gmail.com> wrote:
> >
> > > Hello,
> > >
> > > I am using the auth_request module to restrict access to static files
> at
> > > location `/`. I noticed that when authentication is successful, the
> `/auth`
> > > endpoint is receiving 2 requests for every request sent to nginx by the
> > > client application. Interestingly, this only happens when the user is
> > > logged in i.e. the `/auth` endpoint responds with 200 status code.
> > > Otherwise, the auth endpoint is called only once. I have verified this
> by
> > > logging every incoming request to `/auth` handler in the server
> > > application.
>
> It happens because of try_files.  The last try_files argument performs
> internal
> redirect to the specified uri.  Internal redirect is almost like a new
> request.
> While going through its phases, auth_request is processed again.
>
> https://nginx.org/en/docs/http/ngx_http_core_module.html#try_files

This is helpful. Thanks. I'll try tweaking the config and see if this can
be avoided.

>
>
> > > I can see that the internal subrequests made by nginx to the auth
> endpoint
> > > are not being logged. Is there a way to enable logging for auth
> > > subrequests? How do I investigate this further?
>
> Yes, use 'log_subrequest on':
>
> https://nginx.org/en/docs/http/ngx_http_core_module.html#log_subrequest
>
> > > Nginx config for reference:
> > >
> > > server {
> > >     listen       80;
> > >     server_name  spapoc.local;
> > >
> > >     access_log  /var/log/nginx/spapoc.access.log  main;
> > >
> > >     location ~ ^/(login|logout) {
> > >         auth_request off;
> > >         proxy_pass http://127.0.0.1:5001;
> > >         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
> > >         proxy_set_header X-Forwarded-Proto $scheme;
> > >         proxy_set_header X-Forwarded-Host $host;
> > >         proxy_set_header X-Forwarded-Prefix /;
> > >     }
> > >
> > >     location /xhr/ {
> > >         auth_request off;
> > >         proxy_pass http://127.0.0.1:5001/;
> > >         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
> > >         proxy_set_header X-Forwarded-Proto $scheme;
> > >         proxy_set_header X-Forwarded-Host $host;
> > >         proxy_set_header X-Forwarded-Prefix /;
> > >     }
> > >
> > >     location = /favicon.ico {
> > >         auth_request off;
> > >         root /home/vmadmin/spa;
> > >     }
> > >
> > >     location / {
> > >         auth_request /auth;
> > >         auth_request_set $auth_status $upstream_status;
> > >         error_page 401 = @error401;
> > >
> > >         root   /home/vmadmin/spa;
> > >         try_files $uri $uri/ /index.html;
> > >     }
> > >
> > >     location = /auth {
> > >         internal;
> > >         auth_request off;
> > >         proxy_pass http://127.0.0.1:5001;
> > >         proxy_pass_request_body off;
> > >         proxy_set_header        Content-Length "";
> > >         proxy_set_header        X-Original-URI $request_uri;
> > >     }
> > >
> > >     location @error401 {
> > >         return 302 /login;
> > >     }
> > >
> > >     #error_page  404              /404.html;
> > >
> > >     # redirect server error pages to the static page /50x.html
> > >     #
> > >     error_page   500 502 503 504  /50x.html;
> > >     location = /50x.html {
> > >         root   /usr/share/nginx/html;
> > >     }
> > > }
> > >
> > > --
> > > Thanks,
> > > Vineet
> > >
> > >
> >
> > --
> > ~ Vineet
>
> > _______________________________________________
> > nginx mailing list
> > nginx at nginx.org
> > https://mailman.nginx.org/mailman/listinfo/nginx
>
> --
> Roman Arutyunyan
> _______________________________________________
> nginx mailing list
> nginx at nginx.org
> https://mailman.nginx.org/mailman/listinfo/nginx
>

-- 
~ Vineet
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nginx.org/pipermail/nginx/attachments/20240311/2b74195c/attachment.htm>
  • Page 1 of 1
Reply