Opened 4 years ago

Closed 4 years ago

#2051 closed defect (invalid)

Issue with auth_request directive

Reported by: marrcow@… Owned by:
Priority: major Milestone: nginx-1.19
Component: nginx-module Version: 1.19.x
Keywords: auth_request Cc: marrcow@…
uname -a: Linux 78df63f5fdf1 4.19.76-linuxkit #1 SMP Tue May 26 11:42:35 UTC 2020 x86_64 GNU/Linux
nginx -V: nginx version: nginx/1.19.1
built by gcc 8.3.0 (Debian 8.3.0-6)
built with OpenSSL 1.1.1d 10 Sep 2019
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-compat --with-file-aio --with-threads --with-http_addition_module --with-http_auth_request_module --with-http_dav_module --with-http_flv_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_mp4_module --with-http_random_index_module --with-http_realip_module --with-http_secure_link_module --with-http_slice_module --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module --with-http_v2_module --with-mail --with-mail_ssl_module --with-stream --with-stream_realip_module --with-stream_ssl_module --with-stream_ssl_preread_module --with-cc-opt='-g -O2 -fdebug-prefix-map=/data/builder/debuild/nginx-1.19.1/debian/debuild-base/nginx-1.19.1=. -fstack-protector-strong -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fPIC' --with-ld-opt='-Wl,-z,relro -Wl,-z,now -Wl,--as-needed -pie'

Description

Hello,

Description:
I have a variable $host_header defined in both places: on a server level and in a location block. My proxy_set_header Host $host_header directive is located inside the server section. When I make a request to this location, everything works as expected. The value of the Host header is taken from the location's $host_header variable. However, when I add the auth_request directive to my location section, the proxy_pass goes with the Host header taken from the server level. So, the $host_header variable defined in a location is skipped.

Here is the example code:

server {
    listen 80;

    server_name "local.main.server";
    set $host_header "server level";

    proxy_set_header Host $host_header;

    location /test {
        auth_request /auth;

        set $host_header "location level";

        proxy_pass http://test-nginx;
    }

    location = /auth {
        internal;

        proxy_pass_request_body off;
        proxy_set_header Content-Length "";
        proxy_set_header X-Original-URI $request_uri;

        # this simply returns 200
        proxy_pass http://test-nginx;
    }
}

Change History (1)

comment:1 by Maxim Dounin, 4 years ago

Resolution: invalid
Status: new → closed

The observed behaviour is expected. As per the rewrite module documentation, rewrite directives, including set, are executed when nginx is looking for the appropriate configuration for the request. And hence, as subrequests share variables with the main request, a set in the subrequest overwrites the variable.

That is, something like this happens in your configuration:

  1. For the main request, set $host_header "server level"; happens at the server level, so $host_header is set to server level.
  2. The location /test is selected, and $host_header is set to location level.
  3. A subrequest to /auth is created for the auth_request /auth;.
  4. For the subrequest, set $host_header "server level"; happens at the server level, so $host_header is set to server level.
  5. Once the subrequest ends, the main request is proxied to the upstream server, using the current value of the $host_header variable - that is, the one set in the subrequest.

Reconsider your configuration.
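As an added example that is not part of the ticket or of the reply above: one way to lay out this configuration so that the auth subrequest cannot overwrite the shared variable, following the phase-by-phase explanation given in the comment. The upstream name and the two header values are the reporter's; the extra `location /` is an assumption standing in for whatever other locations relied on the server-level default.

```nginx
# Added example, not the reporter's configuration or a recommendation from the
# ticket. It follows the explanation above: a server-level "set" runs again in
# the rewrite phase of the /auth subrequest and, because subrequests share the
# main request's variables, it overwrites the value the location had set.
# The fix here is to keep "set $host_header" out of every scope the subrequest
# passes through: no server-level default, and no assignment in "location = /auth".
server {
    listen 80;
    server_name "local.main.server";

    # Evaluated when the main request is finally proxied (after auth_request has
    # completed), so it uses whatever $host_header holds at that moment.
    proxy_set_header Host $host_header;

    location /test {
        # Rewrite phase of the main request: assigns the shared variable.
        # (Textual order inside the block does not matter: "set" always runs in
        # the rewrite phase, "auth_request" in the later access phase.)
        set $host_header "location level";

        # Access phase: subrequest to /auth. Nothing executed for that subrequest
        # assigns $host_header, so "location level" survives into proxy_pass.
        auth_request /auth;

        proxy_pass http://test-nginx;
    }

    # Assumed stand-in for other locations: each sets the value it needs itself
    # instead of relying on a server-level default that would also run for
    # every subrequest.
    location / {
        set $host_header "server level";
        proxy_pass http://test-nginx;
    }

    location = /auth {
        internal;

        proxy_pass_request_body off;
        proxy_set_header Content-Length "";
        proxy_set_header X-Original-URI $request_uri;

        # Deliberately no "set $host_header" here: the subrequest must not
        # touch the variable the main request is about to use.
        proxy_pass http://test-nginx;
    }
}
```

To check the result, reload with `nginx -t` followed by a reload, then request `/test` and confirm on the upstream (or in its access log) that the `Host` header arrives as `location level` rather than `server level`; if a later change reintroduces a `set` of the same variable anywhere the `/auth` subrequest passes through, the original symptom returns.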
