Opened 5 years ago
Closed 5 years ago
#2051 closed defect (invalid)
Issue with auth_request directive
| Reported by: | Owned by: | ||
|---|---|---|---|
| Priority: | major | Milestone: | nginx-1.19 |
| Component: | nginx-module | Version: | 1.19.x |
| Keywords: | auth_request | Cc: | marrcow@… |
| uname -a: | Linux 78df63f5fdf1 4.19.76-linuxkit #1 SMP Tue May 26 11:42:35 UTC 2020 x86_64 GNU/Linux | ||
| nginx -V: |
nginx version: nginx/1.19.1
built by gcc 8.3.0 (Debian 8.3.0-6) built with OpenSSL 1.1.1d 10 Sep 2019 TLS SNI support enabled configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-compat --with-file-aio --with-threads --with-http_addition_module --with-http_auth_request_module --with-http_dav_module --with-http_flv_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_mp4_module --with-http_random_index_module --with-http_realip_module --with-http_secure_link_module --with-http_slice_module --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module --with-http_v2_module --with-mail --with-mail_ssl_module --with-stream --with-stream_realip_module --with-stream_ssl_module --with-stream_ssl_preread_module --with-cc-opt='-g -O2 -fdebug-prefix-map=/data/builder/debuild/nginx-1.19.1/debian/debuild-base/nginx-1.19.1=. -fstack-protector-strong -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fPIC' --with-ld-opt='-Wl,-z,relro -Wl,-z,now -Wl,--as-needed -pie' |
||
Description
Hello,
Description:
I have a variable $host_header defined in both places: on a server level and in a location block. My proxy_set_header Host $host_header directive is located inside the server section. When I make a request to this location, everything works as expected. The value of the Host header is taken from the location's $host_header variable. However, when I add the auth_request directive to my location section, the proxy_pass goes with the Host header taken from the server level. So, the $host_header variable defined in a location is skipped.
Here is the example code:
server {
listen 80;
server_name "local.main.server";
set $host_header "server level";
proxy_set_header Host $host_header;
location /test {
auth_request /auth;
set $host_header "location level";
proxy_pass http://test-nginx;
}
location = /auth {
internal;
proxy_pass_request_body off;
proxy_set_header Content-Length "";
proxy_set_header X-Original-URI $request_uri;
# this simply returns 200
proxy_pass http://test-nginx;
}
}
Note:
See TracTickets
for help on using tickets.
The observed behaviour is expected. As per the rewrite module documentation, rewrite directives, including
set, are executed when nginx is looking for appropriate configuration for the request. And hence subrequests share variables with the main request,setin the subrequest overwrite the variable.That is, something like this happens in your cofiguration:
set $host_header "server level";happens at the server level, so$host_headeris set toserver level./testis selected, and$host_headeris set tolocation level./authis created for theauth_request /auth;.set $host_header "server level";happens at the server level, so$host_headeris set toserver level.$host_headervariable - that is, the one set in the subrequest.Reconsider your configuration.