Opened 12 months ago

Last modified 11 months ago

#2294 closed defect

set $host url and auth_request failing on proxy_pass — at Initial Version

Reported by: jack.pienso.com@… Owned by:
Priority: minor Milestone:
Component: documentation Version: 1.19.x
Keywords: Cc:
uname -a: Linux d12560761e0b 5.4.0-1057-gcp #61~18.04.1-Ubuntu SMP Thu Oct 28 04:16:28 UTC 2021 x86_64 GNU/Linux
nginx -V: nginx version: nginx/1.21.4
built by gcc 10.2.1 20210110 (Debian 10.2.1-6)
built with OpenSSL 1.1.1k 25 Mar 2021
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-compat --with-file-aio --with-threads --with-http_addition_module --with-http_auth_request_module --with-http_dav_module --with-http_flv_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_mp4_module --with-http_random_index_module --with-http_realip_module --with-http_secure_link_module --with-http_slice_module --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module --with-http_v2_module --with-mail --with-mail_ssl_module --with-stream --with-stream_realip_module --with-stream_ssl_module --with-stream_ssl_preread_module --with-cc-opt='-g -O2 -ffile-prefix-map=/data/builder/debuild/nginx-1.21.4/debian/debuild-base/nginx-1.21.4=. -fstack-protector-strong -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fPIC' --with-ld-opt='-Wl,-z,relro -Wl,-z,now -Wl,--as-needed -pie'

Description

I'm trying to implement an auth_request call for an upstream host that is not guaranteed to be running.

My understanding is that, when calling proxy_pass, using set $foo some.service for an upstream host is the proper way to prevent nginx from throwing an error at boot, and properly resolving the IP address.

In isolation this pattern works fine:

location /happy/ {

set $a_endpoint http://my_service/;
proxy_pass $a_endpoint;

}

The above allows $a_endpoint to:

  1. Does not require the upstream host to be running when nginx starts
  2. Dynamically update the IP address for the associated my_service.

I've tried to pair this with an auth_request and I see failing results

location /protected/ {

auth_request /oauth2/auth;
error_page 401 = /oauth2/sign_in;

set $a_endpoint http://my_service/;
proxy_pass $a_endpoint;

}

This first results is a 202 from the oauth API.

The second result is a 404 from the oauth API.

The second call is, in fact, being proxy_passed to the URL defined in auth_request? why...

I've verified that the second call is going to oauth instead of my_service in both debug nginx logs and wireshark.

Change History (0)

Note: See TracTickets for help on using tickets.