Opened 3 years ago
Last modified 3 years ago
#2294 closed defect
set $host url and auth_request failing on proxy_pass — at Version 1
Reported by: | Owned by: | ||
---|---|---|---|
Priority: | minor | Milestone: | |
Component: | documentation | Version: | 1.19.x |
Keywords: | Cc: | ||
uname -a: | Linux d12560761e0b 5.4.0-1057-gcp #61~18.04.1-Ubuntu SMP Thu Oct 28 04:16:28 UTC 2021 x86_64 GNU/Linux | ||
nginx -V: |
nginx version: nginx/1.21.4
built by gcc 10.2.1 20210110 (Debian 10.2.1-6) built with OpenSSL 1.1.1k 25 Mar 2021 TLS SNI support enabled configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-compat --with-file-aio --with-threads --with-http_addition_module --with-http_auth_request_module --with-http_dav_module --with-http_flv_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_mp4_module --with-http_random_index_module --with-http_realip_module --with-http_secure_link_module --with-http_slice_module --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module --with-http_v2_module --with-mail --with-mail_ssl_module --with-stream --with-stream_realip_module --with-stream_ssl_module --with-stream_ssl_preread_module --with-cc-opt='-g -O2 -ffile-prefix-map=/data/builder/debuild/nginx-1.21.4/debian/debuild-base/nginx-1.21.4=. -fstack-protector-strong -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fPIC' --with-ld-opt='-Wl,-z,relro -Wl,-z,now -Wl,--as-needed -pie' |
Description (last modified by )
I'm trying to implement an auth_request call for an upstream host that is not guaranteed to be running.
My understanding is that, when calling proxy_pass, using set $foo some.service for an upstream host is the proper way to prevent nginx from throwing an error at boot, and properly resolving the IP address.
In isolation this pattern works fine:
location /happy/ {
set $a_endpoint http://my_service/;
proxy_pass $a_endpoint;
}
The above allows $a_endpoint to:
- It does not require the upstream host to be running when nginx starts
- It dynamically update the IP address for the associated my_service.
I've tried to pair this with an auth_request and I see failing results
location /protected/ {
auth_request /oauth2/auth;
error_page 401 = /oauth2/sign_in;
set $a_endpoint http://my_service/;
proxy_pass $a_endpoint;
}
This first results is a 202 from the oauth API.
The second result is a 404 from the oauth API.
The second call is, in fact, being proxy_passed to the URL defined in auth_request? why...
I've verified that the second call is going to oauth instead of my_service in both debug nginx logs and wireshark.