Opened 9 years ago

Last modified 3 years ago

#761 new enhancement

The auth_request does not supports query string/arguments

Reported by: Owned by:
Priority: minor Milestone:
Component: nginx-module Version:
Keywords: auth, auth_request Cc:
uname -a:
nginx -V: nginx version: nginx/1.8.0 (i686-pc-linux-gnu)
built by gcc 4.6.2


Having in config:

auth_request /users/v1/auth?usergroup=devel;

The debug log from nginx shows:

2013/01/01 01:52:49 [notice] 1607#0: *125 "^/users/(.*)" matches "/users/v1/auth?usergroup=devel", client:, server: localhost, request: "GET /runner/v1/status HTTP/1.1", subrequest: "/users/v1/auth?usergroup=devel", host: ""
2013/01/01 01:52:49 [notice] 1607#0: *125 rewritten data: "/v1/auth?usergroup=devel", args: "", client:, server: localhost, request: "GET /runner/v1/status HTTP/1.1", subrequest: "/users/v1/auth?usergroup=devel", host: ""

The strace on upstream shows:

recv(6, "GET /v1/auth%3Fusergroup=devel H"..., 8192, 0) = 507

As it seen - the question mark separating path and query got urlencoded and whole query string became part of path.

Checking the code of auth_request seems that subrequest made w/o taking care of args - there is NULL passed.

Change History (4)

comment:1 by, 9 years ago


- nginx/patch/src/http/modules/ngx_http_auth_request_module.c -
index b4307be..f86e31c 100644
@@ -12,6 +12,7 @@
 typedef struct {
     ngx_str_t                 uri;
+    ngx_str_t                 args;
     ngx_array_t              *vars;
 } ngx_http_auth_request_conf_t;
@@ -186,7 +187,7 @@ ngx_http_auth_request_handler(ngx_http_request_t *r)
     ps->handler = ngx_http_auth_request_done;
     ps->data = ctx;
-    if (ngx_http_subrequest(r, &arcf->uri, NULL, &sr, ps,
+    if (ngx_http_subrequest(r, &arcf->uri, &arcf->args, &sr, ps,
         != NGX_OK)
@@ -328,6 +329,7 @@ ngx_http_auth_request_merge_conf(ngx_conf_t *cf, void *parent, void *child)
     ngx_http_auth_request_conf_t *conf = child;
     ngx_conf_merge_str_value(conf->uri, prev->uri, "");
+    ngx_conf_merge_str_value(conf->args, prev->args, "");
     ngx_conf_merge_ptr_value(conf->vars, prev->vars, NULL);
     return NGX_CONF_OK;
@@ -374,6 +376,7 @@ ngx_http_auth_request(ngx_conf_t *cf, ngx_command_t *cmd, void *conf)
     arcf->uri = value[1];
+    ngx_http_split_args(NULL, &arcf->uri, &arcf->args);
     return NGX_CONF_OK;

comment:2 by Maxim Dounin, 8 years ago

Type: defectenhancement

comment:3 by rickardp@…, 3 years ago

This problem is (still) occurring in 1.19.6. Is this by design and if so, how do I pass query parameters to an auth backend?

comment:4 by Maxim Dounin, 3 years ago

Is this by design and if so, how do I pass query parameters to an auth backend?

Yes, this is by design. Much like it doesn't support variables in the auth URI. Probably this will be improved one day, but this isn't something considered important (not even by the original reporter, who never tried to follow contribution guidelines).

If you want to pass some query parameters to the auth backend, you can do so by using rewrite, for example:

location /protected/ {
    auth_request /auth;
    proxy_pass http://protected-backend...

location = /auth {
    rewrite ^ /auth.php?foo=bar break;
    proxy_pass http://auth-backend;
    proxy_pass_request_body off;
    proxy_set_header Content-Length "";
    proxy_set_header X-Original-URI $request_uri;
Note: See TracTickets for help on using tickets.