Opened 10 years ago
Last modified 4 years ago
#761 new enhancement
The auth_request does not supports query string/arguments
| Reported by: | rustler2000.livejournal.com | Owned by: | |
|---|---|---|---|
| Priority: | minor | Milestone: | |
| Component: | nginx-module | Version: | |
| Keywords: | auth, auth_request | Cc: | |
| uname -a: | |||
| nginx -V: |
nginx version: nginx/1.8.0 (i686-pc-linux-gnu)
built by gcc 4.6.2 ... |
||
Description
Having in config:
auth_request /users/v1/auth?usergroup=devel;
The debug log from nginx shows:
2013/01/01 01:52:49 [notice] 1607#0: *125 "^/users/(.*)" matches "/users/v1/auth?usergroup=devel", client: 10.9.96.2, server: localhost, request: "GET /runner/v1/status HTTP/1.1", subrequest: "/users/v1/auth?usergroup=devel", host: "10.9.96.81" 2013/01/01 01:52:49 [notice] 1607#0: *125 rewritten data: "/v1/auth?usergroup=devel", args: "", client: 10.9.96.2, server: localhost, request: "GET /runner/v1/status HTTP/1.1", subrequest: "/users/v1/auth?usergroup=devel", host: "10.9.96.81"
The strace on upstream shows:
recv(6, "GET /v1/auth%3Fusergroup=devel H"..., 8192, 0) = 507
As it seen - the question mark separating path and query got urlencoded and whole query string became part of path.
Checking the code of auth_request seems that subrequest made w/o taking care of args - there is NULL passed.
Change History (4)
comment:1 by , 10 years ago
comment:2 by , 9 years ago
| Type: | defect → enhancement |
|---|
comment:3 by , 4 years ago
This problem is (still) occurring in 1.19.6. Is this by design and if so, how do I pass query parameters to an auth backend?
comment:4 by , 4 years ago
Is this by design and if so, how do I pass query parameters to an auth backend?
Yes, this is by design. Much like it doesn't support variables in the auth URI. Probably this will be improved one day, but this isn't something considered important (not even by the original reporter, who never tried to follow contribution guidelines).
If you want to pass some query parameters to the auth backend, you can do so by using rewrite, for example:
location /protected/ {
auth_request /auth;
proxy_pass http://protected-backend...
}
location = /auth {
rewrite ^ /auth.php?foo=bar break;
proxy_pass http://auth-backend;
proxy_pass_request_body off;
proxy_set_header Content-Length "";
proxy_set_header X-Original-URI $request_uri;
}
Fix:
- nginx/patch/src/http/modules/ngx_http_auth_request_module.c - index b4307be..f86e31c 100644 @@ -12,6 +12,7 @@ typedef struct { ngx_str_t uri; + ngx_str_t args; ngx_array_t *vars; } ngx_http_auth_request_conf_t; @@ -186,7 +187,7 @@ ngx_http_auth_request_handler(ngx_http_request_t *r) ps->handler = ngx_http_auth_request_done; ps->data = ctx; - if (ngx_http_subrequest(r, &arcf->uri, NULL, &sr, ps, + if (ngx_http_subrequest(r, &arcf->uri, &arcf->args, &sr, ps, NGX_HTTP_SUBREQUEST_WAITED) != NGX_OK) { @@ -328,6 +329,7 @@ ngx_http_auth_request_merge_conf(ngx_conf_t *cf, void *parent, void *child) ngx_http_auth_request_conf_t *conf = child; ngx_conf_merge_str_value(conf->uri, prev->uri, ""); + ngx_conf_merge_str_value(conf->args, prev->args, ""); ngx_conf_merge_ptr_value(conf->vars, prev->vars, NULL); return NGX_CONF_OK; @@ -374,6 +376,7 @@ ngx_http_auth_request(ngx_conf_t *cf, ngx_command_t *cmd, void *conf) } arcf->uri = value[1]; + ngx_http_split_args(NULL, &arcf->uri, &arcf->args); return NGX_CONF_OK; }}}}