Opened 3 years ago

Closed 3 years ago

Last modified 3 years ago

#801 closed defect (invalid)

auth_request and PUT/POST problems

Reported by: florin.asavoaie@… Owned by:
Priority: minor Milestone:
Component: nginx-module Version: 1.8.x
Keywords: Cc:
uname -a: Linux XXX 2.6.32-431.23.3.el6.x86_64 #1 SMP Wed Jul 16 06:12:23 EDT 2014 x86_64 x86_64 x86_64 GNU/Linux
nginx -V: nginx version: nginx/1.8.0 built by gcc 4.4.7 20120313 (Red Hat 4.4.7-11) (GCC) built with OpenSSL 1.0.1e-fips 11 Feb 2013 TLS SNI support enabled configure arguments: --add-module=/home/rpmbuild/rpmbuild/BUILD/naxsi-0.54rc3/naxsi_src --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --user=nginx --group=nginx --with-http_ssl_module --with-http_realip_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_stub_status_module --with-http_auth_request_module --with-http_geoip_module --with-file-aio --with-http_spdy_module --without-http_fastcgi_module --without-http_scgi_module --without-http_uwsgi_module --with-cc-opt='-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic'

Description

I have the following configuration:

location /myapp {
  auth_request /auth;
  proxy_pass http://some-upstream;
}

location = /auth {
  proxy_method GET;
  proxy_pass_request_body off;
  proxy_pass_request_headers off;
  if ($cookie_auth) {
    set $app_auth "Token $cookie_auth";
  }
  if ($http_authorize) {
    set $app_auth $http_authorize;
  }
  proxy_set_header Authorize $app_auth;
  proxy_set_header Host $host;
  proxy_set_header Content-Length "";
  proxy_cache proxyCacheAuth;
  proxy_cache_key $remote_addr$host$app_auth;
  proxy_cache_valid any 15m;
  proxy_pass http://authupstream/random/url;
}

For some reasons, the subrequest for auth_request is being done and cached correctly and everything works fine with normal GET requests. However, when there is a POST or PUT request with some body, after the subrequest finishes, there is no request made to the upstream of the first location.

Attachments (1)

debuglog.txt (9.9 KB) - added by florin.asavoaie@… 3 years ago.

Download all attachments as: .zip

Change History (5)

comment:1 Changed 3 years ago by mdounin

The configuration snippet you've provided works fine here, and we also have automated tests to check auth_request against POST requests with bodies. The problem you are seeing may be related to some edge case or may be introduced by 3rd party modules you are using.

Please try to reproduce the problem without any 3rd party modules / patches. If you'll be able to, please provide a debug log with a failed request.

Changed 3 years ago by florin.asavoaie@…

comment:2 Changed 3 years ago by florin.asavoaie@…

I added the debug log. What I think that is strange in it is that, at least to my understanding, it tries to continue the main request even if it gets something other than 200 as HTTP code on the subrequest. What I can tell is that any POST/PUT request hangs no matter what the subrequest response is.

The only module we have compiled in is naxsi but it is not enabled for those locations. The debug log does not say anything about trying to call it either. We'll make a rebuild of nginx without that module in a bit and see if anything changes.

comment:3 Changed 3 years ago by mdounin

  • Resolution set to invalid
  • Status changed from new to closed

From the debug log it looks like a 3rd party module have read a request body in the rewrite phase (not something normally done, the body is expected to be read only at content phase), and failed to properly restore request handlers after this. That is, it's a naxsi bug.

comment:4 Changed 3 years ago by florin.asavoaie@…

You are totally right, I can see it now. Thank you for your effort.

Note: See TracTickets for help on using tickets.