Trying to get a header from an auth_request into a variable and use it
from
Lua with no luck. This was the simple example I tried.
location = /auth {
add_header X-Boo "Hello World";
return 204;
}
location /test {
auth_request /auth;
auth_request_set $test $upstream_http_x_boo;
add_header X-BooHoo $test;
content_by_lua '
ngx.say("(" .. ngx.var.test .. ")")
';
}
Posted at Nginx Forum:
http://forum.nginx.org/read.php?2,233582,233582#msg-233582
on 2012-12-04 23:19
on 2012-12-05 03:19
Hello! On Tue, Dec 4, 2012 at 2:18 PM, djczaski wrote: > Trying to get a header from an auth_request into a variable and use it from > Lua with no luck. This was the simple example I tried. > You're making several mistakes. See the discussion below: > location = /auth { > add_header X-Boo "Hello World"; Mistake #1: The add_header directive from the standard ngx_headers module has no effect on subrequests while your location /auth here is accessed by a subrequest issued via the auth_request directive. > return 204; > } > > location /test { > auth_request /auth; > auth_request_set $test $upstream_http_x_boo; Mistake #2: The $upstream_http_XXX variables are only meaningful when the *current* location is configured by one of those Nginx upstream modules like ngx_proxy, ngx_fastcgi, ngx_uwsgi, and etc. Here your current location, location /test, is not configured by any Nginx upstream modules (neither ngx_auth_request nor ngx_lua are upstream modules). Mistake #3: The $upstream_http_XXX variables are only in effect for the current request. It won't inherit values from any other requests including subrequests. > add_header X-BooHoo $test; > > content_by_lua ' > ngx.say("(" .. ngx.var.test .. ")") > '; > } > BTW, I'm not sure what business requirements you're trying to achieve here but I think you can just use access_by_lua with ngx.location.capture here in place of auth_request and you can inspect the subrequest's response headers easily in Lua. Best regards, -agentzh
on 2012-12-05 04:37
Thank you taking the time with your detailed response. I have some comments below. On Tue, Dec 4, 2012 at 9:19 PM, agentzh <agentzh@gmail.com> wrote: >> add_header X-Boo "Hello World"; This was an attempt to make a simple example. The authentication comes from a fastcgi process. > > Mistake #2: The $upstream_http_XXX variables are only meaningful when > the *current* location is configured by one of those Nginx upstream > modules like ngx_proxy, ngx_fastcgi, ngx_uwsgi, and etc. Here your > current location, location /test, is not configured by any Nginx > upstream modules (neither ngx_auth_request nor ngx_lua are upstream > modules). The fastcgi process from /auth sets some headers which I need to forward into parameters for a second fastcgi processes. >> > > BTW, I'm not sure what business requirements you're trying to achieve > here but I think you can just use access_by_lua with > ngx.location.capture here in place of auth_request and you can inspect > the subrequest's response headers easily in Lua. I was looking at nginx as a replacement of another web server in order to improve performance on an embedded platform. Actually, I was able to implement this through access_by_lua while I was having problems and although it worked, performance was worse than using the fastcgi authorizer on the other server. To improve performance, I could write a module and I looked at using auth_pam however the pam conversation on each request is extremely slow. It could be that all of this is the wrong path. The basic requirement is user login with pam authentication.
on 2012-12-05 12:21
Hello! On Tue, Dec 04, 2012 at 06:19:02PM -0800, agentzh wrote: > > add_header X-Boo "Hello World"; > > auth_request_set $test $upstream_http_x_boo; > including subrequests. The #2 and #3 are the reasons why the auth_request_set directive exists: it allows to store variables specific to auth subrequest, like $upstream_http_*, in variables of main request. So the only valid problem in config is #1. [...] -- Maxim Dounin http://nginx.com/support.html
on 2012-12-05 15:28
agentzh Wrote: ------------------------------------------------------- > > location = /auth { > > auth_request /auth; > the current request. It won't inherit values from any other requests > BTW, I'm not sure what business requirements you're trying to achieve > here but I think you can just use access_by_lua with > ngx.location.capture here in place of auth_request and you can inspect > the subrequest's response headers easily in Lua. I confirmed mistake #1 was my problem. Thank you for the help. I benchmarked both approaches: 1.0 Nginx 1.3.8 no auth 1.4 Nginx 1.3.8 auth_request_set 1.5 Nginx 1.3.8 access_by_lua Interestingly, Nginx 1.3.9 seemed to be about 3% slower than 1.3.8. Surprisingly, Nginx 1.3.8 was about 8% slower than Lighttpd, which was shocking. Serving static files, Nginx was much faster than Lighttpd. Posted at Nginx Forum: http://forum.nginx.org/read.php?2,233582,233601#msg-233601
on 2012-12-05 17:01
agentzh Wrote: ------------------------------------------------------- > > location = /auth { > > auth_request /auth; > the current request. It won't inherit values from any other requests > BTW, I'm not sure what business requirements you're trying to achieve > here but I think you can just use access_by_lua with > ngx.location.capture here in place of auth_request and you can inspect > the subrequest's response headers easily in Lua. I confirmed mistake #1 was my problem. Thank you for the help. I benchmarked both approaches: 1.0 Nginx 1.3.8 no auth 1.4 Nginx 1.3.8 auth_request_set 1.5 Nginx 1.3.8 access_by_lua Interestingly, Nginx 1.3.9 seemed to be about 3% slower than 1.3.8. Surprisingly, Nginx 1.3.8 was about 8% slower than Lighttpd, which was shocking. Serving static files, Nginx was much faster than Lighttpd. Posted at Nginx Forum: http://forum.nginx.org/read.php?2,233582,233602#msg-233602
on 2012-12-06 04:02
Hello! On Tue, Dec 4, 2012 at 7:36 PM, djczaski wrote: > I was looking at nginx as a replacement of another web server in order > to improve performance on an embedded platform. Actually, I was able > to implement this through access_by_lua while I was having problems > and although it worked, performance was worse than using the fastcgi > authorizer on the other server. How did you write your Lua code in access_by_lua? Are you using blocking 3rd-party Lua libraries there? Regards, -agentzh
on 2012-12-06 04:34
On Wed, Dec 5, 2012 at 10:02 PM, agentzh <agentzh@gmail.com> wrote:
> blocking 3rd-party Lua libraries there?
No. Its basically:
local res = ngx.location.capture("/auth")
if res.status == 200 then
ngx.var.test = res.headers["X-Boo"]
else
ngx.exit(res.status)
end
on 2012-12-06 05:02
Hello! On Wed, Dec 5, 2012 at 7:33 PM, djczaski wrote: > > No. Its basically: > > local res = ngx.location.capture("/auth") > if res.status == 200 then > ngx.var.test = res.headers["X-Boo"] > else > ngx.exit(res.status) > end > It won't help much in terms of performance. I thought you were using Lua to implement an efficient nonblocking (if network I/O is involved) authorizer and speeding it up with LuaJIT 2.0 :) Best regards, -agentzh
Enable email notification
Enable multi-page viewPlease log in before posting. Registration is free and takes only a minute.
Existing account
(Switch to SSL-encrypted connection)
NEW: Do you have a Google/GoogleMail or Yahoo account? No registration required!
Log in with Google account | Log in with Yahoo account
Log in with Google account | Log in with Yahoo account
No account? Register here.