Auth_request + php-fpm + POST request

Hi,

I’m using the auth_request module to enable custom (2fa) authentication to protect my whole website, no matter the various applications I host on this website. So the auth_request directive is set at the “server” level.

The authentication subrequest works fine, except for client POST requests where the php auth script holds forever until I get a timeout in the nginx error.log:
“*1 upstream timed out (110: Connection timed out) while reading response header from upstream”

It took me a while guessing why, but my guess is, from the debug trace I created, that the PHP script sees both a “content-length” and “content-type” in the HTTP headers, but the request body is not being sent to the auth scripts (there’s no need anyway, all I need is the cookies).

I had to trick the config to make it work, and that’s what I’m sharing here, but I’d like to know if there’s a more “standard” way to deal with this.

My nginx.conf file is standard, and here are the bits from my “sites-available” config file:

server {
    listen 443;
    server_name www.example.eu;

    ssl on;
    ssl_certificate /etc/nginx/ssl/www.exemple.eu.crt;
    ssl_certificate_key /etc/nginx/ssl/www.exemple.eu.key;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers 'AES256+EECDH:AES256+EDH';
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;

    root /var/www/exemple.eu;
    index index.php index.html index.htm;

    # Every request to this server goes through the auth subrequest
    auth_request /twofactorauth/auth/auth.php;

    error_page 401 = @error401;

    location @error401 {
        return 302 $scheme://$host/twofactorauth/login/login.html;
    }

    location / {
        try_files $uri $uri/ /index.html;
    }

    location ~ \.php$ {
        fastcgi_pass unix:/var/run/php5-fpm.sock;
        fastcgi_index index.php;
        include fastcgi.conf;
    }

    location = /twofactorauth/auth/auth.php {
        fastcgi_pass unix:/var/run/php5-fpm.sock;
        include fastcgi.conf;
        # The trick: auth.php always sees GET
        fastcgi_param REQUEST_METHOD "GET";
    }

    location /twofactorauth/login/ {
        auth_request off;
        location ~ \.php$ {
            fastcgi_pass unix:/var/run/php5-fpm.sock;
            fastcgi_index index.php;
            include fastcgi.conf;
        }
    }
}

See the trick? The auth.php script is being forced a “GET” method even when the client used a POST request.

By the way, I didn’t manage to get the whole auth_request config working using all the “proxy_pass” stuff. So I used a straight call to the auth.php script.

Any ideas are welcome.
Cheers
Arno0x0x

Posted at Nginx Forum:

Hello!

On Sat, Apr 11, 2015 at 09:21:30AM -0400, Arno0x0x wrote:

> header from upstream"
>
> It took me a while guessing why, but my guess is, from the debug trace I
> created, that the PHP script sees both a “content-length” and “content-type”
> in the HTTP headers, but the request body is not being sent to the auth
> scripts (there’s no need anyway, all I need is the cookies).
>
> I had to trick the config to make it work, and that’s what I’m sharing here,
> but I’d like to know if there’s a more “standard” way to deal with this.

The recommended way can be seen in the example configuration in the
documentation:

location = /auth {
    proxy_pass ...
    proxy_pass_request_body off;
    proxy_set_header Content-Length "";
}

Similar approach should work for fastcgi too, but you’ll have
to avoid sending the CONTENT_LENGTH fastcgi param instead of the
Content-Length header.

http://nginx.org/en/docs/http/ngx_http_auth_request_module.html


Maxim D.
http://nginx.org/
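
The fastcgi form of the configuration recommended above, as an added example that is not part of the thread or of the nginx documentation. It assumes the socket path and script location from the first post, and it lists the FastCGI parameters explicitly instead of including fastcgi.conf, because the stock fastcgi.conf sets CONTENT_LENGTH and CONTENT_TYPE from the client request.

```nginx
# Added example: auth subrequest handled by php-fpm without a request body.
location = /twofactorauth/auth/auth.php {
    # Optional hardening added here: auth_request subrequests count as
    # internal requests, so clients cannot call the auth script directly.
    internal;

    fastcgi_pass unix:/var/run/php5-fpm.sock;

    # The subrequest has no body to forward ...
    fastcgi_pass_request_body off;

    # ... so CONTENT_LENGTH and CONTENT_TYPE are deliberately left out.
    # PHP then does not wait for a body, whatever the client's method was.
    fastcgi_param GATEWAY_INTERFACE CGI/1.1;
    fastcgi_param SERVER_PROTOCOL   $server_protocol;
    fastcgi_param SERVER_NAME       $server_name;
    fastcgi_param REMOTE_ADDR       $remote_addr;
    fastcgi_param HTTPS             $https if_not_empty;
    fastcgi_param REDIRECT_STATUS   200;

    # Script to run; $fastcgi_script_name is the auth location's own URI.
    fastcgi_param SCRIPT_FILENAME   $document_root$fastcgi_script_name;

    # Original client request, available to the script for its decision.
    fastcgi_param REQUEST_METHOD    $request_method;
    fastcgi_param REQUEST_URI       $request_uri;
    fastcgi_param QUERY_STRING      $query_string;

    # Request headers are still passed as HTTP_* parameters by default
    # (fastcgi_pass_request_headers on), so the script sees HTTP_COOKIE.
}
```

With this in place the script still sees REQUEST_METHOD as POST for client POST requests, so the method no longer has to be overridden to "GET".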

Hi Maxim,

Thanks for your answer. I’d rather do as you said than change the method from POST to GET.

As for your recommended example, I never managed to make it work (proxy_pass stuff): I ran into some resolver issue, and then into some infinite loop on internal requests. So I gave up.

Regards,
Arno0x0x
