Auth_request_set into variable and lua

aris · December 4, 2012, 11:19pm

Trying to get a header from an auth_request into a variable and use it
from
Lua with no luck. This was the simple example I tried.

  location = /auth {
       add_header    X-Boo    "Hello World";
       return 204;
    }

    location /test {
        auth_request /auth;
        auth_request_set $test $upstream_http_x_boo;
        add_header X-BooHoo $test;

        content_by_lua '
            ngx.say("(" .. ngx.var.test .. ")")
        ';
    }

Posted at Nginx Forum:

djczaski · December 5, 2012, 3:19am

Hello!

On Tue, Dec 4, 2012 at 2:18 PM, djczaski wrote:

Trying to get a header from an auth_request into a variable and use it from
Lua with no luck. This was the simple example I tried.

You’re making several mistakes. See the discussion below:

  location = /auth {
       add_header    X-Boo    "Hello World";

Mistake #1: The add_header directive from the standard ngx_headers
module has no effect on subrequests while your location /auth here is
accessed by a subrequest issued via the auth_request directive.

       return 204;
    }

    location /test {
        auth_request /auth;
        auth_request_set $test $upstream_http_x_boo;

Mistake #2: The $upstream_http_XXX variables are only meaningful when
the current location is configured by one of those Nginx upstream
modules like ngx_proxy, ngx_fastcgi, ngx_uwsgi, and etc. Here your
current location, location /test, is not configured by any Nginx
upstream modules (neither ngx_auth_request nor ngx_lua are upstream
modules).

Mistake #3: The $upstream_http_XXX variables are only in effect for
the current request. It won’t inherit values from any other requests
including subrequests.

        add_header X-BooHoo $test;

        content_by_lua '
            ngx.say("(" .. ngx.var.test .. ")")
        ';
    }

BTW, I’m not sure what business requirements you’re trying to achieve
here but I think you can just use access_by_lua with
ngx.location.capture here in place of auth_request and you can inspect
the subrequest’s response headers easily in Lua.

Best regards,
-agentzh

djczaski · December 5, 2012, 4:37am

Thank you taking the time with your detailed response. I have some
comments below.

On Tue, Dec 4, 2012 at 9:19 PM, agentzh [email protected] wrote:

       add_header    X-Boo    "Hello World";

This was an attempt to make a simple example. The authentication
comes from a fastcgi process.

Mistake #2: The $upstream_http_XXX variables are only meaningful when
the current location is configured by one of those Nginx upstream
modules like ngx_proxy, ngx_fastcgi, ngx_uwsgi, and etc. Here your
current location, location /test, is not configured by any Nginx
upstream modules (neither ngx_auth_request nor ngx_lua are upstream
modules).

The fastcgi process from /auth sets some headers which I need to
forward into parameters for a second fastcgi processes.

BTW, I’m not sure what business requirements you’re trying to achieve
here but I think you can just use access_by_lua with
ngx.location.capture here in place of auth_request and you can inspect
the subrequest’s response headers easily in Lua.

I was looking at nginx as a replacement of another web server in order
to improve performance on an embedded platform. Actually, I was able
to implement this through access_by_lua while I was having problems
and although it worked, performance was worse than using the fastcgi
authorizer on the other server. To improve performance, I could write
a module and I looked at using auth_pam however the pam conversation
on each request is extremely slow. It could be that all of this is
the wrong path. The basic requirement is user login with pam
authentication.

djczaski · December 5, 2012, 12:21pm

Hello!

On Tue, Dec 04, 2012 at 06:19:02PM -0800, agentzh wrote:

       add_header    X-Boo    "Hello World";
        auth_request_set $test $upstream_http_x_boo;
including subrequests.
The #2 and #3 are the reasons why the auth_request_set directive
exists: it allows to store variables specific to auth subrequest,
like $upstream_http_*, in variables of main request.

So the only valid problem in config is #1.

[…]

–
Maxim D.

djczaski · December 5, 2012, 5:01pm

agentzh Wrote:

  location = /auth {
        auth_request /auth;
the current request. It won’t inherit values from any other requests
BTW, I’m not sure what business requirements you’re trying to achieve
here but I think you can just use access_by_lua with
ngx.location.capture here in place of auth_request and you can inspect
the subrequest’s response headers easily in Lua.

I confirmed mistake #1 was my problem. Thank you for the help. I
benchmarked both approaches:

1.0  Nginx 1.3.8 no auth
1.4  Nginx 1.3.8 auth_request_set
1.5  Nginx 1.3.8 access_by_lua

Interestingly, Nginx 1.3.9 seemed to be about 3% slower than 1.3.8.
Surprisingly, Nginx 1.3.8 was about 8% slower than Lighttpd, which was
shocking. Serving static files, Nginx was much faster than Lighttpd.

Posted at Nginx Forum:

djczaski · December 5, 2012, 3:28pm

agentzh Wrote:

  location = /auth {
        auth_request /auth;
the current request. It won’t inherit values from any other requests
BTW, I’m not sure what business requirements you’re trying to achieve
here but I think you can just use access_by_lua with
ngx.location.capture here in place of auth_request and you can inspect
the subrequest’s response headers easily in Lua.

I confirmed mistake #1 was my problem. Thank you for the help. I
benchmarked both approaches:

1.0  Nginx 1.3.8 no auth
1.4  Nginx 1.3.8 auth_request_set
1.5  Nginx 1.3.8 access_by_lua

Interestingly, Nginx 1.3.9 seemed to be about 3% slower than 1.3.8.
Surprisingly, Nginx 1.3.8 was about 8% slower than Lighttpd, which was
shocking. Serving static files, Nginx was much faster than Lighttpd.

Posted at Nginx Forum:

djczaski · December 6, 2012, 4:02am

Hello!

On Tue, Dec 4, 2012 at 7:36 PM, djczaski wrote:

I was looking at nginx as a replacement of another web server in order
to improve performance on an embedded platform. Actually, I was able
to implement this through access_by_lua while I was having problems
and although it worked, performance was worse than using the fastcgi
authorizer on the other server.

How did you write your Lua code in access_by_lua? Are you using
blocking 3rd-party Lua libraries there?

Regards,
-agentzh

djczaski · December 6, 2012, 5:02am

Hello!

On Wed, Dec 5, 2012 at 7:33 PM, djczaski wrote:

No. Its basically:

local res = ngx.location.capture("/auth")
if res.status == 200 then
    ngx.var.test = res.headers["X-Boo"]
else
   ngx.exit(res.status)
end

It won’t help much in terms of performance. I thought you were using
Lua to implement an efficient nonblocking (if network I/O is involved)
authorizer and speeding it up with LuaJIT 2.0

Best regards,
-agentzh

djczaski · December 6, 2012, 4:34am

On Wed, Dec 5, 2012 at 10:02 PM, agentzh [email protected] wrote:

blocking 3rd-party Lua libraries there?
No. Its basically:

local res = ngx.location.capture("/auth")
if res.status == 200 then
    ngx.var.test = res.headers["X-Boo"]
else
   ngx.exit(res.status)
end