Mistake #1: The add_header directive from the standard ngx_headers
module has no effect on subrequests while your location /auth here is
accessed by a subrequest issued via the auth_request directive.
Mistake #2: The $upstream_http_XXX variables are only meaningful when
the current location is configured by one of those Nginx upstream
modules like ngx_proxy, ngx_fastcgi, ngx_uwsgi, and etc. Here your
current location, location /test, is not configured by any Nginx
upstream modules (neither ngx_auth_request nor ngx_lua are upstream
modules).
Mistake #3: The $upstream_http_XXX variables are only in effect for
the current request. It won’t inherit values from any other requests
including subrequests.
BTW, I’m not sure what business requirements you’re trying to achieve
here but I think you can just use access_by_lua with
ngx.location.capture here in place of auth_request and you can inspect
the subrequest’s response headers easily in Lua.
This was an attempt to make a simple example. The authentication
comes from a fastcgi process.
Mistake #2: The $upstream_http_XXX variables are only meaningful when
the current location is configured by one of those Nginx upstream
modules like ngx_proxy, ngx_fastcgi, ngx_uwsgi, and etc. Here your
current location, location /test, is not configured by any Nginx
upstream modules (neither ngx_auth_request nor ngx_lua are upstream
modules).
The fastcgi process from /auth sets some headers which I need to
forward into parameters for a second fastcgi processes.
BTW, I’m not sure what business requirements you’re trying to achieve
here but I think you can just use access_by_lua with
ngx.location.capture here in place of auth_request and you can inspect
the subrequest’s response headers easily in Lua.
I was looking at nginx as a replacement of another web server in order
to improve performance on an embedded platform. Actually, I was able
to implement this through access_by_lua while I was having problems
and although it worked, performance was worse than using the fastcgi
authorizer on the other server. To improve performance, I could write
a module and I looked at using auth_pam however the pam conversation
on each request is extremely slow. It could be that all of this is
the wrong path. The basic requirement is user login with pam
authentication.
including subrequests.
The #2 and #3 are the reasons why the auth_request_set directive
exists: it allows to store variables specific to auth subrequest,
like $upstream_http_*, in variables of main request.
the current request. It won’t inherit values from any other requests
BTW, I’m not sure what business requirements you’re trying to achieve
here but I think you can just use access_by_lua with
ngx.location.capture here in place of auth_request and you can inspect
the subrequest’s response headers easily in Lua.
I confirmed mistake #1 was my problem. Thank you for the help. I
benchmarked both approaches:
Interestingly, Nginx 1.3.9 seemed to be about 3% slower than 1.3.8.
Surprisingly, Nginx 1.3.8 was about 8% slower than Lighttpd, which was
shocking. Serving static files, Nginx was much faster than Lighttpd.
the current request. It won’t inherit values from any other requests
BTW, I’m not sure what business requirements you’re trying to achieve
here but I think you can just use access_by_lua with
ngx.location.capture here in place of auth_request and you can inspect
the subrequest’s response headers easily in Lua.
I confirmed mistake #1 was my problem. Thank you for the help. I
benchmarked both approaches:
Interestingly, Nginx 1.3.9 seemed to be about 3% slower than 1.3.8.
Surprisingly, Nginx 1.3.8 was about 8% slower than Lighttpd, which was
shocking. Serving static files, Nginx was much faster than Lighttpd.
I was looking at nginx as a replacement of another web server in order
to improve performance on an embedded platform. Actually, I was able
to implement this through access_by_lua while I was having problems
and although it worked, performance was worse than using the fastcgi
authorizer on the other server.
How did you write your Lua code in access_by_lua? Are you using
blocking 3rd-party Lua libraries there?
local res = ngx.location.capture("/auth")
if res.status == 200 then
ngx.var.test = res.headers["X-Boo"]
else
ngx.exit(res.status)
end
It won’t help much in terms of performance. I thought you were using
Lua to implement an efficient nonblocking (if network I/O is involved)
authorizer and speeding it up with LuaJIT 2.0