Limit_except strange by bug or design?

I have a problem with the limit_except command. I try to offer a
public Mercurial-Repository with nginx as frontend. In short: GET is
allowed, POST needs authentication.

In my simple mind I thought this config would fit:

config
     location /public/ {
             limit_except GET {
                     auth_basic "Authenticate";
                     auth_basic_user_file /var/hg/hg_user;
             }

             set  $path_info      "";
             if ($fastcgi_script_name ~ "^(/.+)$") {
                     set  $path_info $1;
             }

             include        fastcgi_params;
             fastcgi_param  AUTH_USER          $remote_user;
             fastcgi_param  REMOTE_USER        $remote_user;
             fastcgi_param  SCRIPT_NAME "";
             fastcgi_param  PATH_INFO $path_info;
             fastcgi_pass   127.0.0.1:10040;
     }

/config

In practice it ends with this situation: GET works as expected;
trying POST ends with a timeout at clientside and this log at
serverside:

log
2009/09/11 11:07:39 [error] 21423#0: *361 “/var/hg/www/public/
repository/index.html” is not found (2:
No such file or directory), client: 213.170.191.78, server:
hg.domain.com, request: “POST /public/repository/?
cmd=unbundle&heads=3853d3bd894379d0bd69822fccdabf6b90cf53a3 HTTP/1.1”,
host: “hg.domain.com
/log

the “…/index.html is not found” says to me that the fastcgi-part is
ignored. By intention or bug. Am I right?

What is the intention of this approach? Is there a better way of
solving this problem?

I am stumped

Micha

Hello!

On Sun, Sep 13, 2009 at 08:54:37PM +0200, Micha G. wrote:

the “…/index.html is not found” says to me that the fastcgi-part is
ignored. By intention or bug. Am I right?

Yes. Directive limit_except effectively creates another location
with separate configuration, and fastcgi_pass isn’t inherited
there.

For proxy_pass you should be able to do

location / {
    limit_except GET {
        auth_basic ...
        proxy_pass http://master-backend;
    }
    proxy_pass http://slave-backends;
}

It’s not allowed now for fastcgi_pass though. You should either
patch it by hand or use another approach - e.g. just rewrite
non-GET/HEAD requests to another location with authentication
required.

Maxim D.
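
One way to write the rewrite approach suggested in the reply above, as an added example that is not part of the original thread: non-GET/HEAD requests are rewritten internally to a separate location that requires authentication and has its own fastcgi_pass. The /hg-auth prefix and the hg_path capture name are assumptions (named captures need a newer nginx than the one in this thread); paths and the backend address are taken from the config in the question.

```nginx
# Read access: GET/HEAD are served without authentication.
location /public/ {
    # Rewrite-module directives run in order, so this check comes first.
    # Any other method is moved to the protected location below;
    # rewrite carries the query string (cmd=unbundle&...) over.
    if ($request_method !~ ^(GET|HEAD)$) {
        rewrite ^ /hg-auth$uri last;   # /hg-auth is an assumed prefix
    }

    set $path_info "";
    if ($fastcgi_script_name ~ "^(/.+)$") {
        set $path_info $1;
    }

    include        fastcgi_params;
    # auth_basic is not enforced here, so no user name is forwarded.
    fastcgi_param  AUTH_USER    "";
    fastcgi_param  REMOTE_USER  "";
    fastcgi_param  SCRIPT_NAME  "";
    fastcgi_param  PATH_INFO    $path_info;
    fastcgi_pass   127.0.0.1:10040;
}

# Write access: reachable only through the rewrite above.
location ~ ^/hg-auth(?<hg_path>/public/.*)$ {
    internal;   # a direct client request for /hg-auth/... is answered with 404

    auth_basic            "Authenticate";
    auth_basic_user_file  /var/hg/hg_user;

    include        fastcgi_params;
    fastcgi_param  AUTH_USER    $remote_user;
    fastcgi_param  REMOTE_USER  $remote_user;
    fastcgi_param  SCRIPT_NAME  "";
    # hg_path (assumed name) holds the original /public/... path,
    # so the backend sees the same PATH_INFO as for a GET.
    fastcgi_param  PATH_INFO    $hg_path;
    fastcgi_pass   127.0.0.1:10040;
}
```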