Nginx http auth module query

Hi,

I have the following use case -

I have nginx running at port 80 and a php hiphop server running at 4247.
I want to achieve the following configuration -

Whenever a request is received at nginx port 80, it should be sent to
some auth_url (say auth.php) and if it is authorized then it should be
forwarded/proxied to hiphop server running at 4247. If not some error
page should be thrown.

I was looking through ngx_http_auth_request_module and other inbuilt
modules. But I have the following doubts -

  1. What could the possible config look like where both
    ngx_http_auth_request_module and proxy_pass are included?
  2. For my auth.php, what should it return true/false or something else?

Thanks,
Karan

Posted at Nginx Forum:

On 17 Fev 2012 03h49 WET, [email protected] wrote:

> some error page should be thrown.
> Karan

Schematically:

location /index.php {
    error_page 401 403 /not_authorized.html;
    auth_request /auth.php;
    proxy_pass http://hiphop:4247;
}

location = /auth.php {
    # FCGI stuff or whatever PHP CGI you're using.
    # auth.php should return 401 or 403 when auth process fails, return
    # 200 otherwise
}

— appa

Thanks for the response.

For this -

location /index.php {
    error_page 401 403 /not_authorized.html;
    auth_request /auth.php;
    proxy_pass http://hiphop:4247;
}

Does it mean that auth.php should be available via the url -
http://hiphop:4247/auth.php ?

location = /auth.php {
    # FCGI stuff or whatever PHP CGI you're using.
    # auth.php should return 401 or 403 when auth process fails, return
    # 200 otherwise
}

Does it enter this section after it gets 2xx response from auth.php?

Posted at Nginx Forum:

Thanks it works !

Posted at Nginx Forum:

One additional question here -

In this as I understand it redirects to error_page on receiving a 4xx
status code. Is it possible that nginx reads the value of error page
from a custom header which comes along with the response (with 4xx
status code) and then assign the value of error_page to that value.

Posted at Nginx Forum:

Hello!

On Fri, Feb 17, 2012 at 03:57:50AM -0500, karanj wrote:

> One additional question here -
>
> In this as I understand it redirects to error_page on receiving a 4xx
> status code. Is it possible that nginx reads the value of error page
> from a custom header which comes along with the response (with 4xx
> status code) and then assign the value of error_page to that value.

You may use auth_request_set to make headers available as
variables in main request.

See docs here:

http://mdounin.ru/hg/ngx_http_auth_request_module/file/tip/README#l23

Sample usage may be seen in tests here:

http://mdounin.ru/hg/ngx_http_auth_request_module/file/tip/t/auth-request-set.t

Maxim D.

It doesn’t work for me.

I have 3 files running under HipHop -

  1. /tf/test.php - This file sets the session variable -
    $_SESSION['X-ErrorPage']='/tf2/test.php';
    and then sends header("HTTP/1.1 401 Unauthorized");
  2. /tf2/test2.php - This prints "It works"
  3. /tf2/test.php - This prints "Error Page"

My config looks like this -
The output on running http://112.11.23.221:8080/tf2/test2.php should be
- "Error Page". But this is not happening.

The nginx error logs shows the following -

2012/02/17 18:52:45 [error] 10103#0: *4 the rewritten URI has a zero
length, client: 122.179.93.88, server: 112.11.23.221, request: "GET
/tf2/test2.php HTTP/1.1", host: "112.11.23.221:8080"

server {
    listen 8080;
    server_name 112.11.23.221;

    location / {
        auth_request /tf/test.php;
        proxy_pass http://127.0.0.1:4247;
        error_page 401 = /40x.html;
    }

    location /tf/test.php {
        proxy_pass http://127.0.0.1:4247;
    }

    location = /40x.html {
        auth_request_set $err $upstream_http_x_errorpage;
        rewrite /40x.html $err;
        proxy_pass http://127.0.0.1:4247;
    }
}

Posted at Nginx Forum:

On 17 Fev 2012 04h08 WET, [email protected] wrote:

> Does it mean that auth.php should be available via the url -
> http://hiphop:4247/auth.php ?

You must create a location that overrides the “default” PHP
handling location.

> location = /auth.php {
>     # FCGI stuff or whatever PHP CGI you're using.
>     # auth.php should return 401 or 403 when auth process fails, return
>     # 200 otherwise
> }

location = /auth.php {
    proxy_pass_request_body off;
    proxy_set_header Content-Length '';
    proxy_set_header X-Original-URI $request_uri;
    proxy_pass http://hiphop:4247;
}

Note that the auth_request module only uses the headers. So your
auth.php authorization script must take that into account.

> Does it enter this section after it gets 2xx response from auth.php?

When the /auth.php location returns 200 then the request is
authorized and the request is proxy passed to the hiphop upstream in
the index.php location from the above example.

— appa

One correction -
/tf/test.php - This file sets the header -
header('X-ErrorPage: /tf2/test.php');
and then sends header("HTTP/1.1 401 Unauthorized");

Posted at Nginx Forum:

That worked. Awesome and thanks a lot !


Karan

Posted at Nginx Forum:

Hello!

On Fri, Feb 17, 2012 at 08:30:33AM -0500, karanj wrote:

> The output on running http://112.11.23.221:8080/tf2/test2.php should be
> server_name 112.11.23.221;
> location = /40x.html {
> auth_request_set $err $upstream_http_x_errorpage;
> rewrite /40x.html $err;
> proxy_pass http://127.0.0.1:4247;
> }
> }

You have to use auth_request_set in the same location with
auth_request directive.

location / {
    auth_request /tf/test.php;
    auth_request_set $err $upstream_http_x_errorpage;
    ...
}

...

Maxim D.
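
A configuration that puts the advice in this thread together, added here as an example and not posted by any participant. The backend address, /tf/test.php and the X-ErrorPage header come from the thread; the map allow-list, the `internal` directives, the /not_authorized.html fallback and its root path are assumptions of this example.

```nginx
# http context. Allow-list for the error page named by the auth backend:
# a missing or unexpected X-ErrorPage value falls back to a static page,
# so error_page never receives an empty or arbitrary URI.
map $err $error_target {
    default          /not_authorized.html;
    /tf2/test.php    /tf2/test.php;
}

server {
    listen 8080;

    location / {
        auth_request     /tf/test.php;
        # Must sit in the same location as auth_request: copies the
        # subrequest's X-ErrorPage response header into $err.
        auth_request_set $err $upstream_http_x_errorpage;
        # No "=" here, so the client still receives the 401/403 status.
        error_page 401 403 $error_target;
        proxy_pass http://127.0.0.1:4247;
    }

    # Auth subrequest target. "internal" keeps clients from calling it
    # directly; only headers are forwarded, as noted in the thread.
    location = /tf/test.php {
        internal;
        proxy_pass_request_body off;
        proxy_set_header Content-Length "";
        proxy_set_header X-Original-URI $request_uri;
        proxy_pass http://127.0.0.1:4247;
    }

    # Error pages get their own exact-match locations so the internal
    # redirect from error_page does not run auth_request a second time.
    location = /tf2/test.php {
        internal;
        proxy_pass http://127.0.0.1:4247;
    }

    location = /not_authorized.html {
        internal;
        root /usr/share/nginx/html;  # assumed path for the static page
    }
}
```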