Hi,

I'm trying to use the auth_request module in conjunction with the more_set_input_headers to automatically log in my users into web apps. Basically, it works like this:

1. Users have some session cookie that authenticates them.
2. I have a PHP script (auth.php) that validates the cookie and returns their proper username as a response header.
3. Nginx calls auth.php with auth_request, and sets the username in a variable.
4. Nginx then calls the web app with a request header set to the correct username.
5. The web app reads the header, and logs the user in.

This works, but strangely inconsistent. The issue is that when a user accesses the web app on /app/, it works (the request header is sent), but when the app is accessed on /app/index.php, it never receives the header from nginx.

I've created a mock configuration that reproduces the error. It doesn't matter if I use a browser or cURL; both give the same behavior.

I thought it'd be a bit hard to view configuration files on a mailing list, so I've created a topic on ServerFault. Reply whichever way you like best. Topic is here: http://serverfault.com/questions/608625/inconsiste...

Thanks a lot! This issue has kept me up for a few days now already.
on 2014-06-28 19:36
on 2014-07-01 00:53
Hello!

On Sat, Jun 28, 2014 at 05:35:27PM +0000, email@example.com wrote:

> 3. Nginx calls auth.php with auth_request, and sets the username in a
> variable.
> 4. Nginx then calls the web app with a request header set to the correct
> username.
> 5. The web app reads the header, and logs the user in.
>
> This works, but strangely inconsistent. The issue is that when a user
> accesses the web app on /app/, it works (the request header is sent), but
> when the app is accessed on /app/index.php, it never receives the header
> from nginx.

This behaviour is likely due to the fact that the "more_set_input_headers" handler is executed before the access phase (where auth_request works), and hence only changes a request if it's internally redirected.

The solution to the problem is to stop using "more_set_input_headers" (it's very wrong anyway, request headers shouldn't be changed) and use native "fastcgi_param" instead:

    fastcgi_param HTTP_X_TEST_HEADER $auth_header;

> http://serverfault.com/questions/608625/inconsiste...

Will link this answer there.

-- 
Maxim Dounin
http://nginx.org/
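
The setup discussed in this thread, sketched as an added configuration example that is not part of the original messages or the poster's ServerFault config. The response header name X-Username, the file paths, the PHP-FPM socket and the location layout are assumptions; auth.php, /app/, $auth_header and HTTP_X_TEST_HEADER come from the thread.

```nginx
server {
    listen 80;
    root  /var/www;              # placeholder document root
    index index.php;             # /app/ is internally redirected to /app/index.php

    # Auth subrequest target: validates the session cookie and answers
    # 2xx (allow) or 401/403 (deny). "internal" keeps clients from
    # calling it directly.
    location = /auth.php {
        internal;
        fastcgi_pass_request_body off;   # the subrequest does not need the body
        fastcgi_param REQUEST_METHOD  GET;
        fastcgi_param SCRIPT_FILENAME $document_root/auth.php;
        fastcgi_pass  unix:/run/php-fpm.sock;   # placeholder socket
    }

    # Both /app/ (after the index redirect) and /app/index.php end up here,
    # so the access-phase check and the parameter below apply to both.
    location ~ ^/app/.+\.php$ {
        auth_request     /auth.php;
        # X-Username is an assumed name for the response header that
        # auth.php returns with the validated username.
        auth_request_set $auth_header $upstream_http_x_username;

        include       fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        # Evaluated when the FastCGI request is built, i.e. after the
        # access phase, so $auth_header is already populated.
        fastcgi_param HTTP_X_TEST_HEADER $auth_header;
        fastcgi_pass  unix:/run/php-fpm.sock;   # placeholder socket
    }
}
```

The application sees the value as `$_SERVER['HTTP_X_TEST_HEADER']`. Because the username is set server-side from the auth subrequest, the application should trust it only when it is reachable exclusively through this nginx instance.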