Why must we read the request body before doing a subrequest using OpenResty / nginx lua?

Question

We are partly delegating nginx access control to a separate service, and we use access_by_lua_file and lua-resty-hawk and subrequests to do the authentication of the request.

The docs say:

You should always read the request body (by either calling ngx.req.read_body or configuring lua_need_request_body on) before initiating a subrequest.

Originally we had missed this detail, things appeared to be working. I was trying to find more background information on this requirement but came up empty.

It would be nice to authorize the request before reading the body, since we may be able to terminate the connection early and prevent a kind of DoS attack if clients are just trying to upload all sorts of junk and fill our disk.

Why is this restriction in place?

Answer 1

Since no one answered this question I want to clarify the reason by just quoting the official documentation.

always_forward_body when set to true, the current (parent) request's request body will always be forwarded to the subrequest being created if the body option is not specified. The request body read by either ngx.req.read_body() or lua_need_request_body on will be directly forwarded to the subrequest without copying the whole request body data when creating the subrequest (no matter the request body data is buffered in memory buffers or temporary files). By default, this option is false and when the body option is not specified, the request body of the current (parent) request is only forwarded when the subrequest takes the PUT or POST request method.

To be short, if option body is not specified, the body of current request may be used so you need to read the request body first.

As you can see this is not compulsory, so things in your case appeared working.