-1

I have a scenario when server needs to do authorization request before an actual request. so, one request are served by 2 different services.

Nginx's location has to be handled by Auth-Service, and if the response status is 200 OK, then the request should be forwarded to the Feature-Service. Otherwise, if the response status 401 then this status should be replied to front-end.

upstream auth_service {
    server localhost:8180;
}
upstream feature_service {
    server localhost:8080;
}
location /authAndDo {
    # suggest here
}

Code snippet in nginscript will be also OK.

yvs
  • 507
  • 3
  • 19
  • 1
    The proper platform for asking server configuration questions is serverfault.com, not SO where it is off topic: "Questions on professional server, networking, or related infrastructure administration are off-topic for Stack Overflow unless they directly involve programming or programming tools. " https://stackoverflow.com/help/on-topic – Rob Jun 16 '17 at 23:52
  • @Rob I suppose it involves nginscript programming. I think it's not possible to avoid scripting to make such a sequence for ngx loc. – yvs Jun 17 '17 at 10:58
  • 1
    Can you show us the code snippets of what you have tried so far and explain specifically what is not working correctly with those attempts? – takendarkk Jun 17 '17 at 11:44
  • 1
    @csm_dev I am curious about the best approach to solve the problem. I would not ask if i knew it. i can write the nginscript code, but maybe i should not do it but start to implement own nginx module or something else. – yvs Jun 17 '17 at 15:09
  • @yvs, could you please kindly see if my answer solve the problem, and, if so, accept the answer and/or award the bounty. If you do neither, at least half of the bounty will go to /dev/null. Thanks. P.S. FYI: I did +1 your Q. – cnst Jun 24 '17 at 18:36

2 Answers2

3

Specifically for this purpose, http://nginx.org/r/auth_request exists through http://nginx.org/docs/http/ngx_http_auth_request_module.html (not built by default).

It lets you put authentication, through a subrequest, into any location you want, effectively separating the authentication from the actual resource.

cnst
  • 25,870
  • 6
  • 90
  • 122
2

In general, such not possible from web server. 401 is a response at front end plus gives HTTP WWW-Authenticate response header. Develop web application according to need or edit 401 file. HTTP 401 has RFC specification. Users, browsers should understand the message. Nginx doc described how 401 will be handled.

Nginx community edition's auth_request will only process if the subrequest returns HTTP 200, else for 401 will not redirect more than to 401 by default, other headers will not be process the response to protect the application & the users. Nginx community edition not even support all features of HTTP/2. It can go worser.

Apache2 web server has full HTTP/2 support and custom 401 location in auth module and works only on few browsers. Few browsers allow Apache2 to do that perfectly. Others show fail to load page. On Stack Exchange networks's various subdomains peoples asked before for Apache2 to make it working for all the browsers.

Hardly you can redirect on Nginx :

error_page 401 /401.html;

location ~ (401.html)$ {
    alias /usr/share/nginx/html/$1;
}

Another way may be using reverse proxy with another server like peoples talking here on Github. I can not give warranty of failure of loading page.

Community
  • 1
  • 1
Abhishek Ghosh
  • 1,161
  • 9
  • 19