5

I am trying to use the auth_request module to check whether a user is allowed to access a certain file. The user posts the request at /my/download/uri/<File ID>. I want the authorisation request to be posted at auth_service:9999/files/<File ID>. The relevant part of my config is as follows:

location /my/download/uri {
    auth_request /auth/files/$uri;
    alias /my/file/directory;
}
location /auth {
    internal;
    proxy_pass http://auth_service:9999/;
    proxy_pass_request_body off;
    proxy_set_header Content-Length "";
}

The request is received by the authorisation service, but at literally /files/$uri; the variable is not placed. I have tried getting the URI ready via a set variable first, but to no avail. How can I get nginx to properly direct the authorisation request?

(Note: I am aware I can include the original request in the header of the authorisation request via X-Original-URI. However, this would mean I have to do additional processing of the full URI on the authorisation server to get the relevant data, which I would rather not do if there is a way to post the authorisation request to the correct URI in the first place.)

Wichilie
  • 117
  • 1
  • 8
  • Try to use `auth_request /auth;` and `proxy_pass http://auth_service:9999/files/$uri;` – Ivan Shatsky Apr 02 '20 at 10:28
  • @IvanShatsky Adding `$uri` to the `proxy_pass` in `/auth` causes nginx to give the following error: `[error] 6#6: *2 no resolver defined to resolve auth` – Wichilie Apr 02 '20 at 10:54
  • Forwarding `$uri` to the authorisation service via header and printing it reveals that it is `/auth`, not the file ID. It looks like `auth_request` ignores the current URI. – Wichilie Apr 02 '20 at 11:14
  • @Wichilie did you manage to get it working? having the same issue – StasKolodyuk Oct 26 '20 at 09:36
  • I've been trying to get this to work, and it seems the only way is `proxy_set_header X-Original-URI $request_uri;` and having the auth backend parse the query parameters as you are trying to avoid. It's annoying, but passing query parameters to auth_request isn't supported in nginx at this time. https://trac.nginx.org/nginx/ticket/761 – geckels1 Jun 10 '23 at 03:45

2 Answers2

0

You cant use variables in auth_request this is apparently a design choice for nginx https://trac.nginx.org/nginx/ticket/761 I came up with this through trial and error. I had trouble putting $uri in a variable, not sure why.

location ~ /my/download/uri/(.*) {
    set $key $1
    auth_request /auth;
    alias /my/file/directory;
}
location /auth {
    internal;
    proxy_pass http://auth_service:9999/$key;
    proxy_pass_request_body off;
    proxy_set_header Content-Length "";
}
1337cookie
  • 101
  • 2
  • It seems the solution is the same as https://stackoverflow.com/a/25865833/1663197 and shares the same concerns about the mutable variable across many requests. How does nginx handle this? – AleXoundOS Aug 15 '21 at 21:05
0

I use this way and it works for my case

location = /auth {
    internal;
    proxy_pass http://auth-server$request_uri;
}
Kiart Tantasi
  • 1
  • 1
  • Your answer could be improved with additional supporting information. Please [edit] to add further details, such as citations or documentation, so that others can confirm that your answer is correct. You can find more information on how to write good answers [in the help center](/help/how-to-answer). – Community Mar 22 '23 at 00:58