skip to Main Content

I tried to configure auth sub request like this documentation

Client send request with authorization header to protected resource via nginx.
But when nginx send subrequest to check access, authorization header in subrequest is missed.

i tried to use this parameters in auth location:

proxy_set_header authorization $http_authorization;

But it didn’t get result.

2

Answers


  1. Chosen as BEST ANSWER

    The problem was with CORS requests. OPTIONS request didn't contain Authorization header. And auth service returned error.

    Solution:

    location /backend {
        auth_request                /auth;
        proxy_pass                  http://backend;
    }
    location /auth {
        if ($request_method = 'OPTIONS') {
            return 200;
        }
        proxy_pass                  http://auth;
    }
    

  2. Special nginx variables like $http_<name> are not shared with the subrequests (update: this is a wrong assumption, request headers actualy gets shared with the subrequests, see the update to the answer). That internal nginx subrequests API is very special thing, many modules that makes use of it do not even share variable containers between main request and subrequests. However the auth_request_module is some kind of exception, making possible a workaround using the intermediate variable:

    location /auth {
        proxy_set_header Authorization $main_auth;
        proxy_pass ...
    }
    location / {
        set $main_auth $http_authorization;
        auth_request /auth;
        ...
    }
    

    Ok, after testing this myself I can state a couple of facts.

    1. Authorization header (as well as other main request headers) gets added to the subrequest. However it can be redefined for the subrequest explicitly:

      location /auth {
          proxy_set_header Authorization "sub";
          proxy_pass ...
      }
      

      or removed from the subrequest completely:

      location /auth {
          proxy_set_header Authorization "";
          proxy_pass ...
      }
      
    2. Intermediate variable does work for passing data from main request to the subrequest made by auth_request_module:

      location /auth {
          proxy_set_header X-From $from;
          proxy_pass ...
      }
      location / {
          set $from "from-main";
          auth_request /auth;
          ...
      }
      

      An auth backend will receive the X-From: from-main HTTP header.

    Login or Signup to reply.
Please signup or login to give your own answer.
Back To Top
Search