I'm currently looking to extend the 'Auth Request' (http://mdounin.ru/hg/ngx_http_auth_request_module/) Nginx add-on module and have the module be able to conform (at least wherever possible) to the FastCGI "Authorizer" specification. The full specification is at http://www.fastcgi.com/drupal/node/22#S6.3 - the idea being the configured authorizer should be hit with a sub-request, and if a 200 is returned, then access allowed, with some manipulation of special headers. This is fine and I've successfully written extended the existing auth-request code.
However, for any other response aside from 200, the Authorizer specification states that the server must send the response status, headers, and content back to the HTTP client. In my specific FastCGI authorizer, it sends various 301/302 redirects to do single sign on. This is where I've gotten stuck.
So far, within the ngx_http_auth_request_handler function, I've managed to have this mostly working using this:
ngx_http_request_t *sr;
...
if (authorizer) {
sr = ctx->subrequest;
r->headers_out = sr->headers_out;
return ctx->status;
}
which results in sending the subrequest's headers and status back to the client. I'm unsure if this is sensible in replacing headers in this fashion - eg performance or memory wise - so could some please comment on this? It does work though.
However, all that said, the subrequest's response body is the missing piece of the puzzle. I did figure out that the ``sr`` above defaults to ``sr->header_only = 1``, so it is ignoring the response body. However, turning this off results in the subrequest returning the body response to the client before main response headers can be sent -- exactly as per the discussion here: http://forum.nginx.org/read.php?2,222427,222543 . Curiously, only the sub-request response body is sent to the client, not the headers as well. If this behaviour for the subrequest could be changed to send its headers as well, then this would solve my problem.
One way or another, I'd like to get the subrequest's response to the client as the whole response. Is this possible, and if so, how?
Thanks in advance!
-- David