Welcome! Log In Create A New Profile

Advanced

auth_request + php-fpm + POST request

April 11, 2015 09:21AM
Hi,

I'm using the auth_request module to enable custom (2fa) authentication to protect my whole website, no matter the various applications I host on this website. So the auth_request directive is set at the "server" level.

The authentication subrequest works fine, except for client POST requests where the php auth script holds forever until I get a timeout in the nginx error.log :
"*1 upstream timed out (110: Connection timed out) while reading response header from upstream"

It took me a while guessing why, but my guess is, from the debug trace I created, that the PHP script sees both a "content-length" and "content-type" in the HTTP headers, but the request body is not being sent to the auth scripts (there's no need anyway, all I need is the cookies).

I had to trick the config to make it work, and that's what I'm sharing here, but I'd like to know if there's a more "standard" way to deal with this.

My nginx.conf file is standard, and here is the bits from my "sites-available" config file:
-----------------------------------------------------------------------------------------
server {
listen 443;
server_name www.example.eu;

ssl on;
ssl_certificate /etc/nginx/ssl/www.exemple.eu.crt;
ssl_certificate_key /etc/nginx/ssl/www.exemple.eu.key;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers 'AES256+EECDH:AES256+EDH';
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:10m;

root var/www/exemple.eu;
index index.php index.html index.htm;

auth_request /twofactorauth/auth/auth.php;

error_page 401 = @error401;

location @error401 {
return 302 $scheme://$host/twofactorauth/login/login.html;
}

location / {
try_files $uri $uri/ /index.html;
}

location ~ \.php$ {
fastcgi_pass unix:/var/run/php5-fpm.sock;
fastcgi_index index.php;
include fastcgi.conf;
}

location = /twofactorauth/auth/auth.php {
fastcgi_pass unix:/var/run/php5-fpm.sock;
include fastcgi.conf;
fastcgi_param REQUEST_METHOD "GET";
}

location /twofactorauth/login/ {
auth_request off;
location ~ \.php$ {
fastcgi_pass unix:/var/run/php5-fpm.sock;
fastcgi_index index.php;
include fastcgi.conf;
}
}
}
-----------------------------------------------------------------------------------------

See the trick ? The auth.php script is being forced a "GET" method even when the client used a POST request.

By the way, I didn't manage to get the whole auth_request config working using all the "proxy_pass" stuff. So I used a straight call to the auth.php script.

Any ideas are welcomed.
Cheers
Arno0x0x
Subject Author Posted

auth_request + php-fpm + POST request

Arno0x0x April 11, 2015 09:21AM

Re: auth_request + php-fpm + POST request

Maxim Dounin April 13, 2015 08:48AM

Re: auth_request + php-fpm + POST request

Arno0x0x April 13, 2015 09:42AM



Sorry, only registered users may post in this forum.

Click here to login

Online Users

Guests: 56
Record Number of Users: 6 on February 13, 2018
Record Number of Guests: 421 on December 02, 2018
Powered by nginx      Powered by FreeBSD      PHP Powered      Powered by MariaDB      ipv6 ready