Previous Message Next Message
Forum List Message List New Topic Print View
W. Trevor King
October 25, 2014 12:28PM
The patch successfully passes through error codes, but I haven't been
able to find a way to distinguish between auth-endpoint errors and
errors from the authorized endpoint. For example, with:

location = /auth {
proxy_pass http://auth.example.com/;
proxy_pass_request_body off;
proxy_set_header Content-Length "";
proxy_set_header X-Original-URI $request_uri;
proxy_read_timeout 5s;
proxy_intercept_errors on;
error_page 504 =504 @504-auth;
}

location / {
auth_request /auth;
auth_request_intercept_errors off;
proxy_pass http://api.example.com/;
}

location @504-auth {
return 504 "auth timeout";
}

I get the generic 504 error when either auth.example.com or
api.example.com times out. I expect this is due to the auth_request
handler stripping the response body from the auth request, with a flow
like:

1. Client requests /abc.
2. Nginx matches location /, and creates a sub-request for /auth.
3. Nginx matches location /auth, and sends a request to
auth.example.com.
4. auth.example.com times out, Nginx creates a default 504 response.
5. The /auth error_page catches the 504 and adjusts the response
body.
6. Nginx exits the /auth location, returning the adjusted 504 to the
auth_request handler.
7. ngx_http_auth_request_handler strips the response body.
8. Nginx notices that the 504 doesn't have a body, and attaches the
default body.
9. A 504 with the default body is returned to the client.

I'm still trying to work out what's actually going on so I can respond
with an auth-specific timeout message. However, I thought I'd send
the current patch as is (since it works for folks who don't need an
auth-specific messages and just want to pass through the error codes).
Do folks besides me want this feature? Can anyone give me hints on
auth-specific error messages?

Thanks,
Trevor

--
This email may be signed or encrypted with GnuPG (http://www.gnupg.org).
For more information, see http://en.wikipedia.org/wiki/Pretty_Good_Privacy
_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-devel
Reply Quote
RSS
Subject Author Views Posted

[RFC] auth_request: Add auth_request_intercept_errors (on by default)

W. Trevor King 1992 October 25, 2014 12:24PM

Re: [RFC] auth_request: Add auth_request_intercept_errors (on by default)

W. Trevor King 695 October 25, 2014 12:28PM

Re: [RFC] auth_request: Add auth_request_intercept_errors (on by default)

Maxim Dounin 727 October 27, 2014 10:30AM



Sorry, you do not have permission to post/reply in this forum.

Online Users

Guests: 149
Record Number of Users: 8 on April 13, 2023
Record Number of Guests: 421 on December 02, 2018
Powered by nginx      Powered by FreeBSD      PHP Powered      Powered by MariaDB      ipv6 ready