Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Nginx auth_request handler accessing POST request body?

I'm using Nginx (version 1.9.9) as a reverse proxy to my backend server. It needs to perform authentication/authorization based on the contents of the POST requests. And I'm having trouble reading the POST request body in my auth_request handler. Here's what I got.

Nginx configuration (relevant part):

server {
    location / {
        auth_request /auth-proxy;
        proxy_pass http://backend/;
    }

    location = /auth-proxy {
        internal;
        proxy_pass http://auth-server/;
        proxy_pass_request_body on;
        proxy_no_cache "1";
    }
}

And in my auth-server code (Python 2.7), I try to read the request body like this:

class AuthHandler(BaseHTTPServer.BaseHTTPRequestHandler):
    def get_request_body(self):
        content_len = int(self.headers.getheader('content-length', 0))
        content = self.rfile.read(content_len)
        return content

I printed out the content_len and it had the correct value. However, the self.rfile.read() will simply hang. And eventually it will time out and returns "[Errno 32] Broken pipe".

This is how I posted test data to the server:

$ curl --data '12345678' localhost:1234

The above command hangs as well and eventually times out and prints "Closing connection 0".

Any obvious mistakes in what I'm doing?

Thanks much!

like image 348
yty Avatar asked Nov 17 '16 01:11

yty


1 Answers

The code of the nginx-auth-request-module is annotated at nginx.com. The module always replaces the POST body with an empty buffer.

In one of the tutorials, they explain the reason, stating:

As the request body is discarded for authentication subrequests, you will need to set the proxy_pass_request_body directive to off and also set the Content-Length header to a null string

The reason for this is that auth subrequests are sent at HTTP GET methods, not POST. Since GET has no body, the body is discarded. The only workaround with the existing module would be to pull the needed information from the request body and put it into an HTTP header that is passed to the auth service.

like image 193
JoshRivers Avatar answered Sep 24 '22 11:09

JoshRivers