Here is auth request module, it allows authorization based on
subrequest result. It works at access phase and therefore may be
nicely combined with other access modules (access, auth_basic) via
satisfy directive.
Here is auth request module, it allows authorization based on
subrequest result. It works at access phase and therefore may be
nicely combined with other access modules (access, auth_basic) via
satisfy directive.
This is really awesome!
But too sad the ngx_eval module can’t work in subrequests itself so I
can not combine this with ngx_eval + ngx_drizzle + ngx_rds_json to do
mysql-based auth
It’s mostly an issue in the ngx_eval, not your excellent
ngx_auth_request Our ngx_srcache module will also take advantage of
subrequests to do response caching.
For now, I’m using something like this for mysql-based login and it
works on my machine [1]:
location = /auth {
default_type ‘application/json’;
eval_subrequest_in_memory off;
eval $res {
set_quote_sql_str $user $arg_user;
set_quote_sql_str $pass $arg_pass;
set $sql ‘select count(*) res from users where name=$user
and passwd=$pass’;
drizzle_query $sql;
drizzle_pass backend;
rds_json on;
rds_json_content_type application/octet-stream;
}
if ($res ~ ‘“res”:1’) {
echo “Cool! you’re already logged in!”;
}
if ($res !~ ‘“res”:1’) {
return 403;
}
}
where the “backend” upstream name used in the drizzle_pass directive
is defined like this:
But too sad the ngx_eval module can’t work in subrequests itself so I
can not combine this with ngx_eval + ngx_drizzle + ngx_rds_json to do
mysql-based auth
It’s mostly an issue in the ngx_eval, not your excellent
ngx_auth_request
Accessing /bah gives the correct output (using the git HEAD of your
repos):
[baz]
But accessing /foo results in a segfault. Here’s the gdb output:
Program received signal SIGSEGV, Segmentation fault.
memcpy () at …/sysdeps/i386/i686/memcpy.S:100
100 …/sysdeps/i386/i686/memcpy.S: No such file or directory.
in …/sysdeps/i386/i686/memcpy.S
Current language: auto
The current source language is “auto; currently asm”.
(gdb) bt #0 memcpy () at …/sysdeps/i386/i686/memcpy.S:100 #1 0x0804fb6e in ngx_vslprintf (buf=0x3ffffafa <Address 0x3ffffafa
out of bounds>,
last=0xbffff3ac “\005”, fmt=0x80aaa1c “V?%V”", args=0xbffff3e4 “”)
at /usr/include/bits/string3.h:52 #2 0x0804be81 in ngx_log_error_core (level=805306387, log=0x80c6258,
err=527676,
fmt=0x64000000 <Address 0x64000000 out of bounds>) at
src/core/ngx_log.c:119 #3 0x88000075 in ?? ()
Backtrace stopped: previous frame inner to this frame (corrupt stack?)
By using ngx_echo module’s echo_location_async to issue the subrequest
gives identical segfault
I haven’t tracked deep into the source but at least the lines starting
from ngx_http_eval_module.c:141 don’t like subrequests’ contexts.
Sorry for the delay. I was in Hangzhou for other business in the last
few weeks
On Thu, Mar 11, 2010 at 12:04:14PM -0500, amvtek wrote:
Spassiba Maxim !
Can we consume request body both in :
/auth url
and the latter private url
Short answer: no
Long answer:
Currently request body isn’t read by auth request. In fact it
specially prevents this from happening, as an attempt to read
request body from subrequest will cause SIGSEGV - nginx doesn’t
expect this to happen.
Moreover, as of now request body may be used only once if it
doesn’t fit into memory, as first successful upstream request will
close temporary file used to buffer it. This may even cause
problems in nginx with official modules (e.g. ssi returned by
backend and ssi subrequests).
I’m not sure how to fix this properly. For now I tend to think
that only main request should be allowed to work with request body
and subrequest should always ignore it.
Thanks Maxim,
I think I get it now, request ‘body’ can be consumed at most one time,
this is a design decision which aims at protecting system ressources.
Best,
Marc
Posted at Nginx Forum:
This forum is not affiliated to the Ruby language, Ruby on Rails framework, nor any Ruby applications discussed here.