Hi,
I’m using the auth_request module to enable custom (2fa) authentication
to
protect my whole website, no matter the various applications I host on
this
website. So the auth_request directive is set at the “server” level.
The authentication subrequest works fine, except for client POST
requests
where the php auth script holds forever until I get a timeout in the
nginx
error.log :
“*1 upstream timed out (110: Connection timed out) while reading
response
header from upstream”
It took me a while guessing why, but my guess is, from the debug trace I
created, that the PHP script sees both a “content-length” and
“content-type”
in the HTTP headers, but the request body is not being sent to the auth
scripts (there’s no need anyway, all I need is the cookies).
I had to trick the config to make it work, and that’s what I’m sharing
here,
but I’d like to know if there’s a more “standard” way to deal with this.
My nginx.conf file is standard, and here is the bits from my
“sites-available” config file:
server {
listen 443;
server_name www.example.eu;
ssl on;
ssl_certificate /etc/nginx/ssl/www.exemple.eu.crt;
ssl_certificate_key /etc/nginx/ssl/www.exemple.eu.key;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers ‘AES256+EECDH:AES256+EDH’;
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:10m;
root var/www/exemple.eu;
index index.php index.html index.htm;
auth_request /twofactorauth/auth/auth.php;
error_page 401 = @error401;
location @error401 {
return 302 $scheme://$host/twofactorauth/login/login.html;
}
location / {
try_files $uri $uri/ /index.html;
}
location ~ .php$ {
fastcgi_pass unix:/var/run/php5-fpm.sock;
fastcgi_index index.php;
include fastcgi.conf;
}
location = /twofactorauth/auth/auth.php {
fastcgi_pass unix:/var/run/php5-fpm.sock;
include fastcgi.conf;
fastcgi_param REQUEST_METHOD “GET”;
}
location /twofactorauth/login/ {
auth_request off;
location ~ .php$ {
fastcgi_pass unix:/var/run/php5-fpm.sock;
fastcgi_index index.php;
include fastcgi.conf;
}
}
}
See the trick ? The auth.php script is being forced a “GET” method even
when
the client used a POST request.
By the way, I didn’t manage to get the whole auth_request config working
using all the “proxy_pass” stuff. So I used a straight call to the
auth.php
script.
Any ideas are welcomed.
Cheers
Arno0x0x
Posted at Nginx Forum: