NGINX Authentication Based on Subrequest Result
Hi, I am solving a problem with authentication based on the result of a sub-request in nginx.
´´´
server {
listen 80 default_server;
listen [::]:80 default_server;
Servername ;
root {{{.DocumentRoot}};
location / {
root {{{.DocumentRoot}}/web;
index index.html index.php;
#use this for a nice url
try_files $uri /$uri /index.html /index.php$is_args$args;
}
location /dist {
auth_request /auth;
#Error
error_page 401 = @auth_401_error;
error_page 403 = @auth_403_error;
error_page 404 = @auth_404_error;
error_page 500 = @auth_500_error;
error_page 502 = @auth_502_error;
try_files $uri $uri/ /index.php?$query_string; } location = /auth { internal; proxy_pass https://example.com/api/auth; proxy_method POST; proxy_set_header Accept "application/json"; proxy_set_header X-Original-URI $request_uri; proxy_set_header Content-Length ""; proxyredirect off; } ´´´ The call keeps returning me intrarnal error 500 instead of 401 nginx: 2024/12/09 09:14:10 [error] 686#686: *23 auth request unexpected status: 301 while sending to client, client: 10.3.132.4, server: , request: "GET /dist HTTP/1.1", host: "phpnginx0.xxx.zerops.app"
try_files $uri $uri/ /index.php?$query_string; } location = /auth { internal; proxy_pass https://example.com/api/auth; proxy_method POST; proxy_set_header Accept "application/json"; proxy_set_header X-Original-URI $request_uri; proxy_set_header Content-Length ""; proxyredirect off; } ´´´ The call keeps returning me intrarnal error 500 instead of 401 nginx: 2024/12/09 09:14:10 [error] 686#686: *23 auth request unexpected status: 301 while sending to client, client: 10.3.132.4, server: , request: "GET /dist HTTP/1.1", host: "phpnginx0.xxx.zerops.app"
7 Replies
Hi, first I'd try to simplify it. If the auth service is in the same instance in zerops, there is no need to go through the public address, but use the internal hostname and http protocol.
I also think that it is not necessary to route the
/auth path through this nginx, but to set public http routing to route directly to the auth service.
https://docs.zerops.io/features/access#configure-public-http-routingZerops subdomain, custom domains & IP access | Zerops
Explore how you can work with subdomains, custom domains and ip access on Zerops.
Assuming of course that the auth service is in zerops 🙂
Unfortunately the service is running on a third party server
Okay, so that's a different story.
And if you try to simulate reuqest via
curl from container, does everything work?Also returns 301
curl -I -X POST https://example.com/api/auth
´´´
HTTP/2 301
server: nginx
date: Mon, 09 Dec 2024 09:27:18 GMT
content-type: text/html; charset=iso-8859-1
content-length: 245
´´´
Postman answers correctly on request
In this case, nginx must follow the redirection based on the returned headers.
Maybe something like this might help.
https://serverfault.com/questions/423265/how-to-follow-http-redirects-inside-nginx
Server Fault
How to follow HTTP redirects inside nginx?
I have an nginx-based HTTP proxy and I would like to process all HTTP redirects inside it so that clients get only the last response in the redirect chain.
The basic code looks like:
location /pr...