3

when the backend proxy used in auth_request returns an error code different from 401 or 403, nginx is returning a 500 error code.

The ngx_http_auth_request_module module (1.5.4+) implements client authorization based on the result of a subrequest. If the subrequest returns a 2xx response code, the access is allowed. If it returns 401 or 403, the access is denied with the corresponding error code. Any other response code returned by the subrequest is considered an error.

Is there a way to make nginx returns the status code from the backend and not 500 ?

jobou
  • 193
  • 1
  • 6
  • You can make it return a specific code inplace of another with something like this `error_page 502 503 504 =404;` does that help? – Drifter104 Oct 13 '16 at 10:35
  • @Drifter104 this is the fallback solution I put in place for now. But my backend can return 404, 400 and 401 error codes depending on some parameters. So with this solution I can only return one status code. – jobou Oct 13 '16 at 10:43

1 Answers1

1

I found a working solution. It uses the fact that auth_request will always return a 500 error code in case of a backend error different from 401 or 403 :

error_page 500 @process_backend_error;

location / {
    auth_request /auth
    auth_request_set $backend_status $upstream_status
}

location /auth {
    proxy_pass ...
}

location @process_backend_error {
    # here you have access to $backend_status which contains the returned status code from your autorization backend
}

Beware that the returned status code in $backend_status is a string.

jobou
  • 193
  • 1
  • 6
  • I'm getting `invalid number of arguments in "auth_request_set" directive` – blockloop Jan 11 '17 at 20:10
  • 2
    You should not : http://nginx.org/en/docs/http/ngx_http_auth_request_module.html#auth_request_set The documentation states that it needs 2 arguments. Maybe an issue that I did not put the semi colon at the end of each statement in my answer. – jobou Jan 12 '17 at 09:02