Does NGINX read auth_basic_user_file on every connection?

classic Classic list List threaded Threaded
2 messages Options
RA
Reply | Threaded
Open this post in threaded view
|

Does NGINX read auth_basic_user_file on every connection?

RA
Hi.

How does NGINX process auth_basic_user_file?

1) Does it read it in entirety on every connection?

2) Does it read it line by line on every connection and stops when a match is found?

3) Does it read it full on start and re-reads it only if the file is changed?

If its either 1 or 2, then is it not very inefficient to read a file on just every connection? If the file has fairly large number of entries (5-10mb), will it not affect the performance of web server in general? There should be some "indexed" approach to this.

Thanks.
_______________________________________________
nginx mailing list
[hidden email]
http://mailman.nginx.org/mailman/listinfo/nginx
Reply | Threaded
Open this post in threaded view
|

Re: Does NGINX read auth_basic_user_file on every connection?

Maxim Dounin
Hello!

On Thu, Sep 03, 2020 at 10:55:27AM +0530, RA wrote:

> How does NGINX process auth_basic_user_file?
>
> 1) Does it read it in entirety on every connection?

No.

> 2) Does it read it line by line on every connection and stops
> when a match is found?

No, though what nginx does is somewhat close.  It reads the user
file by using a fixed-size buffer, and then scans the buffer
contents to find lines.  As long as the user is found, it stops.  
See the code for further details.

> 3) Does it read it full on start and re-reads it only if the
> file is changed?

No.

> If its either 1 or 2, then is it not very inefficient to read a
> file on just every connection? If the file has fairly large
> number of entries (5-10mb), will it not affect the performance
> of web server in general? There should be some "indexed"
> approach to this.

Reading the user file is not generally a problem, since it is
cached by OS.  Unwise choice of the password hashing algorithm
usually have much larger impact on basic authentication and the
performane of the web server in general, since basic
authentication implies checking the password on each request.

On the other hand, using user files with fairly large number of
entries might not be a good idea either.  If you want to deploy
authentication in setups with many thousands of users, you may
want to use different authentication mechanism.  In particular,
you may plug your own, written in your favorite language, by using
the auth_request directive, see here for details:

http://nginx.org/en/docs/http/ngx_http_auth_request_module.html

--
Maxim Dounin
http://mdounin.ru/
_______________________________________________
nginx mailing list
[hidden email]
http://mailman.nginx.org/mailman/listinfo/nginx