auth_request with vhost conf files

classic Classic list List threaded Threaded
7 messages Options
Reply | Threaded
Open this post in threaded view
|

auth_request with vhost conf files

zakirenish
After a few false starts I've got auth_request passing parameters to php-fpm
and my firebird database is allowing control of access to files in the
storage filing system. Somewhat defeats the "This is cool because no php is
touched for static content" and I have had to produce a slimline version of
the access control but it works well with the dynamic pages.

Problem is this is all working on a single site http setup and when I move
the setup to the target vhost domain I'm struggling to get this working with
the https live site.

        location /storage/attachments/ {
                root   /srv/website/domain/;
                auth_request     /authin;
                auth_request_set $auth_status $upstream_status;
        }

        location = /authin {
                internal;
                set $query '';
                if ($request_uri ~*
"\/storage\/attachments\/([0-9]+)\/([0-9]+)\/([A-Za-z.]+).*") {
                        set $query $2;
                }
                proxy_pass /auth/auth.php?content_id=$query;
                proxy_pass_request_body off;
                proxy_set_header Content-Length "";
                proxy_set_header X-Original-URI $request_uri;
        }

is working fine on the http setup,

I've tried
resolver 8.8.8.8;
proxy_pass https://indiastudycircle.org/auth/auth.php?content_id=$query;

But I'm not sure if $query is being set at all ... on the simple setup I can
see errors and that helped me set it all up, but on the vhost setup while I
can create php errors on the logs there is nothing for the auth processing?
Where do I head next?

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,287570,287570#msg-287570

_______________________________________________
nginx mailing list
[hidden email]
http://mailman.nginx.org/mailman/listinfo/nginx
Reply | Threaded
Open this post in threaded view
|

Re: auth_request with vhost conf files

zakirenish
Working ... the live .conf file had an extra block controlling the image
caching which overrides the auth block ... easy when you know how ...

The question now is do I have the right setup for proxy_pass

do need the
resolver 8.8.8.8;
proxy_pass https://indiastudycircle.org/auth/auth.php?content_id=$query; 

but is there another way of getting it to use a local link to the vhost
defined server?

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,287570,287572#msg-287572

_______________________________________________
nginx mailing list
[hidden email]
http://mailman.nginx.org/mailman/listinfo/nginx
Reply | Threaded
Open this post in threaded view
|

Re: auth_request with vhost conf files

Francis Daly
On Mon, Apr 06, 2020 at 08:35:58PM -0400, lsces wrote:

Hi there,

> The question now is do I have the right setup for proxy_pass
>
> do need the
> resolver 8.8.8.8;
> proxy_pass https://indiastudycircle.org/auth/auth.php?content_id=$query; 
>
> but is there another way of getting it to use a local link to the vhost
> defined server?

I'm not quite sure where "the thing that handles the /auth/auth.php
request" is running. "proxy_pass" is for "something other than this
server{} block", so if this "local link" is effectively remote, then
proxy_pass is probably good to use.

If you control the IP address of the proxy_pass'ed server, you could
define an "upstream" of that name, with the suitable "server" address; or
you could use the IP address directly here, and then use "proxy_ssl_name"
and/or "proxy_set_header" and friends, to ensure validation work as
it should.

Good luck with it,

        f
--
Francis Daly        [hidden email]
_______________________________________________
nginx mailing list
[hidden email]
http://mailman.nginx.org/mailman/listinfo/nginx
Reply | Threaded
Open this post in threaded view
|

Re: auth_request with vhost conf files

zakirenish
Francis Daly Wrote:

> > do need the
> > resolver 8.8.8.8;
> > proxy_pass
> https://indiastudycircle.org/auth/auth.php?content_id=$query; 
> >
> > but is there another way of getting it to use a local link to the
> vhost
> > defined server?
>
> I'm not quite sure where "the thing that handles the /auth/auth.php
> request" is running. "proxy_pass" is for "something other than this
> server{} block", so if this "local link" is effectively remote, then
> proxy_pass is probably good to use.

This is where I am struggling a bit ;) and is probably the real question.
The web side is handled by nginx, and the dynamic stuff by php-fpm, so I
need 'auth' to run an instance of php-fpm ... or at least that is where I
think I am ... except of cause auth is processing requests that would not
normally use php at all. So perhaps all I need to do is simply run it like a
php file? proxy_pass was working on the local test setups ... but using
'localhost' while the vhost system does not have a single 'localhost' ... I
just need to use the right root.

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,287570,287583#msg-287583

_______________________________________________
nginx mailing list
[hidden email]
http://mailman.nginx.org/mailman/listinfo/nginx
Reply | Threaded
Open this post in threaded view
|

Re: auth_request with vhost conf files

Francis Daly
On Wed, Apr 08, 2020 at 05:12:59AM -0400, lsces wrote:
> Francis Daly Wrote:

Hi there,

> > I'm not quite sure where "the thing that handles the /auth/auth.php
> > request" is running. "proxy_pass" is for "something other than this
> > server{} block", so if this "local link" is effectively remote, then
> > proxy_pass is probably good to use.
>
> This is where I am struggling a bit ;) and is probably the real question.
> The web side is handled by nginx, and the dynamic stuff by php-fpm, so I
> need 'auth' to run an instance of php-fpm

I think you are wondering if you should "fastcgi_pass php-fpm-service"
instead of "proxy_pass this-wb-service", and I suspect the answer is
"yes".

In nginx, you fastcgi_pass to a service and set some fastcgi_param
values that your fastcgi server cares about. In the "common" case,
that is based on the incoming request details and suitable variables
are already populated.

In this case, that may or may not happen, so you may need to set things
like SCRIPT_FILENAME manually -- I have not tested to see what is needed.


> proxy_pass was working on the local test setups ... but using
> 'localhost' while the vhost system does not have a single 'localhost' ... I
> just need to use the right root.

I don't understand what you mean there. The config you showed previously
had no "localhost" that I could see.

Possibly it does not matter now.

        f
--
Francis Daly        [hidden email]
_______________________________________________
nginx mailing list
[hidden email]
http://mailman.nginx.org/mailman/listinfo/nginx
Reply | Threaded
Open this post in threaded view
|

Re: auth_request with vhost conf files

zakirenish
Thanks Francis ...

Your prods have pointed me in the right direction.  My initial problem was
not being able to include a parameter in the auth_request and that is where
the examples brought up the proxy_pass 'solution' ... of cause what I was
missing is that the request for the images are already independent requests,
so there is no problem simply calling php-fpm directly.

The 'localhost' question is a red herring as php-fpm simply uses the correct
root while my proxy_pass setup was using the 'default' localhost settings
... I'm getting my head around the various twists and turns but finding
examples that cross the various boundaries is difficult. I will run a crib
sheet once I've tidied up what I do have, but my less than optimal setup is
working on three sites currently.

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,287570,287602#msg-287602

_______________________________________________
nginx mailing list
[hidden email]
http://mailman.nginx.org/mailman/listinfo/nginx
Reply | Threaded
Open this post in threaded view
|

Re: auth_request with vhost conf files

Francis Daly
On Fri, Apr 10, 2020 at 05:55:40AM -0400, lsces wrote:

Hi there,

> Your prods have pointed me in the right direction.  My initial problem was
> not being able to include a parameter in the auth_request...

> ...setup is working on three sites currently.

Great that you got a solution that does what you need it to.

Cheers,

        f
--
Francis Daly        [hidden email]
_______________________________________________
nginx mailing list
[hidden email]
http://mailman.nginx.org/mailman/listinfo/nginx