Puzzled by lua in an auth_request sub-request

replicnt6

I have a nginx/openresty-based proxy that uses the auth_request directive to authorize requests. If a request is not authorized, I use the error_page directive to specify a location block that will redirect the user to a login page.

I'm working on implementing the auth_request using lua for performance. I find that when the auth_request returns a 401, the error_page block gets invoke twice, once as part of the auth_request subrequest.

Here is a sample config that illustrates what I'm talking about. I've installed this config into the openresty docker container for testing.
`
server {
listen 80 default_server;
server_name _;

access_log  stderr;
error_log   stderr notice;

auth_request /_verify;

error_page 401 @auth_redirect;

location @auth_redirect2 {
    internal;
    auth_request off;

    proxy_pass http://localhost:8080;
}

location @auth_redirect {
    internal;
    auth_request off;
    set $nginx_phase '';

    content_by_lua_block {
        ngx.log(ngx.ERR, "--- auth_redirect Content phase ---")
        ngx.var.nginx_phase = "CONTENT"
    }
    rewrite_by_lua_block {
        ngx.log(ngx.ERR, "--- auth_redirect Rewrite phase ---")
        ngx.var.nginx_phase = "REWRITE"
    }
    access_by_lua_block {
        ngx.log(ngx.ERR, "--- auth_redirect Access phase ---")
        ngx.var.nginx_phase = "ACCESS"
    }
}


location = /_verify {
    internal;
    auth_request off;

    #return 401;
    content_by_lua_block {
      ngx.log(ngx.ERR, "--- _verify Content phase ---")
      ngx.exit(ngx.HTTP_UNAUTHORIZED)
    }
    rewrite_by_lua_block {
        ngx.log(ngx.ERR, "--- _verify Rewrite phase ---")
    }
    access_by_lua_block {
        ngx.log(ngx.ERR, "--- _verify Access phase ---")
    }
}

}

server {
listen 8080;
server_name _;

location = /_verify {
    content_by_lua_block {
        ngx.log(ngx.ERR, "--- _verify of localhost:8080. Why am I here!? ---")
    }
}
location = /_auth_redirect {
    return 302 https://www.cnn.com;
}

}
`
I have two locations blocks: @auth_redirect and @auth_redirect2. The first has lua code and the second does a proxy_pass to another port in another server block. If I use @auth_redirect2 it actually makes a _verify request to the 8080 server, which I don't think should ever happen, because the proxy_pass only appears in the @auth_redirect2 location block.

I'm clearly not understanding something about the model of either nginx's evaluation or the lua integration.

Any hints?

replicnt6

I neglected to include the logs produced by this example. Here they are:

*30 [lua] rewrite_by_lua(main.conf:50):2: --- _verify Rewrite phase ---, client: 172.17.0.1, server: _, request: "GET / HTTP/1.1", subrequest: "/_verify", host: "localhost"
*30 [lua] content_by_lua(main.conf:47):2: --- _verify Content phase ---, client: 172.17.0.1, server: _, request: "GET / HTTP/1.1", subrequest: "/_verify", host: "localhost"
*30 [lua] rewrite_by_lua(main.conf:31):2: --- auth_redirect Rewrite phase ---, client: 172.17.0.1, server: _, request: "GET / HTTP/1.1", subrequest: "/_verify", host: "localhost"
*30 [lua] content_by_lua(main.conf:27):2: --- auth_redirect Content phase ---, client: 172.17.0.1, server: _, request: "GET / HTTP/1.1", subrequest: "/_verify", host: "localhost"
*30 [lua] rewrite_by_lua(main.conf:31):2: --- auth_redirect Rewrite phase ---, client: 172.17.0.1, server: _, request: "GET / HTTP/1.1", host: "localhost"
*30 [lua] access_by_lua(main.conf:35):2: --- auth_redirect Access phase ---, client: 172.17.0.1, server: _, request: "GET / HTTP/1.1", host: "localhost"
*30 [lua] content_by_lua(main.conf:27):2: --- auth_redirect Content phase ---, client: 172.17.0.1, server: _, request: "GET / HTTP/1.1", host: "localhost"
*30 [lua] rewrite_by_lua(main.conf:50):2: --- _verify Rewrite phase ---, client: 172.17.0.1, server: _, request: "GET / HTTP/1.1", subrequest: "/_verify", host: "localhost"
*30 [lua] content_by_lua(main.conf:47):2: --- _verify Content phase ---, client: 172.17.0.1, server: _, request: "GET / HTTP/1.1", subrequest: "/_verify", host: "localhost"
*30 [lua] rewrite_by_lua(main.conf:31):2: --- auth_redirect Rewrite phase ---, client: 172.17.0.1, server: _, request: "GET / HTTP/1.1", subrequest: "/_verify", host: "localhost"
*30 [lua] content_by_lua(main.conf:27):2: --- auth_redirect Content phase ---, client: 172.17.0.1, server: _, request: "GET / HTTP/1.1", subrequest: "/_verify", host: "localhost"
*30 [lua] rewrite_by_lua(main.conf:31):2: --- auth_redirect Rewrite phase ---, client: 172.17.0.1, server: _, request: "GET / HTTP/1.1", host: "localhost"
*30 [lua] access_by_lua(main.conf:35):2: --- auth_redirect Access phase ---, client: 172.17.0.1, server: _, request: "GET / HTTP/1.1", host: "localhost"
*30 [lua] content_by_lua(main.conf:27):2: --- auth_redirect Content phase ---, client: 172.17.0.1, server: _, request: "GET / HTTP/1.1", host: "localhost"

I am, in particular, puzzled by auth_redirect being called first as part of the /_verify subrequest.