js_content + auth_request + proxy_pass = timeout #12

Closed
drsm opened this issue May 7, 2018 · 5 comments

drsm commented May 7, 2018

```
$ cat recaptcha.js
function recaptcha(req, res) {
  res.return(204);
}
```

```
$ cat recaptcha.conf
js_include conf.d/recaptcha.js;

server {
    listen 2121;
    server_name localhost;

    error_log  /var/log/nginx/recaptcha.error.log debug;
    access_log  /var/log/nginx/recaptcha.access.log main;

    location = /recaptcha {
        js_content recaptcha;
        #return 204;
    }
}

server {
    listen 2323;
    server_name localhost;

    error_log  /var/log/nginx/recaptcha.error.log debug;
    access_log  /var/log/nginx/recaptcha.access.log main;

    location = /recaptcha {
        proxy_method GET;
        proxy_pass http://localhost:2121;
    }

    location = /test {
        auth_request /recaptcha;
        proxy_pass http://localhost:2424;
    }
}

server {
    listen 2424;
    server_name localhost;

    error_log  /var/log/nginx/recaptcha.error.log debug;
    access_log  /var/log/nginx/recaptcha.access.log main;

    location = /test {
        return 200 '{ "ok": true }';
    }
}
```

```
$ curl -v -X POST http://localhost:2323/test --data-raw '{"login":"login", "password":"password"}' && echo
Note: Unnecessary use of -X or --request, POST is already inferred.
*   Trying 127.0.0.1...
* Connected to localhost (127.0.0.1) port 2323 (#0)
> POST /test HTTP/1.1
> Host: localhost:2323
> User-Agent: curl/7.47.0
> Accept: */*
> Content-Length: 40
> Content-Type: application/x-www-form-urlencoded
>
* upload completely sent off: 40 out of 40 bytes
< HTTP/1.1 500 Internal Server Error
< Server: nginx/1.13.12
< Date: Mon, 07 May 2018 17:37:26 GMT
< Content-Type: text/html
< Content-Length: 194
< Connection: close
<
<html>
<head><title>500 Internal Server Error</title></head>
<body bgcolor="white">
<center><h1>500 Internal Server Error</h1></center>
<hr><center>nginx/1.13.12</center>
</body>
</html>
* Closing connection 0
```

```
$ tail -n 2 /var/log/nginx/recaptcha.error.log
2018/05/07 20:37:26 [error] 4155#4155: *8 upstream timed out (110: Connection timed out) while reading response header from upstream, client: 127.0.0.1, server: localhost, request: "POST /test HTTP/1.1", subrequest: "/recaptcha", upstream: "http://127.0.0.1:2121/recaptcha", host: "localhost:2323"
2018/05/07 20:37:26 [error] 4155#4155: *8 auth request unexpected status: 504 while sending to client, client: 127.0.0.1, server: localhost, request: "POST /test HTTP/1.1", host: "localhost:2323"
```


drsm commented May 7, 2018

it works with this change

```
location = /recaptcha {
    proxy_pass_request_body off;
    proxy_set_header Content-Length "";
    proxy_pass http://localhost:2121;
}
```

but what if I need a request body...


xeioex commented May 7, 2018

Hi @drsm, unfortunately the timeout issue is not related to njs at all. It is the way the auth_request module is written.

Talking about njs in the access phase: we are planning to add an njs HTTP access phase handler in the near future (similar to js_access in the stream module: http://nginx.org/ru/docs/stream/ngx_stream_js_module.html#js_access).


drsm commented May 7, 2018

Hi, @xeioex, thank you for the answer! I've just found an explanation in the docs:
https://docs.nginx.com/nginx/admin-guide/security-controls/configuring-subrequest-authentication/

> As the request body is discarded for authentication subrequests, you will need to set the proxy_pass_request_body directive to off and also set the Content-Length header to a null string:

I think it is good to note this also here: https://nginx.org/en/docs/http/ngx_http_auth_request_module.html
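
A configuration check for the pitfall in the docs quote above, as an added example that is not part of this thread or of the njs project: it parses an nginx configuration and reports each `auth_request` whose target location proxies upstream without `proxy_pass_request_body off` and an empty `Content-Length`, the combination that timed out here. The names `SAMPLE`, `parse`, `blocks` and `audit` and the port 2525 server are hypothetical. The check assumes the `auth_request` URI names a location literally, looks only at directives written inside the locations themselves, and does not follow `include`.

```python
import re
# Constructed sample: server 2323 mirrors the thread, 2525 adds the documented fix.
SAMPLE = '''
server { listen 2323;
    location = /recaptcha { proxy_method GET; proxy_pass http://localhost:2121; }
    location = /test { auth_request /recaptcha; proxy_pass http://localhost:2424; }
}
server { listen 2525;
    location = /recaptcha {
        proxy_pass_request_body off;  # the subrequest carries no body
        proxy_set_header Content-Length "";
        proxy_pass http://localhost:2121;
    }
    location = /test { auth_request /recaptcha; proxy_pass http://localhost:2424; }
}
'''
TOKEN = re.compile(r'''"[^"]*"|'[^']*'|#[^\n]*|[{};]|[^\s{};]+''')
NEED = {('proxy_pass_request_body', 'off'), ('proxy_set_header', 'content-length', '')}

def parse(tokens):
    """Turn a token iterator into nested (words, children) directives."""
    out, words = [], []
    for tok in tokens:
        if tok == '}':
            break
        if tok in (';', '{'):
            out.append((words, parse(tokens) if tok == '{' else None))
            words = []
        elif not tok.startswith('#'):  # comments are dropped
            words.append(tok.strip('"\''))
    return out

def blocks(tree, name):
    """Yield (words, children) for each block called `name`, at any depth."""
    for words, children in tree:
        if children is not None and words[:1] == [name]:
            yield words, children
        yield from blocks(children or [], name)

def audit(conf):
    """Yield (server_no, location, auth_uri) where the auth target lacks the fix."""
    tree = parse(iter(TOKEN.findall(conf)))
    for n, (_, server) in enumerate(blocks(tree, 'server'), 1):
        locs = {w[-1]: c for w, c in blocks(server, 'location')}
        for uri, body in locs.items():
            for auth in [w[1] for w, _ in body if w[:1] == ['auth_request'] and w[1:]]:
                target = {tuple(x.lower() for x in w) for w, _ in locs.get(auth, [])}
                if not NEED <= target and any(w[:1] == ('proxy_pass',) for w in target):
                    yield n, uri, auth
```

`list(audit(SAMPLE))` reports only the first server block; an auth target that answers locally (for example with `return 204`) is not flagged because nothing is proxied.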

@maniLonkar

@drsm Can you share the exact conf you used to get the response body with js_content?


drsm commented Jun 11, 2019

@maniLonkar

Please create an issue and explain your problem there in detail.
