CODEWITHSUNDEEP
dockernginxreverse-proxyauth-request
AFMeirelles
AFMeirelles

Reputation: 419

nginx auth_request fails with 'upstream timed out'

I'm writing a simple reverse proxy to exchange a JWT for an API while connecting to a VOD service (livepeer). Testing on my machine, using docker.

But the request always hangs. Here's the nginx.conf:

events {
}

http {
    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    access_log  /dev/stdout;
    error_log  /dev/stdout;

    server {

        listen 8080;

        server_name creators_proxy;

        location /api {
            auth_request /auth;
            proxy_set_header Authorization 'Bearer here_goes_the_key';
            proxy_pass https://livepeer.studio/api;
        }

        location = /auth {
            internal;
            proxy_pass here_goes_auth_url;
        }

        location = /auth2 {
            proxy_pass here_goes_auth_url;
        }
    }
}

and the dockerfile:

# Use the official NGINX image as a parent image
FROM nginx:latest

COPY nginx.conf /etc/nginx/nginx.conf

I build the container with docker run -d --name docker-nginx -p 8080:8080 -v ./nginx.conf:/etc/nginx/nginx.conf -d nginx_img

And call http://localhost:8080/api/asset/request-upload

The auth_url is from pipedream, to inspect the request going out. But the request never lands. I get:

upstream timed out (110: Connection timed out) while reading response header from upstream, client: 172.17.0.1, server: creators_proxy, request: "POST /api/asset/request-upload HTTP/1.1", subrequest: "/auth", upstream: "https://xx.xxx.xx.xx:443/auth", host: "localhost:8080"

What I've tried so far:

  1. curl'd the auth url from my machine (it works)
  2. curl'd the auth url from the docker instance (it works)
  3. Called location /auth2 to go directly to the auth_url (it works)
  4. Checked whether this nginx version has the auth_request module enabled (it has)
  5. Commented out the auth_requestin the /api location (doesn't hang)

Any ideas?

Upvotes: 3

Views: 336

Answers (1)

AFMeirelles
AFMeirelles

Reputation: 419

I was able to make it work by adding two directives to the /auth location:

location = /auth {
    internal;
    proxy_pass              http://auth-server;
    proxy_pass_request_body off;
    proxy_set_header        Content-Length "";
}

This comes from the docs where it's said that:

As the request body is discarded for authentication subrequests, you will need to set the proxy_pass_request_body directive to off and also set the Content-Length header to a null string

My mistake was to think the /auth location as being special because it was called from the auth_request module.

Upvotes: 4

Related Questions