[Feature request] Support NGINX's `auth_request` directly in Unit

Open lolgab opened this issue 2 years ago • 5 comments

Can Unit support something like NGINX's auth_request without the need of running Unit behind a NGINX reverse proxy? Thank you!

lolgab avatar May 22 '22 14:05 lolgab

Hi @lolgab. At the moment, there is no native implementation of auth_request, but a little Python helper app would do the trick. Is that an option? If so, we could use this thread to discuss the options you have.

tippexs avatar May 23 '22 06:05 tippexs

@tippexs Yes, that may also work. I will try this route and let's see how it goes :)

lolgab avatar May 23 '22 10:05 lolgab

I don't know if this is doable or even meaningful, but a mechanism to delegate the handling to a different application (listening on a different port) could make it faster to implement such a use case. In the specific case of auth_request, you get a request, then you call the endpoint that contains the auth_request validation, and then, if the validation endpoint returned a 200, you redirect the request to another application running on another port. This means that the request is sent via HTTP, serialized, and then sent to Unit itself, which parses it again and sends it to the target application. You could avoid one serialization and one deserialization if Unit could "redirect" the request directly to another application. This idea, while it would allow a nice optimization, would also increase the API surface for Unit, which might not be so desirable. An auth_request implementation in NGINX Unit itself could make sense in the future.

lolgab avatar May 24 '22 14:05 lolgab
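The flow described in the comment above, sketched as a WSGI wrapper of the kind Unit's Python module can run. This is an added example, not code from the thread or from the Unit project. It assumes the protected application is a WSGI callable in the same process and that the validator listens at the placeholder `AUTH_URL`. The status mapping follows NGINX's `auth_request` semantics (2xx allows, 401/403 are passed through, anything else is an error) and fails closed when the validator is unreachable.

```python
import urllib.error
import urllib.request

AUTH_URL = "http://127.0.0.1:9090/validate"  # assumption: placeholder validator endpoint
CREDENTIAL_KEYS = ("HTTP_COOKIE", "HTTP_AUTHORIZATION")  # only these reach the validator
REASONS = {401: "Unauthorized", 403: "Forbidden", 500: "Internal Server Error"}


def http_check(environ, url=AUTH_URL, timeout=2.0):
    """Send a body-less GET subrequest to the validator; return its status code."""
    headers = {k[5:].title(): environ[k] for k in CREDENTIAL_KEYS if k in environ}
    req = urllib.request.Request(url, headers=headers, method="GET")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as exc:  # 4xx/5xx from the validator
        return exc.code
    except OSError:  # refused, unreachable or timed out
        return 0


def decide(status):
    """Return None to allow, otherwise the status code to answer with."""
    if 200 <= status < 300:
        return None
    if status in (401, 403):
        return status
    return 500  # redirects, 5xx and transport failures all fail closed


def auth_gate(app, check=http_check):
    """Wrap a WSGI app so that every request is validated before it runs."""
    def gated(environ, start_response):
        denied = decide(check(environ))
        if denied is None:
            return app(environ, start_response)
        body = REASONS[denied].encode()
        start_response(f"{denied} {REASONS[denied]}",
                       [("Content-Type", "text/plain"),
                        ("Content-Length", str(len(body)))])
        return [body]
    return gated
```

The `check` parameter exists so the decision logic can be tested without a live validator; in deployment the default `http_check` is used.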

Thanks for sharing your idea. The simplest idea would be an implementation with cookies and the use of our routing matches. Another, more powerful implementation could be made by the use of njs. We have a beta version available using NJS on Unit. We could try to make it work with njs on Unit. What's the best use case? APIs, or a real website in which we can add cookies, for example?

tippexs avatar May 27 '22 07:05 tippexs

Sorry, I forgot to mention my specific use case! I want to delegate authentication to vouch-proxy, a microservice that handles authentication using the NGINX auth_request protocol. It is nice since you can centralize the authentication for multiple applications running in the same Unit. I haven't tried it yet, but since it is written in Go, it might run in Unit as well.

lolgab avatar May 27 '22 08:05 lolgab