NGINX doesn't redirect on auth_request 302

Question

I have a NGINX reverse proxy also serving static content on / with following config

    location / {
        auth_request /authn;
        proxy_intercept_errors on;
        recursive_error_pages on;
        error_page 301 302 303 307 308 = @handle_redirect;
        gzip_static on;
        index   index.html;
        root /usr/share/nginx/html;
        try_files $uri $uri/ @index;
    }

    location /authn {

        set $target http://gateway:8030/authn;
        proxy_pass http://gateway:8030/authn;
        proxy_pass_request_body off;
        proxy_set_header Content-Length "";
        proxy_set_header X-Original-URI $request_uri;
        proxy_pass_request_headers on;
        proxy_intercept_errors on;
        recursive_error_pages on;
        error_page 301 302 303 307 308 @handle_redirect;
    }

    location @handle_redirect {
            proxy_set_header Host $host:$server_port;
            set $redirect_url $upstream_http_location;
            proxy_pass $redirect_url;
        }

The goal is to check the user in authenticated by subrequest to /authn endpoint, which will return 302 and Location header if user is not. But client gets 500 from NGINX with error log like

auth request unexpected status: 500 while sending to client

I also have a /root endpoint which poxy-passes directly to /authn gateway which correctly redirects to login page and authenticates client. I've tried instead of handling redirects in subrequests proxy-pass requests to this endpoint with setting

    location /root {
            set $target http://top-gateway:8030/authn;
            proxy_pass http://top-gateway:8030/authn;
        }

    location /authn {
        ...
        error_page 301 302 303 307 308 /root;

But in this case I get 500 and

auth request unexpected status: 302 while sending to client

in NGINX error.log

Why NGINX doesn't handle redirects correctly with this settings and how to correctly solve this?

Answer 1

Perhaps this is useful for you in order to know why it fails, maybe I am late but I found this thread finding to do something similar.

https://nginx-devel.nginx.narkive.com/0cH1MZv7/patch-allow-http-auth-request-module-to-forward-302-responses

The link shows a conversation between an Nginx developer and a user that was motivated to write a patch. It seems Nginx only support 2xx and 4xx codes for auth_request. But you could do something like this if you control the application as shown in that link.

location / {
  auth_request /auth;
  auth_request_set $auth_redirect $upstream_http_location;
  error_page 401 = /auth_redirect;
}

location /auth {
  proxy_pass http://auth_backend;
  ...
}

location /auth_redirect {
  return 302 $auth_redirect;
}

Also, It was useful for me to read this (not the same, but a clue to some ideas):

How do I make web service calls within nginx?

This link shows a simple introduction (that you could find it in the documentation) about auth_request_set.

auth_request_set $x_upstreamhost $upstream_http_x_upstreamhost;

Also, here is a deep level of the code implementation of auth_request.

https://www.nginx.com/resources/wiki/extending/examples/auth_request/

This link shows a Code Breakdown of the implementation of auth_request. I can not include that here.

Cheers,