mod_auth_request
Introduction
mod_auth_request supports sending request to the specified service for authentication.
Module Configuration
Description
conf/mod_auth_request/mod_auth_request.conf
| Config Item | Description |
|---|---|
| Basic.DataPath | String Path of rule configuration |
| Basic.AuthAddress | String Address of authentication service |
| Basic.AuthTimeout | Number Timeout for authentication |
| Log.OpenDebug | Boolean Whether enable debug log Default False |
Example
[Basic]
DataPath = mod_auth_request/auth_request_rule.data
AuthAddress = http://127.0.0.1
AuthTimeout = 100
[Log]
OpenDebug = false
Rule Configuration
Description
| Config Item | Description |
|---|---|
| Version | String Version of config file |
| Config | Object Request auth rules for each product |
| Config{k} | String Product name |
| Config{v} | Object A list of request auth rules |
| Config{v}[] | Object A request auth rule |
| Config{v}[].Cond | String Condition expression, See Condition |
| Config{v}[].Enable | Boolean Whether enable request auth rule |
Example
{
"Config": {
"example_product": [
{
"Cond": "req_path_in(\"/auth_request\", false)",
"Enable": true
}
]
},
Version": "20190101000000"
}
For example_product, for request to path /auth_request (e.g., www.example.com/auth_request), BFE will create a request and send it to http://127.0.0.1 for authentication.
Actions
| Action | Condition |
|---|---|
| Forbid | Response status code is 401 or 403 |
| Pass | Response status code is 200 or other |
Metrics
| Metric | Description |
|---|---|
| AUTH_REQUEST_CHECKED | Counter for checked request |
| AUTH_REQUEST_PASS | Counter for passed request |
| AUTH_REQUEST_FORBIDDEN | Counter for forbidden request |
| AUTH_REQUEST_UNAUTHORIZED | Counter for unauthorized request |
| AUTH_REQUEST_FAIL | Counter for failed request |
| AUTH_REQUEST_UNCERTAIN | Counter for uncertain request |
Illustration of how BFE create auth request
- Method: Request Method of HTTP Request created by BFE is GET
- Header: The request header created by the BFE is originated from the original request, but BFE makes following changes to the request:
- Delete following headers: Content-Length/Connection/Keep-Alive/Proxy-Authenticate/Proxy-Authorization/Te/Trailers/Transfer-Encoding/Upgrade
- Add following headers: X-Forwarded-Method(Original Request Method)、X-Forwarded-Uri(Original Request URI)
- Body: Body of HTTP Request created by BFE is null