Overview

**DEPRECATED**:  Do not use this code or patch for Shibboleth.  See https://github.com/nginx-shib/nginx-http-shibboleth for how to do things now.


Auth request module for nginx.

This module allows authorization based on a subrequest result.  If the
subrequest returns a 2xx status, access is allowed; on 401 or 403,
access is denied with an appropriate status.

For 401 statuses, the WWW-Authenticate header from the subrequest response
will be passed to the client.

All other subrequest response statuses are considered to be an error, unless
the `authorizer=on` flag is supplied, in which case the module will
return the subrequest's response status and headers. This mostly follows
the FastCGI Authorizer specification, with the exception of the processing
of the request and response bodies.  Further information follows below.

The module works at the access phase and therefore may be combined nicely with
other access modules (access, auth_basic) via the satisfy directive.

Configuration directives:

    auth_request <uri>|off [flags]

        Context: http, server, location
        Default: off

        Switches the auth request module on and sets the URI which will be
        asked for authorization.

        Flags may be configured to modify the behaviour of the module as
        follows:
        
         * authorizer=on - Configures the auth request module to explicitly
           return the status, headers, and content of the response resulting
           from the sub-request to the configured uri.
 
           This option allows a uri to conform to the FastCGI Authorizer
           specification; see http://www.fastcgi.com/drupal/node/22#S6.3.
           The one (potentially significant) caveat is that, due to the way
           Nginx currently handles subrequests (which is what an Authorizer
           effectively requires), the request body will *not* be
           forwarded to the authorizer, and similarly, the response body from
           the authorizer will *not* be returned to the client.

           Configured URIs are not restricted to using a FastCGI backend
           to generate a response, however.  This may be useful during
           testing or otherwise, as you can use Nginx's built-in `return`
           and `rewrite` directives to produce a suitable response.

    auth_request_set <variable> <value>

        Context: http, server, location
        Default: none

        Sets a request variable to the given value after the auth request
        completes.  The value may contain variables from the auth request,
        e.g. $upstream_http_*.

Usage:

    location /private/ {
        auth_request /auth;
        auth_request_set $my_variable $upstream_http_subrequest_uri;
        ...
    }

    location = /auth {
        proxy_pass ...
        proxy_pass_request_body off;
        proxy_set_header Content-Length "";
        proxy_set_header X-Original-URI $request_uri;
        add_header Subrequest-URI $request_uri;
    }

Note: it is not currently possible to use proxy_cache/proxy_store (and
fastcgi_cache/fastcgi_store) for requests initiated by the auth request
module.

To compile nginx with the auth request module, pass the "--add-module <path>"
option to nginx configure.
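
The difference between the default mode and authorizer=on, shown with a test authorizer built from `return`. This is an added example, not part of the module's own documentation. It assumes the flag is written after the URI as in the directive synopsis above; the port, paths, X-Test-Token header and its value are constructed for illustration.

```nginx
server {
    listen 8080;

    # Default mode: only 2xx, 401 and 403 from /auth are meaningful.
    # The stub's 302 is none of these, so the module treats it as an error
    # and the client never sees the redirect.
    location /plain/ {
        auth_request /auth;
    }

    # Authorizer mode: the 302 status and its Location header from /auth
    # are returned to the client. The response body of /auth is not.
    location /authorizer/ {
        auth_request /auth authorizer=on;
    }

    # Do not stub the protected locations above with "return": rewrite-phase
    # directives run before the access phase, so the auth subrequest would
    # never be issued and the content would be served unchecked.

    # Test authorizer, no FastCGI backend needed. Request headers of the
    # original request are visible here; the request body is not forwarded.
    location = /auth {
        # Clients cannot request /auth directly; subrequests still reach it.
        internal;

        # Constructed check: header name and value are placeholders.
        if ($http_x_test_token = "constructed-test-value") {
            return 204;    # any 2xx allows access
        }
        return 302 /login;
    }

    location = /login {
        return 200 "login page placeholder\n";
    }
}
```
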

Development of this module was sponsored by Openstat (http://www.openstat.com/).