Welcome! Log In Create A New Profile

Advanced

Handling upstream response 401

Posted by Friscia, Michael 
Friscia, Michael
Handling upstream response 401
July 25, 2018 03:20PM
I have a problem that I thought I knew how to solve but must be just having a mind blank moment.

If the upstream server returns a 401 response I want to make sure Nginx serves the response. Right now it is serving the stale version. What happened is that the upstream page was public but then made secure, so it sends back the 401 redirect for browser login. Nginx is behaving properly in serving stale but I want to change how it works just for 401. We do serve stale for 404 because we don’t see a need to serve a fresh response every time for content that doesn’t exist.

An alternative is to force the upstream app to return 501 instead of 401 but my understanding is that there are technical issues at stake that force me to try to resolve in Nginx.

Any help would be appreciated, I just feel like it’s an obvious fix and I’m forgetting how.

___________________________________________
Michael Friscia
Office of Communications
Yale School of Medicine
(203) 737-7932 - office
(203) 931-5381 - mobile
http://web.yale.eduhttp://web.yale.edu/

_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
Maxim Dounin
Re: Handling upstream response 401
July 25, 2018 03:50PM
Hello!

On Wed, Jul 25, 2018 at 01:14:29PM +0000, Friscia, Michael wrote:

> If the upstream server returns a 401 response I want to make
> sure Nginx serves the response. Right now it is serving the
> stale version. What happened is that the upstream page was
> public but then made secure, so it sends back the 401 redirect
> for browser login. Nginx is behaving properly in serving stale
> but I want to change how it works just for 401. We do serve
> stale for 404 because we don’t see a need to serve a fresh
> response every time for content that doesn’t exist.

Are you sure you are seeng nginx returning a stale response on 401
from the upstream server?

With proxy_cache_use_stale you can configure nginx to return stale
responses on 500, 502, 503, 504, 403, 404, and 429 (see
http://nginx.org/r/proxy_cache_use_stale). It does not, however,
return stale responses on 401.

Either you've did something very strange in your configuration,
or you are trying to solve a problem which does not exist.

--
Maxim Dounin
http://mdounin.ru/
_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
Friscia, Michael
Re: Handling upstream response 401
July 25, 2018 04:00PM
I'm about 98% sure it is returning a 401 but I'm going to do some more research.

I don't think we did anything too dumb
proxy_cache_valid 200 301 302 404 3m;
proxy_cache_use_stale error timeout updating invalid_header http_500 http_502 http_503 http_504;

This is kind of what is confusing me but also makes me agree that I'm chasing a problem that is different than what I think. Our fix was to purge the pages and everything was fine. So I do know that the upstream response after the security change took place is causing Nginx to serve the previously public/cached version and it always says it served stale. I know that because I have a bunch of custom headers to help debug this type of situation.

___________________________________________
Michael Friscia
Office of Communications
Yale School of Medicine
(203) 737-7932 - office
(203) 931-5381 - mobile
http://web.yale.edu http://web.yale.edu/


On 7/25/18, 9:44 AM, "nginx on behalf of Maxim Dounin" <[email protected] on behalf of [email protected]> wrote:

Hello!

On Wed, Jul 25, 2018 at 01:14:29PM +0000, Friscia, Michael wrote:

> If the upstream server returns a 401 response I want to make
> sure Nginx serves the response. Right now it is serving the
> stale version. What happened is that the upstream page was
> public but then made secure, so it sends back the 401 redirect
> for browser login. Nginx is behaving properly in serving stale
> but I want to change how it works just for 401. We do serve
> stale for 404 because we don’t see a need to serve a fresh
> response every time for content that doesn’t exist.

Are you sure you are seeng nginx returning a stale response on 401
from the upstream server?

With proxy_cache_use_stale you can configure nginx to return stale
responses on 500, 502, 503, 504, 403, 404, and 429 (see
https://na01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fnginx.org%2Fr%2Fproxy_cache_use_stale&amp;data=02%7C01%7Cmichael.friscia%40yale.edu%7C68ae0d6a128c4c2bb84808d5f234c28e%7Cdd8cbebb21394df8b4114e3e87abeb5c%7C0%7C0%7C636681230777147527&amp;sdata=Kxl2x76bfhemxInzlnWC601J%2FwIoOTb8C1eYaVS3s%2FA%3D&amp;reserved=0). It does not, however,
return stale responses on 401.

Either you've did something very strange in your configuration,
or you are trying to solve a problem which does not exist.

--
Maxim Dounin
https://na01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fmdounin.ru%2F&amp;data=02%7C01%7Cmichael.friscia%40yale.edu%7C68ae0d6a128c4c2bb84808d5f234c28e%7Cdd8cbebb21394df8b4114e3e87abeb5c%7C0%7C0%7C636681230777147527&amp;sdata=GkWklGERT05XBbBapSY0h8awKUd6TVRQqnmMzWczKhk%3D&amp;reserved=0
_______________________________________________
nginx mailing list
nginx@nginx.org
https://na01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fmailman.nginx.org%2Fmailman%2Flistinfo%2Fnginx&amp;data=02%7C01%7Cmichael.friscia%40yale.edu%7C68ae0d6a128c4c2bb84808d5f234c28e%7Cdd8cbebb21394df8b4114e3e87abeb5c%7C0%7C0%7C636681230777147527&amp;sdata=p0MK9pgGrdc20wVxNxTXigE5DE%2FY%2B7tqFe2YKdXAjbQ%3D&amp;reserved=0

_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
Sorry, only registered users may post in this forum.

Click here to login