Get it, thanks for your explanation.
I faced it by the following usage of lua, and I think it's resonable for
developers.
location /test {
content_by_lua_block {
local res = ngx.location.capture("/other"); -- post subrequest
}
}
location /other {
access_by_lua_block {
...
}
}
It's ok for us to replace it with rewrite.
Anyway, do you still think it's better to restrict subrequests in access
phase handler?
On Mon, Dec 24, 2018 at 10:06 PM Maxim Dounin <mdou...@mdounin.ru> wrote:
> Hello!
>
> On Mon, Dec 24, 2018 at 03:38:00AM +0800, 洪志道 wrote:
>
> > Hi.
> >
> > I'm wondering the reason of ignoring subrequests in access phase hander.
> > Can anyone explain it to me?
> >
> > 1069 ngx_int_t
> > 1070 ngx_http_core_access_phase(ngx_http_request_t *r,
> > ngx_http_phase_handler_t *ph)
> > 1071 {
> > 1072 ngx_int_t rc;
> > 1073 ngx_http_core_loc_conf_t *clcf;
> > 1074
> > 1075 if (r != r->main) {
> > 1076 r->phase_handler = ph->next;
> > 1077 return NGX_AGAIN;
> > 1078 }
> > 1079
>
> Access checks are expected to apply to the main request, but make
> little to no sense for subrequests. E.g., if you are using
> IP-based restrictions or Basic HTTP authentication, both are
> exactly identical for the main request and subrequests. As such,
> it is enough to do the checks for the main request only, and this
> is what nginx does.
>
> Note that it implies that access restrictions configured for the
> main requests are expected to be enough for all subrequests it can
> initiate.
>
> --
> Maxim Dounin
> http://mdounin.ru/
> _______________________________________________
> nginx-devel mailing list
> nginx-devel@nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx-devel
_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-devel
