Using Postgres Basic Auth in NGINX to add query result to Proxy HTTP Header

We are trying to use the ngx_postgres module to do basic authentication through NGINX. We want to retrieve a value from the query result-pair and add it to the HTTP Header, and then proxy this to another server.

We have succeeded in authenticating through postgres, but the issue has been passing the result pair onto the proxy. The code we are currently using is as follows:

    location = /test_auth {
            internal;

            postgres_escape $user $remote_user;
            postgres_escape $pass $remote_passwd;

            postgres_pass geo_database;

            postgres_query "select user_name,contract_id,access_token from schema_name.table_name where user_name=$user and password=md5($pass);";
            postgres_rewrite no_rows 401;
            more_set_headers -s 401 'WWW-Authenticate: Basic realm="Restricted"';
            postgres_output none;
            postgres_set $query_val 0 0 required;
    }

    location /test/ {
           auth_request /test_auth;

           proxy_pass      http://back_end_server/public-dev/;
           proxy_set_header test $query_val;
           proxy_redirect http://back_end_server/public-dev/ http://example_domain.com/;

    }

This is a subset of many different things we have tried. The issue in this example is that query_val appears to be destroyed within the subrequest. We are successfully able to retrieve the query result-pair when the postgres call is not in a subrequest, but this disables our authentication.

We also tried a simple query in the main location, and then proxying this data off to the other location, but it failed. The query result pair would be added to the header file correctly if we directed it to a local resource like an index.html file, but as soon as we attempted to add it to the HTTP header and send it to the proxy, it would no longer exist.

Any advice on this matter would be greatly appreciated.

[Update] I have spent all day reading about the modules I am using, and I really think it is an issue with the phase order of the modules. I have a feeling that the proxy rewrite is happening before the postgres authentication subrequest has actually returned a result. I will continue investigating. Any help is still appreciated.


The solution to this problem ended up being using the auth_request_set function to pull out the correct value during the proper NGINX phase. The following code is the working solution.

    location = /test_auth {
            internal;

            postgres_escape $user $remote_user;
            postgres_escape $pass $remote_passwd;

            postgres_pass geo_database;

            postgres_query "select user_name,contract_id,access_token from schema_name.table_name where user_name=$user and password=md5($pass);";
            postgres_rewrite no_rows 401;
            more_set_headers -s 401 'WWW-Authenticate: Basic realm="Restricted"';
            postgres_output none;
            # Row 0, column 0 of the result (user_name in this query)
            postgres_set $query_val 0 0 required;
    }

    location /test/ {
           auth_request /test_auth;
           # Evaluated after the auth subrequest completes: copies the
           # subrequest's $query_val into a variable of the main request
           auth_request_set $proper_query_val $query_val;

           proxy_pass      http://back_end_server/public-dev/;
           proxy_set_header test $proper_query_val;
           proxy_redirect http://back_end_server/public-dev/ http://example_domain.com/;

    }