I wanted to get an idea if anything like the following scenario was possible:
Nginx handles a request and routes it to some kind of authentication application where cookies and/or other kinds of security identifiers are interpreted and verified. The app perhaps makes a few additions to the request (appending authenticated headers). Failing authentication returns an HTTP 401.
Nginx then takes the request and routes it through an authorization application which determines, based upon identity and the HTTP verb (put, delete, get, etc.) and URL in question, whether the actor/agent/user has permission to performed the intended action. Perhaps the authorization application modifies the request somewhat by appending another header, for example. Failing authorization returns 403.
(Wash, rinse, repeat the proxy pattern for any number of services that want to participate in the request in some fashion.)
Finally, Nginx routes the request into the actual application code where the request is inspected and the requested operations are executed according to the URL in question and where the identity of the user can be captured and understood by the application by looking at the altered HTTP request.
Ideally, Nginx could do this natively or with a plugin. Any ideas?
The alternative that I've considered is having Nginx hand off the initial request to the authentication application and then have this application proxy the request back through to Nginx (whether on the same box or another box).
I know there are a number of applications frameworks (Django, RoR, etc.) that can do a lot of this stuff "in process", but I was trying to make things a little more generic and self contained where different applications could "hook" the HTTP pipeline of Nginx and then participate in, short circuit, and even modify the request accordingly.
If Nginx can't do this, is anyone aware of other web servers that will perform in the manner described above?
Best Answer
After doing a bunch more digging, Nginx definitely supports the ability to be extended to enable the above scenario, but there's nothing explicitly "out of the box" that can be utilized.
One of the most promising plugins that can enable this scenario with little to no code would be the Lua module to enable an HTTP subrequest in the request processing pipeline: http://wiki.nginx.org/HttpLuaModule
Another in the custom module written by the Russian OpenStats.com guys. This module may need to be customized somewhat with a little bit of C code: http://mdounin.ru/hg/ngx_http_auth_request_module/file/a29d74804ff1/README
Last is the possibility of writing a custom module not based upon the aforementioned ones but still hooking into subrequests directly: http://www.evanmiller.org/nginx-modules-guide.html