Performance issues and user always unauthenticated

[p-fruck]

Hey,

I have recently set up this module with a local OIDC server for testing purposes and so far it is working just fine. I am protecting an application consisting of an SPA and an API the SPA calls into. All of those services are deployed as Docker containers. Only the port of the Apache server that includes this module is exposed, proxying to the SPA and API routes happens inside the local docker network. However, the application feels pretty sluggish when I deploy it to a remote environment with lower end hardware and slow network connectivity. Using this module increases the loading time by multiple times so I started to investigate what it is actually happening inside the module. After turning on the debug logs, I found that this message is logged on every request, even though I have authenticated before:

[Fri Sep 09 07:21:11.768925 2022] [authz_core:debug] [pid 286:tid 140279663290112] mod_authz_core.c(815): [client 10.89.1.10:55904] AH01626: authorization result of Require valid-user : denied (no authenticated user yet)
[Fri Sep 09 07:21:11.768942 2022] [authz_core:debug] [pid 286:tid 140279663290112] mod_authz_core.c(815): [client 10.89.1.10:55904] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)

While this message keeps showing up on each request the page is loading fine as I am using a valid cookie.

I am only using the Apache Cookie to call from the SPA into protected SPA routes as described in this wiki page.

My module config looks like this:

<Location />
    Require valid-user
    AuthType openid-connect
</Location>

LoadModule proxy_module       modules/mod_proxy.so
LoadModule proxy_http_module  modules/mod_proxy_http.so
LoadModule proxy_http2_module modules/mod_proxy_http2.so

ProxyPassMatch   "^/api/(.*)$"    http://backend/    nocanon
ProxyPassReverse "/api/"          http://backend/

# Websocket proxy for frontend
LoadModule proxy_wstunnel_module modules/mod_proxy_wstunnel.so
ProxyPass        /    ws://frontend/
ProxyPassReverse /    ws://frontend/

ProxyPass        /    http://frontend/    nocanon
ProxyPassReverse /    http://frontend/

If I set the protected location to something like /this-route-does-not-exist the performance issues are gone, so the issue should not be the Apache server itself.

Thank you for any help provided in advance
Philipp

[zandbelt]

to me it suggests that the delay is caused in the backend that is proxied to; the log messages that you refer to are harmless debug messages

[p-fruck]

So those messages are expected? As I've mentioned the issue does not seem to be the backend as the delay is not noticeable anymore when I set the protected location so some unused sublocation. Therefore I am fairly certain that the delay originates inside this module. Do you have any hints on how to further investigate this problem?