Hello,
I'm trying to use Nginx as a reverse proxy that authorizes users in a subrequest through an authorization server (as mentioned in https://docs.nginx.com/nginx/admin-guide/security-controls/configuring-subrequest-authentication/) and forward them to various protected servers.
I am looking for the best way to implement the forwarding to the various servers—my initial thoughts of going about it were
1. Add a new location block for each new server
A sample nginx conf file for (1) looks like this:-
location / {
    auth_request /auth;
    auth_request_set $auth_status $upstream_status;
    proxy_pass https://myprivateserver.com;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header Host $host;
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
}
location = /auth {
    internal;
    proxy_pass https://myauthorizationserver.com/test/auth;
    proxy_set_header X-Original-URI $request_uri;
}
I would like to avoid adding a new location block for each server I spin up since that would require updating the conf file and reloading nginx each time. So my initial thoughts of going about it were:-
2. Get the server address to redirect to from the authorization server.
My sample nginx conf file looks like this:-
location / {
    proxy_pass https://myauthorizationserver.com/test/auth;
    proxy_redirect default;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Original-URI $request_uri;
    proxy_set_header Host $host;
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
}
So when I tried to get my authorization server to return a redirect address, I would either have issues reading its response (using the auth_request directive) or get a plain Forbidden message (using proxy_pass straight to myauthorizationserver).
Is there a way I can get nginx to read the request body or headers from myauthorizationserver and perform a proxy_pass to them?
Thanks,
Ganesh
Edited 1 time(s). Last edit at 07/28/2020 01:20AM by ganesh272.
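
One way to do what the post asks, as an added example that is not part of the original post: the authorization server names the backend in a response header, `auth_request_set` copies it into a variable, and `proxy_pass` uses that variable only after a `map` has checked it against an allowed pattern, so a bad or tampered header cannot steer the proxy to an arbitrary host. The header name `X-Backend-Host`, the suffix `apps.internal.example`, the resolver address and the local 403 sink are assumptions.

```nginx
# Added example. X-Backend-Host, *.apps.internal.example, 10.0.0.2 and
# 127.0.0.1:8099 are assumed values, not taken from the original post.

# Accept only backend names under one internal suffix. Anything else,
# including a missing header, goes to a local sink that answers 403.
map $auth_backend $backend_url {
    default                                   http://127.0.0.1:8099;
    "~^[a-z0-9-]+\.apps\.internal\.example$"  https://$auth_backend;
}

server {
    listen 127.0.0.1:8099;
    return 403;
}

server {
    # listen, server_name and TLS settings as in the existing server block

    # A proxy_pass target held in a variable is resolved at request time,
    # so a resolver must be configured.
    resolver 10.0.0.2 valid=30s;

    location / {
        auth_request /auth;
        # After the subrequest returns 2xx, copy the backend named in the
        # authorization server's response header into a variable.
        auth_request_set $auth_backend $upstream_http_x_backend_host;

        # $backend_url is first evaluated here, after auth_request_set ran.
        proxy_pass $backend_url;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $host;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }

    location = /auth {
        internal;
        proxy_pass https://myauthorizationserver.com/test/auth;
        # The authorization server only needs the headers, not the body.
        proxy_pass_request_body off;
        proxy_set_header Content-Length "";
        proxy_set_header X-Original-URI $request_uri;
    }
}
```

New backends under the allowed suffix need no change to the conf file and no reload. Do not test `$backend_url` in an `if` inside `location /`: `if` runs in the rewrite phase, before the auth subrequest, and the map result would be cached from the still-empty variable.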