March 01, 2017 03:57AM
** Problem Background **
I have an application, say app-A, which is running on a private network unreachable by public network. Now a new requirement needs to deliver the webpages of app-A to external users over public network.

As a solution to expose app-A, I want to use NGINX as reverse proxy and will use two layers of authentication as explained below. Kindly advise if I am moving in the right direction in implementing the secure entry using NGINX.

Reference Images attached at the end of email.

** Authentication Level 1 ** NGINX Auth Service
As a solution to expose app-A, I want to use NGINX as reverse proxy and API gateway for External users to access the application in internal network. Once NGINX authenticates the request it will forward to app-A.

** Authentication Level 2 ** App-A performs Authentication
After receiving request from nginx, app-A will perform its own authentication, ignoring that the request came pre-authenticated from NGINX. app-A will perform the authentication as app-A is to be kept unaware of the new NGINX reverse proxy and app-A will continue to work as is.

** Problem Situation **
NGINX Authentication service authenticates the request and sets a session-id in response so that it can identify the next request coming from the same client. As app-A also authenticates the request and puts the session-id in response, the problem here is that one session-id will get overridden by the other.

Questions/Options in consideration :

1. (Image-ref-1) Is there any way that I can configure NGINX to keep both the session-ids separate in the request so that Auth service and app-A can recognise their own session information for the authenticated client?

2. (image-Ref-2) If both the session info cannot be saved, then can we configure NGINX to store session-id response of app-A and auth service both in its memory and only send the session-id of auth service back to client. And when the request comes back with Auth Service's session-id, NGINX should correlate the session of App-A and forward App-A's session to app-A. This way the request would get authenticated at both layers.

3. Which solution can be performed from the above 2 ?

4. Is it a good approach to have 2 layers of authentication when NGINX's API gateway is used? If not, then what configuration is required in app-A to not perform authentication for the requests coming from NGINX? Application environment: Java Spring.

** Links to Images **
Image-Ref-1 : http://i64.tinypic.com/27zbthj.gif
Image-Ref-2 : http://i63.tinypic.com/35a2lbp.png
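
The correlation described in option 2, as an added example that is not part of the original post: a Python model of the proxy-side logic, not NGINX configuration. The class name, the method names and the shared cookie name `session-id` are assumptions made for illustration.

```python
import secrets
from http.cookies import SimpleCookie

COOKIE = "session-id"  # assumed: both layers use this same cookie name


class CorrelatingProxy:
    """Model of option 2: the client only ever holds the auth-service session id."""

    def __init__(self):
        self._upstream = {}  # auth-service session id -> app-A session id

    def login(self):
        """Auth service accepted the client; issue the only id the client will see."""
        sid = secrets.token_urlsafe(32)
        self._upstream[sid] = None  # app-A has not issued its session yet
        return sid

    def request_headers(self, client_cookie_header):
        """Build the Cookie header forwarded to app-A, or None to reject."""
        jar = SimpleCookie(client_cookie_header or "")
        sid = jar[COOKIE].value if COOKIE in jar else None
        if sid not in self._upstream:
            return None  # unknown or expired auth session: do not forward
        app_sid = self._upstream[sid]
        # The client-supplied value is never passed through, only the stored one.
        return {"Cookie": f"{COOKIE}={app_sid}"} if app_sid else {}

    def response_headers(self, sid, upstream_headers):
        """Capture app-A's Set-Cookie and keep it out of the client response."""
        out = []
        for name, value in upstream_headers:
            if name.lower() == "set-cookie":
                jar = SimpleCookie(value)
                if COOKIE in jar:
                    self._upstream[sid] = jar[COOKIE].value
                    continue  # strip it: it would overwrite the auth-service cookie
            out.append((name, value))
        return out

    def logout(self, sid):
        """Drop the mapping so app-A's session can no longer be reached."""
        self._upstream.pop(sid, None)
```

The mapping lives in one process's memory here, so a restart or a second proxy instance loses it; a shared store with expiry matching both session lifetimes would be needed for that.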
Subject Author Posted

NGINX - Reverse Proxy With Authentication at 2 Layers

zaidahmd March 01, 2017 03:57AM

Re: NGINX - Reverse Proxy With Authentication at 2 Layers

Aleksandar Lazic March 02, 2017 05:38PM


