Welcome! Log In Create A New Profile

Advanced

Re: NGINX - Reverse Proxy With Authentication at 2 Layers

Aleksandar Lazic
March 02, 2017 05:38PM
Hi.

Am 01-03-2017 09:57, schrieb zaidahmd:
> ** Problem Background **
> I have an application, say app-A, which is running on a private network
> unreachable by public network. Now a new requirement needs to deliver
> the
> webpages of app-A to external users over public network.
>
> As a solution to expose app-A, I want to use NGINX as reverse proxy and
> will
> use two layers of authentication as explained below. Kindly advise if i
> am
> moving in the right direction in implementing the secure entry using
> NGINX.
>
> Reference Images attached at the end of email.
>
> ** Authentication Level 1 ** NGINX Auth Service As a solution to
> expose
> app-A, I want to use NGINX as reverse proxy and API gateway for
> External
> users to access the application in internal network. Once NGINX
> authenticates the request it will forward to app-A.

For this you can use
http://nginx.org/en/docs/http/ngx_http_auth_request_module.html

> ** Authentication Level 2 ** App-A performs Authentication After
> receiving request from nginx, app-A will perform its own
> authentication,
> ignoring that the request came pre-authenticated from NGINX. app-A will
> perform the authentication as app-A is to be kept unaware of the new
> NGINX
> reverse proxy and app-A will continue to work as is.

For this you will use
http://nginx.org/en/docs/http/ngx_http_upstream_module.html

> ** Problem Situation **
> NGINX Authentication service authenticates the request and sets a
> session-id
> in response so that it can identify the next request coming from the
> same
> client. As app-A also authenticates the request and puts the session-id
> in
> response. The problem here is that one session-id will get overriden by
> the
> other.
>
> Questions/Options in consideration :
>
> 1. (Image-ref-1) Is there anyway that I can configure NGINX to keep
> both
> the session-ids seperate in the request so that Auth service and app-A
> can
> recognise there own session informations for authenticated client.

you an set the session id to another variable with.
http://nginx.org/en/docs/http/ngx_http_auth_request_module.html#auth_request_set

> 2. (image-Ref-2) If both the session info cannot be saved, then can
> we
> configure NGINX to store session-id response of app-A and auth service
> both
> in its memory and only send the session-id of auth service back to
> client.
> And when the request comes back with Auth Service's session-id, NGINX
> should
> correlate the session of App-A and forward App-A's session to app-A.
> This
> way the request would get authenticated at both layers.

I assume you can safe the session-id in memcache with.
http://nginx.org/en/docs/http/ngx_http_memcached_module.html

> 3. Which solution can be performed from the above 2 ?

I think both.
I would prefer the second one because this could save some request on
the auth service.

> 4. Is it good approach to have 2 layers of authentication when
> NGINX's
> API gateway is used? If not then what configuration is required in
> app-A to
> not perform authentication for the requests coming from NGINX?
> Application
> environment java spring.?

Due to the fact that you haven't told us which auth method the auth
service can offer I suggest to use openid connect to perform a kind of
SSO.

There is a http://nginx.org/en/docs/http/ngx_http_auth_jwt_module.html
which is part of the n+.

If you don't want to buy n+ you can use the modules which I have
mentioned above.

The best way would be to adopt the app-A to be able to handle both
situations.
A available session-id, in your case the one from nginx, and no
session-id.

> ** Links to Images **
> Image-Ref-1 : http://i64.tinypic.com/27zbthj.gif
> Image-Ref-2 : http://i63.tinypic.com/35a2lbp.png
>
> Posted at Nginx Forum:
> https://forum.nginx.org/read.php?2,272674,272674#msg-272674
>
> _______________________________________________
> nginx mailing list
> nginx@nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx
_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
Subject Author Posted

NGINX - Reverse Proxy With Authentication at 2 Layers

zaidahmd March 01, 2017 03:57AM

Re: NGINX - Reverse Proxy With Authentication at 2 Layers

Aleksandar Lazic March 02, 2017 05:38PM



Sorry, only registered users may post in this forum.

Click here to login

Online Users

Guests: 85
Record Number of Users: 6 on February 13, 2018
Record Number of Guests: 421 on December 02, 2018
Powered by nginx      Powered by FreeBSD      PHP Powered      Powered by MariaDB      ipv6 ready