Hello!

On Tue, Oct 11, 2022 at 01:04:36PM +0200, Anders Nicolaisen via nginx-devel wrote:

> I have tried your suggestion, but it seems to not quite fit my use case.
>
> Does your suggestion not eliminate the authentication server entirely
> for any upstream servers?
>
> My preferred use case would be to have auth_request intercept all calls,
> and only relay the accepted ones.
>
> Something like this:
> ------------
> server {
>     auth_request /auth;
>
>     location /v1/endpoint {
>         proxy_pass http://localhost:7777/v1;
>     }
>
>     location /v2/endpoint {
>         proxy_pass http://localhost:6666/v2;
>     }
>
>     location = /auth {
>         internal;
>         proxy_pass http://localhost:8888/authentication;
>         [..]
>     }
> }
> -----------
>
> With the authentication server responding with X-Accel-Redirect, it still gets
> interpreted by auth_request and 429 can never be sent directly to the user.

The X-Accel-Redirect approach replaces auth_request entirely.
Instead, you pass all requests to the upstream server, and this
upstream server decides whether to return an error to the user, or
to X-Accel-Redirect the request to an internal location which
returns the actual response.

E.g.,

    server {
        listen 8080;

        location / {
            proxy_pass http://127.0.0.1:8081;
        }

        location @protected {
            proxy_pass ...;
        }
    }

    server {
        listen 8081;

        # an example X-Accel-Redirect server
        # which rejects requests with 'foo' argument set to a true
        # value

        if ($arg_foo) {
            return 429;
        }

        add_header X-Accel-Redirect @protected;
        return 204;
    }

Hope this helps.

-- 
Maxim Dounin
http://mdounin.ru/
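
As an added example (not part of the original message and not nginx project code), here is a minimal Python backend that could take the place of the port 8081 server in the configuration above: it answers 401 or 429 itself, and otherwise returns X-Accel-Redirect to @protected. The tokens, the limit values and the `decide` helper are assumptions made for illustration.

```python
import math
import time
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed sample values; every name here is an assumption for illustration.
VALID_TOKENS = {"Bearer demo-token-1", "Bearer demo-token-2"}
LIMIT, WINDOW = 3, 60.0      # accepted requests per token per WINDOW seconds
_hits = {}                   # token -> timestamps of recently accepted requests


def decide(authorization, now):
    """Return (status, headers) for one request proxied from the front server."""
    if authorization not in VALID_TOKENS:
        return 401, {"WWW-Authenticate": "Bearer"}
    # Keep only the accepted requests that still fall inside the window.
    recent = [t for t in _hits.get(authorization, []) if now - t < WINDOW]
    _hits[authorization] = recent
    if len(recent) >= LIMIT:
        # Sent to the client as-is: nothing reinterprets this status.
        wait = math.ceil(WINDOW - (now - recent[0]))
        return 429, {"Retry-After": str(wait)}
    recent.append(now)
    # nginx consumes this header and serves the request from @protected.
    return 204, {"X-Accel-Redirect": "@protected"}


class Handler(BaseHTTPRequestHandler):
    def _reply(self):
        status, headers = decide(self.headers.get("Authorization"), time.monotonic())
        self.send_response(status)
        for name, value in headers.items():
            self.send_header(name, value)
        self.send_header("Content-Length", "0")
        self.end_headers()

    do_GET = do_POST = do_PUT = do_DELETE = _reply


if __name__ == "__main__":
    # Loopback only: this backend is meant to be reached through nginx.
    HTTPServer(("127.0.0.1", 8081), Handler).serve_forever()
```

The server that `@protected` proxies to should accept connections only from nginx, since a client that can reach it directly never passes through this check.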