
I have a running Nginx auth proxy server with a growing default.conf.template file.

I want to split it into multiple files, one per upstream service.

./templates/default.conf.template file:

# Loads scripts/auth.js as the njs module "auth"; its functions are referenced
# below as auth.introspectToken (js_content) and auth.getToken (js_set).
js_import scripts/auth.js;
 
# Backend for /payment. ${PAYMENT_SVC_HOST} is a placeholder filled in when the
# .template file is rendered (presumably the nginx image's envsubst step -
# confirm), so nginx itself only ever sees a literal host[:port].
upstream payment {
    server ${PAYMENT_SVC_HOST};
}
 
# Backend for /eligibility. ${ELIGIBILITY_SVC_HOST} is a template placeholder
# substituted before nginx reads this file.
upstream eligibility {
    server ${ELIGIBILITY_SVC_HOST};
}
 
# Backend for /datasource. ${DATASOURCE_SVC_HOST} is a template placeholder
# substituted before nginx reads this file.
upstream datasource {
    server ${DATASOURCE_SVC_HOST};
}
 
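# Resolve the request's Origin header against the allow-list: an allowed Origin
# is reflected into $allow_origin, anything else yields "" (and the
# Access-Control-Allow-Origin header built from it is then not emitted).
map $http_origin $allow_origin {
  # ${ALLOWED_ORIGINS} is filled in when the template is rendered. It is wrapped
  # in a group so that an alternation such as "a|b" is anchored as a whole:
  # without the parentheses the pattern ^a|b$ accepts any Origin that merely
  # starts with "a" or ends with "b", which together with
  # Access-Control-Allow-Credentials 'true' would let an unintended origin read
  # credentialed responses. Regex metacharacters in the value (e.g. '.') still
  # need to be escaped by whoever sets the variable.
  '~^(${ALLOWED_ORIGINS})$' $http_origin;
  default "";
}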
 
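# Auth proxy: every /payment, /eligibility and /datasource request is gated by
# an OAuth2 token-introspection sub-request before being proxied upstream.
server {
    listen       80;
    server_name  localhost;

    # Response headers attached to every status code ("always").
    # NOTE(review): browsers only honour HSTS when it arrives over TLS; this
    # server listens on plain :80, so TLS is presumably terminated in front of
    # it - confirm.
    add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload" always;
    # Fixed: the original emitted a mis-spelled "Access-Control-Expose-Header"
    # (singular) for Content-Disposition, which browsers ignore, so that header
    # was never actually exposed. Both names now go out in one valid header.
    add_header Access-Control-Expose-Headers "Content-Disposition, x-b3-traceid" always;
    # $allow_origin comes from the map above: either the allow-listed Origin or
    # "", and nginx does not emit an add_header whose value is empty.
    add_header Access-Control-Allow-Origin $allow_origin always;
    # NOTE(review): with Allow-Credentials 'true', browsers treat '*' in
    # Allow-Methods / Allow-Headers as a literal value, not a wildcard, so
    # credentialed preflights for non-simple methods/headers fail unless the
    # real names are listed - confirm against the clients in use.
    add_header Access-Control-Allow-Methods '*' always;
    add_header Access-Control-Allow-Headers '*' always;
    add_header Access-Control-Allow-Credentials 'true' always;
    # NOTE(review): add_header is inherited by a location only if that location
    # declares no add_header of its own; if cors.conf (included below, not shown
    # here) contains add_header lines, none of the headers above are sent from
    # the service locations - verify.

    # Errors raised by nginx itself (auth_request 401/403, internal 500) are
    # rendered as JSON by the named locations at the end of this block.
    error_page 401 = @handle_auth_401;
    error_page 403 = @handle_auth_403;
    error_page 500 = @handle_auth_500;

    # Unauthenticated liveness probe.
    location /__healthcheck {
        return 200;
    }

    # Service locations share the same shape: CORS snippet, JSON default type,
    # token introspection via auth_request, prefix rewrite, proxy to upstream.
    # These are prefix matches, so e.g. /paymentfoo also lands in /payment; only
    # the rewrite below is strict about the "/payment/" segment.
    location /payment {
        include cors.conf;
        # Upstream 4xx/5xx bodies are passed through unchanged; error_page above
        # therefore only applies to errors nginx raises itself.
        proxy_intercept_errors off;
        default_type  application/json;
        auth_request  /_oauth2_token_introspection;
        # /payment/x -> /x on the upstream.
        rewrite ^/payment(/.*)$ $1 break;
        proxy_pass  http://payment;
        proxy_set_header x-b3-traceid $request_id;
    }

    location /eligibility {
        include cors.conf;
        proxy_intercept_errors off;
        default_type  application/json;
        auth_request /_oauth2_token_introspection;
        # /eligibility/x -> /api/v1/x on the upstream.
        rewrite ^/eligibility/(.*)$ /api/v1/$1 break;
        proxy_pass  http://eligibility;
        proxy_set_header x-b3-traceid $request_id;
    }

    location /datasource {
        include cors.conf;
        proxy_intercept_errors off;
        default_type  application/json;
        auth_request /_oauth2_token_introspection;
        # /datasource/x -> /v1/x on the upstream.
        rewrite ^/datasource/(.*)$ /v1/$1 break;
        proxy_pass  http://datasource;
        proxy_set_header x-b3-traceid $request_id;
    }

    # auth_request target: the njs handler decides 2xx / 401 / 403 for the
    # original request (the JavaScript side is not shown in this file).
    location = /_oauth2_token_introspection {
        internal;
        js_content auth.introspectToken;
    }

    # The actual call to the OAuth2 token-introspection endpoint.
    location /_oauth2_do_introspection {
        internal;
        # $auth_token is computed by auth.getToken when first referenced.
        js_set  $auth_token auth.getToken;
        proxy_method  POST;
        proxy_set_header  Content-Type  "application/x-www-form-urlencoded";
        # NOTE(review): the rendered config carries the client secret in clear;
        # keep the generated file readable by the nginx user only.
        proxy_set_body    "client_id=${BFF_CLIENT_ID}&client_secret=${BFF_CLIENT_SECRET}&token=$auth_token";
        proxy_pass        ${TOKEN_INTROSPECTION_URL};

        # Short-lived cache keyed on the token itself, so a given token hits the
        # introspection endpoint at most once per 5s (a revoked token is thus
        # still accepted for up to 5s). The token_responses zone has to be
        # declared with proxy_cache_path in the http context - not in this file.
        proxy_cache       token_responses;
        proxy_cache_key   $auth_token;
        # Collapse concurrent misses for the same token into one upstream call.
        proxy_cache_lock  on;
        proxy_cache_valid 200 5s;
        # Cache on our own terms regardless of what the IdP's headers say.
        proxy_ignore_headers  Cache-Control Expires Set-Cookie;
    }

    # JSON error bodies for nginx-raised errors.
    # NOTE(review): $request_uri is interpolated verbatim; a request path that
    # contains '"' or '\' produces malformed JSON in the body.
    location @handle_auth_401 {
        default_type  application/json;
        return 401 '{"timestamp":"$time_iso8601","status":401,"error":"Unauthorized","path":"$request_uri"}';
    }

    location @handle_auth_403 {
        default_type  application/json;
        return 403 '{"timestamp":"$time_iso8601","status":403,"error":"Forbidden","path":"$request_uri"}';
    }

    location @handle_auth_500 {
        default_type  application/json;
        return 500 '{"timestamp":"$time_iso8601","status":500,"error":"Internal Server Error","path":"$request_uri"}';
    }
}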

I tried moving the upstream and location blocks into separate files, but it doesn't work unless I also move everything related to token introspection into the same file, which means that code gets repeated.

What is the best way to do it?

Let me know if more details are required.

