I have a running Nginx auth proxy server whose default.conf.template file keeps growing.
I want to split it into multiple files, one per upstream service.
./templates/default.conf.template file:
# njs module exposing auth.introspectToken and auth.getToken (used by the internal
# introspection locations below); the module name "auth" is derived from the file name.
# The path is resolved relative to the nginx prefix / js_path — confirm where scripts/ is mounted.
js_import scripts/auth.js;
# Payment service backend; host (and optional port) comes from PAYMENT_SVC_HOST,
# presumably substituted at container start by the templates/ envsubst mechanism — confirm.
upstream payment {
server ${PAYMENT_SVC_HOST};
}
# Eligibility service backend; host (and optional port) comes from ELIGIBILITY_SVC_HOST,
# presumably substituted at container start by the templates/ envsubst mechanism — confirm.
upstream eligibility {
server ${ELIGIBILITY_SVC_HOST};
}
# Datasource service backend; host (and optional port) comes from DATASOURCE_SVC_HOST,
# presumably substituted at container start by the templates/ envsubst mechanism — confirm.
upstream datasource {
server ${DATASOURCE_SVC_HOST};
}
# Computes the Access-Control-Allow-Origin value: the request's Origin is echoed back only
# when it matches the ALLOWED_ORIGINS regex in full (anchored with ^ and $); otherwise the
# value is empty (nginx then omits the header — confirm). Together with
# Access-Control-Allow-Credentials "true" in the server block this regex is the entire CORS
# trust boundary, so treat its value as security-sensitive.
# NOTE(review): the template value is spliced into a regex, so "." and other metacharacters
# in it are interpreted — escape the dots in hostnames and parenthesise alternatives so the
# anchors apply to every listed origin, not just the first/last one.
map $http_origin $allow_origin {
'~^${ALLOWED_ORIGINS}$' $http_origin;
default "";
}
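# Public entry point of the auth proxy. It listens on plain port 80 yet emits HSTS, which
# browsers only honour over HTTPS — presumably TLS is terminated in front of it; confirm.
server {
    listen 80;
    server_name localhost;

    # Response headers attached to every response, including the JSON 401/403/500 bodies
    # produced by the named locations below ("always").
    add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload" always;
    # Fix: the original emitted "Access-Control-Expose-Header" (singular) for Content-Disposition,
    # a header name browsers ignore, so only x-b3-traceid was actually exposed. One well-formed
    # list exposes both.
    add_header Access-Control-Expose-Headers "Content-Disposition, x-b3-traceid" always;
    # The allowed origin is reflected from the $allow_origin map, so the ALLOWED_ORIGINS regex
    # feeding that map is the whole CORS trust boundary once credentials are allowed.
    add_header Access-Control-Allow-Origin $allow_origin always;
    # NOTE(review): with Access-Control-Allow-Credentials "true", browsers treat '*' in
    # Allow-Methods / Allow-Headers literally rather than as a wildcard, so credentialed
    # preflights for non-safelisted methods or headers will fail. List the real methods and
    # headers explicitly — TODO confirm which ones the clients need.
    add_header Access-Control-Allow-Methods '*' always;
    add_header Access-Control-Allow-Headers '*' always;
    add_header Access-Control-Allow-Credentials 'true' always;
    # NOTE(review): add_header is inherited by a location only when that location defines no
    # add_header of its own; if cors.conf (included in the service locations, not shown here)
    # contains add_header lines, none of the server-level headers above are emitted there — confirm.

    # JSON error bodies instead of nginx's default HTML pages. A 401/403 from the auth_request
    # subrequest is returned to the client with that status and therefore lands here.
    error_page 401 = @handle_auth_401;
    error_page 403 = @handle_auth_403;
    error_page 500 = @handle_auth_500;

    # Unauthenticated liveness endpoint.
    location /__healthcheck {
        return 200;
    }

    # Per-service routes. Each one: CORS snippet, upstream error responses passed through
    # unchanged, request gated on the introspection subrequest, route prefix stripped,
    # trace id propagated. The five shared directives are repeated verbatim in all three
    # blocks and are the natural candidate for a single included snippet.
    location /payment {
        include cors.conf;
        proxy_intercept_errors off;
        default_type application/json;
        auth_request /_oauth2_token_introspection;
        # Unlike the two rewrites below this one requires a "/" after the prefix and adds no
        # version segment. A bare /payment (or /paymentX, which the prefix location also
        # matches) is not rewritten and is proxied with its URI unchanged — confirm intended.
        rewrite ^/payment(/.*)$ $1 break;
        proxy_pass http://payment;
        proxy_set_header x-b3-traceid $request_id;
    }

    location /eligibility {
        include cors.conf;
        proxy_intercept_errors off;
        default_type application/json;
        auth_request /_oauth2_token_introspection;
        # /eligibility/<rest> -> /api/v1/<rest> on the upstream.
        rewrite ^/eligibility/(.*)$ /api/v1/$1 break;
        proxy_pass http://eligibility;
        proxy_set_header x-b3-traceid $request_id;
    }

    location /datasource {
        include cors.conf;
        proxy_intercept_errors off;
        default_type application/json;
        auth_request /_oauth2_token_introspection;
        # /datasource/<rest> -> /v1/<rest> on the upstream.
        rewrite ^/datasource/(.*)$ /v1/$1 break;
        proxy_pass http://datasource;
        proxy_set_header x-b3-traceid $request_id;
    }

    # auth_request target: the njs handler decides the subrequest status from the
    # presented token (see scripts/auth.js, not shown here).
    location = /_oauth2_token_introspection {
        internal;
        js_content auth.introspectToken;
    }

    # Presumably reached by a subrequest from auth.introspectToken — confirm against auth.js.
    # POSTs the token to the OAuth2 introspection endpoint with the BFF client credentials and
    # caches the answer briefly so that not every proxied request costs an introspection round-trip.
    location /_oauth2_do_introspection {
        internal;
        js_set $auth_token auth.getToken;
        proxy_method POST;
        proxy_set_header Content-Type "application/x-www-form-urlencoded";
        proxy_set_body "client_id=${BFF_CLIENT_ID}&client_secret=${BFF_CLIENT_SECRET}&token=$auth_token";
        proxy_pass ${TOKEN_INTROSPECTION_URL};
        # "token_responses" must be declared with proxy_cache_path in the http context (not in this file).
        proxy_cache token_responses;
        # NOTE(review): the raw bearer token is the cache key, and nginx records the key in the
        # on-disk cache entry, so the cache directory holds live tokens for their TTL. Keep it on
        # tmpfs with restrictive permissions, or key on a digest of the token instead — confirm.
        proxy_cache_key $auth_token;
        proxy_cache_lock on;
        # Only 200 responses are cached, for 5 s. If the introspection endpoint reports an inactive
        # token as 200 with {"active":false}, that negative answer is cached for 5 s as well.
        proxy_cache_valid 200 5s;
        # The introspection server's own cache headers and cookies do not influence caching.
        proxy_ignore_headers Cache-Control Expires Set-Cookie;
    }

    # JSON error bodies. $time_iso8601 / $request_uri are nginx runtime variables, unlike the
    # ${...} placeholders above, which are filled in when the template is rendered.
    location @handle_auth_401 {
        default_type application/json;
        return 401 '{"timestamp":"$time_iso8601","status":401,"error":"Unauthorized","path":"$request_uri"}';
    }

    location @handle_auth_403 {
        default_type application/json;
        return 403 '{"timestamp":"$time_iso8601","status":403,"error":"Forbidden","path":"$request_uri"}';
    }

    location @handle_auth_500 {
        default_type application/json;
        return 500 '{"timestamp":"$time_iso8601","status":500,"error":"Internal Server Error","path":"$request_uri"}';
    }
}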
I tried moving the upstream and location blocks into separate files, but it doesn't work unless I also move everything related to token introspection into the same file, which means that code gets repeated.
What is the best way to do it?
Let me know if more details are required.