nginx AAI proxy
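# The first prototype uses nginx built with the http_auth_request and http_ssl modules.
# Download the nginx sources (https://nginx.org/en/download.html) and check the tarball against the
# PGP signature published alongside it before building. Then configure, build and install:
./configure --prefix=/home/marek/epos/nginx --with-http_auth_request_module --with-http_ssl_module
make
make install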
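# Now we can configure nginx ($NGINX_HOME/config/nginx.conf; a default build places the file at
# conf/nginx.conf under the install prefix):
http {
    ...
    # The protected API. It is addressed on loopback only. The authorization check below is
    # enforced solely by this proxy, so the API must not be reachable by any other route;
    # otherwise both the check and the x-server header can be bypassed.
    upstream api {
        server 127.0.0.1:8083;
    }

    server {
        # NOTE(review): this is a plain-HTTP listener, so the credentials the client sends for the
        # AAI check (presumably a bearer token) are unencrypted on this hop. That is acceptable on
        # localhost for a prototype; anything beyond that should listen with TLS (http_ssl is
        # already compiled in).
        listen 8082;
        server_name localhost;

        location / {
            # Every request first triggers a subrequest to /auth. A 2xx answer lets the request
            # through, 401/403 is returned to the client as-is, and any other answer is treated
            # as an error, so the request is not forwarded.
            auth_request /auth;

            # Copy header from auth response into upstream (api) request.
            # proxy_set_header replaces any x-server value the client supplied; when the auth
            # response carries no such header the value is empty and nginx sends no x-server
            # header at all, so the client cannot forge it.
            auth_request_set $server $upstream_http_server;
            proxy_set_header x-server $server;

            proxy_pass http://api;
        }

        location = /auth {
            # Reachable only through internal subrequests, never directly by a client.
            internal;

            proxy_pass https://epos-aai.cyfronet.pl/oauth2/tokeninfo;

            # nginx does not verify the certificate of an https upstream unless told to. Without
            # these directives anyone able to intercept this connection could answer 200 for any
            # token, so verify the AAI server against a trusted CA bundle and send SNI.
            proxy_ssl_verify on;
            proxy_ssl_server_name on;
            proxy_ssl_trusted_certificate /path/to/trusted-ca-bundle.pem;  # placeholder: CA bundle on this host

            # The AAI endpoint only needs the request headers, so drop the body.
            proxy_pass_request_body off;
            proxy_set_header Content-Length "";
        }
        ...
    }
}
# This passes each request (without its body) to the AAI server. If the AAI server answers with 2xx,
# the request is passed on to the specified location; on 401/403 the matching error page defined in
# nginx is returned to the user, and any other answer is treated as an error.
#
# This solution is good enough if the auth server returns 200 with some user details set as headers.
# Those values can then be copied with auth_request_set and passed into the upstream request with
# proxy_set_header, as shown for x-server. Set every such identity header explicitly in the proxy,
# so the API never trusts a value that arrived from the client.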