我有一个正在运行的 Nginx 身份验证代理服务器，它的 default.conf.template
文件不断增长。
我想按不同的上游服务把它拆分成多个文件。
./templates/default.conf.template 文件:
# njs module that provides the auth.introspectToken and auth.getToken
# handlers referenced by the introspection locations in the server block below.
js_import scripts/auth.js;
# Backend for the /payment route; the host:port comes from the
# PAYMENT_SVC_HOST placeholder, filled in when the template is rendered.
upstream payment {
server ${PAYMENT_SVC_HOST};
}
# Backend for the /eligibility route; host:port from the ELIGIBILITY_SVC_HOST
# template placeholder.
upstream eligibility {
server ${ELIGIBILITY_SVC_HOST};
}
# Backend for the /datasource route; host:port from the DATASOURCE_SVC_HOST
# template placeholder.
upstream datasource {
server ${DATASOURCE_SVC_HOST};
}
# Derives $allow_origin, consumed by the Access-Control-Allow-Origin header in
# the server block: the request's Origin when it matches the ALLOWED_ORIGINS
# pattern, otherwise an empty string (nginx does not emit an add_header whose
# value is empty, so unmatched origins receive no ACAO header at all).
# NOTE(review): ${ALLOWED_ORIGINS} is a template placeholder spliced verbatim
# into an anchored regex; dots in the allowed hostnames must already be
# escaped in that value or the match is looser than intended -- confirm.
map $http_origin $allow_origin {
'~^${ALLOWED_ORIGINS}$' $http_origin;
default "";
}
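# Public entry point of the authentication proxy. No TLS is terminated here
# (listen 80); the HSTS header below is only honoured by browsers when the
# response arrives over HTTPS, so it presumes a TLS terminator in front of
# this server -- confirm with the deployment.
server {
    listen 80;
    server_name localhost;

    # --- Headers added to every response produced in this server -----------
    # NOTE(review): nginx's add_header is not merged across contexts -- a
    # location that declares its own add_header (for example through
    # "include cors.conf") silently drops all of the server-level headers
    # below. Keep that in mind when moving locations into separate files.
    add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload" always;
    # One correctly spelled Access-Control-Expose-Headers. The previous config
    # sent "Access-Control-Expose-Header" (singular, which browsers ignore) for
    # Content-Disposition, so that header was never actually exposed.
    add_header Access-Control-Expose-Headers "Content-Disposition, x-b3-traceid" always;
    # $allow_origin is set by the map above (matching Origin, else empty).
    # Vary: Origin stops a shared cache from replaying one origin's
    # Access-Control-Allow-Origin value to a different origin.
    add_header Access-Control-Allow-Origin $allow_origin always;
    add_header Vary Origin always;
    # NOTE(review): when Access-Control-Allow-Credentials is "true", browsers
    # treat "*" in Allow-Methods / Allow-Headers as a literal token rather than
    # a wildcard, so credentialed preflights only succeed if the real method
    # and header names are listed explicitly -- confirm against the clients.
    add_header Access-Control-Allow-Methods '*' always;
    add_header Access-Control-Allow-Headers '*' always;
    add_header Access-Control-Allow-Credentials 'true' always;

    # nginx-generated 401/403/500 (from auth_request / njs) are rendered as
    # JSON by the named locations at the bottom. Upstream error responses are
    # passed through untouched because each route sets proxy_intercept_errors off.
    error_page 401 = @handle_auth_401;
    error_page 403 = @handle_auth_403;
    error_page 500 = @handle_auth_500;

    # Unauthenticated liveness probe.
    location /__healthcheck {
        return 200;
    }

    # --- Per-service routes -------------------------------------------------
    # Each route: CORS snippet, token check via auth_request, strip or remap
    # the public prefix, proxy to its upstream, forward a trace id. These
    # blocks are self-contained and can be moved to one file per service that
    # is pulled in with an "include" at this point; the shared
    # /_oauth2_* and @handle_auth_* locations below must exist exactly once
    # in this server.
    location /payment {
        include cors.conf;
        proxy_intercept_errors off;
        default_type application/json;
        auth_request /_oauth2_token_introspection;
        # /payment/x -> /x. A bare "/payment" does not match this regex and
        # is proxied with its URI unchanged.
        rewrite ^/payment(/.*)$ $1 break;
        proxy_pass http://payment;
        proxy_set_header x-b3-traceid $request_id;
    }

    location /eligibility {
        include cors.conf;
        proxy_intercept_errors off;
        default_type application/json;
        auth_request /_oauth2_token_introspection;
        # /eligibility/x -> /api/v1/x (prefix differs from /payment on purpose,
        # presumably because the upstream API is versioned -- confirm).
        rewrite ^/eligibility/(.*)$ /api/v1/$1 break;
        proxy_pass http://eligibility;
        proxy_set_header x-b3-traceid $request_id;
    }

    location /datasource {
        include cors.conf;
        proxy_intercept_errors off;
        default_type application/json;
        auth_request /_oauth2_token_introspection;
        # /datasource/x -> /v1/x
        rewrite ^/datasource/(.*)$ /v1/$1 break;
        proxy_pass http://datasource;
        proxy_set_header x-b3-traceid $request_id;
    }

    # --- Token introspection (shared by all routes) -------------------------
    # Target of auth_request. "internal" means it is only reachable from
    # subrequests, never directly from a client. The njs handler decides
    # whether the bearer token is accepted; presumably it calls
    # /_oauth2_do_introspection itself -- see scripts/auth.js.
    location = /_oauth2_token_introspection {
        internal;
        js_content auth.introspectToken;
    }

    # POSTs the token to the OAuth2 introspection endpoint using the BFF
    # client credentials and caches the endpoint's answer per token.
    location /_oauth2_do_introspection {
        internal;
        js_set $auth_token auth.getToken;
        proxy_method POST;
        proxy_set_header Content-Type "application/x-www-form-urlencoded";
        # NOTE(review): $auth_token is interpolated into the form body as-is;
        # auth.getToken should guarantee it is form-safe -- TODO confirm.
        # ${BFF_CLIENT_ID} / ${BFF_CLIENT_SECRET} / ${TOKEN_INTROSPECTION_URL}
        # are template placeholders filled at render time.
        proxy_set_body "client_id=${BFF_CLIENT_ID}&client_secret=${BFF_CLIENT_SECRET}&token=$auth_token";
        proxy_pass ${TOKEN_INTROSPECTION_URL};
        # The "token_responses" zone is declared by a proxy_cache_path directive
        # outside this file. Entries are keyed on the token itself; the 5s TTL
        # is the upper bound on how long a revoked token is still accepted, and
        # the endpoint's own cache headers are ignored so this TTL is
        # authoritative. proxy_cache_lock collapses concurrent misses for the
        # same token into a single introspection call.
        proxy_cache token_responses;
        proxy_cache_key $auth_token;
        proxy_cache_lock on;
        proxy_cache_valid 200 5s;
        proxy_ignore_headers Cache-Control Expires Set-Cookie;
    }

    # --- JSON error bodies for nginx-generated auth errors ------------------
    # NOTE(review): $request_uri is the raw client-supplied URI and is not
    # JSON-escaped, so a quote or backslash in it yields an invalid JSON body.
    # If the "path" field is needed, produce it from njs with JSON.stringify
    # (or drop the field); applies to all three handlers.
    location @handle_auth_401 {
        default_type application/json;
        return 401 '{"timestamp":"$time_iso8601","status":401,"error":"Unauthorized","path":"$request_uri"}';
    }

    location @handle_auth_403 {
        default_type application/json;
        return 403 '{"timestamp":"$time_iso8601","status":403,"error":"Forbidden","path":"$request_uri"}';
    }

    location @handle_auth_500 {
        default_type application/json;
        return 500 '{"timestamp":"$time_iso8601","status":500,"error":"Internal Server Error","path":"$request_uri"}';
    }
}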
我尝试把 upstream 和 location 块移到单独的文件中，
但只有在把与令牌自省相关的所有内容也一并移动（造成代码重复）之后才能正常工作。
最好的方法是什么?
如果需要更多详细信息,请告诉我。