Cache token from auth_request

I want to cache the token from the request field of the request header.

Authorization: Bearer abcdefghijklmnopqrstuvwxyz

My goal is that I don't have to validate every request on the validation server. If the authorization token is cached (and valid), then the request should call the API without validation.

location /main {
    auth_request /auth;                      # subrequest to /auth decides whether the request proceeds
    proxy_ignore_headers Cache-Control;
    proxy_pass http://API;
    proxy_http_version 1.1;
}

location /auth {
    internal;                                # reachable only through the subrequest
    proxy_cache my_cache;
    proxy_ignore_headers Cache-Control;
    proxy_cache_key "$http_authorization";   # one cache entry per bearer token value
    proxy_pass https://validationserver;
    proxy_pass_request_body off;             # validation server only needs the headers
    proxy_set_header Content-Length "";
}

      

This is my setup, but it doesn't work.

I hope you can help me.

Hello!

+3
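A complete, minimal version of this setup that does store the validation server's verdict, as an added example (it is neither the asker's configuration nor taken from the nginx documentation). It keeps the `my_cache`, `API` and `validationserver` names from the question and assumes a backend on `127.0.0.1:8080`, the `/var/cache/nginx/auth` directory and the `X-Original-URI` header name. The line the posted config lacks is `proxy_cache_valid`: because `proxy_ignore_headers Cache-Control` throws away the upstream's caching headers, nginx stores nothing unless a lifetime is set in the config itself.

```nginx
# Added example, not the asker's config. Assumed: backend address, cache directory,
# and the X-Original-URI header name. Everything above server {} is http {} context.
proxy_cache_path /var/cache/nginx/auth levels=1:2 keys_zone=my_cache:10m
                 max_size=50m inactive=10m use_temp_path=off;

# Requests without a bearer token must not create or reuse an entry under an empty key.
map $http_authorization $no_token {
    ""      1;
    default 0;
}

upstream API {
    server 127.0.0.1:8080;   # assumed backend
}

server {
    listen 80;

    location /main {
        auth_request /auth;          # 2xx from /auth lets the request through, 401/403 stops it
        proxy_pass http://API;
        proxy_http_version 1.1;
    }

    location = /auth {
        internal;
        proxy_pass https://validationserver;
        proxy_pass_request_body off;
        proxy_set_header Content-Length "";
        proxy_set_header X-Original-URI $request_uri;   # original client path, for logging/decisions

        proxy_cache my_cache;
        proxy_cache_key "$http_authorization";          # one entry per token value
        proxy_no_cache $no_token;
        proxy_cache_bypass $no_token;

        # The validator's Cache-Control / Expires / Set-Cookie would otherwise suppress
        # caching, so ignore them and set the lifetime here. A cached 200 keeps admitting
        # the token for up to this long after it is revoked at the validation server.
        proxy_ignore_headers Cache-Control Expires Set-Cookie;
        proxy_hide_header Set-Cookie;
        proxy_cache_valid 200 5m;
        proxy_cache_valid 401 403 30s;
        proxy_cache_lock on;                            # one validation in flight per token
    }
}
```

Two things to keep in mind with this key: the verdict is reused for any URI carrying the same token, which is only acceptable when every authenticated user has the same rights, and the cache key, i.e. the bearer token itself, is written in cleartext into the files under `proxy_cache_path`, so that directory deserves the same file permissions and retention (`inactive`, `max_size`) you would give a session store.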




2 answers


What kind of authentication are you trying to accomplish? Is this an authentication mechanism on a site where every authenticated user has the same access rights to the content? Or is it the more subtle case where a given user may or may not have access to certain resources?

Because if it is the latter, then you are effectively exposing your application to a security vulnerability: any authenticated user will be able to use their authentication token to perform actions that they may or may not have rights to, since presumably any username or IDs passed as parameters in the request will be fully trusted, provided that the token was first cached when the correct username/ID was provided in the original authorization request that was verified and cached.


Alternatively, note that caching was not supported until nginx 1.7.3 according to http://nginx.org/r/auth_request.




Also, note that, by default, having cookies in a request or response will also prevent content from being cached by http://nginx.org/r/proxy_cache. According to http://serverfault.com/questions/462799/leverage-proxy-caching-with-nginx-by-removing-set-cookie-header/467774#467774 the following might be required for caching to work:

    proxy_hide_header       Set-Cookie;
    proxy_ignore_headers    Set-Cookie;
    # important! Remember the special inheritance rules for proxy_set_header:
    # http://nginx.org/ru/docs/http/ngx_http_proxy_module.html#proxy_set_header
    proxy_set_header        Cookie "";

      

+2
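If the validation server really does decide per user and per resource (the second case in the answer above), the cache key has to cover everything the verdict depends on, not just the token. The following is an added example, not the answer's or nginx's own code: it assumes the `my_cache` zone and `validationserver` from the question, and that the validation server reads the original path and method from `X-Original-URI` and `X-Original-Method`, header names chosen here.

```nginx
# Added example. Assumes my_cache is declared with proxy_cache_path at http level and that
# the validation server authorizes on X-Original-URI / X-Original-Method (names chosen here).
location = /auth {
    internal;
    proxy_pass https://validationserver;
    proxy_pass_request_body off;
    proxy_set_header Content-Length "";

    # Inside the auth subrequest $uri is /auth, but $request_uri and $request_method
    # still describe the client's original request, so forward those to the validator.
    proxy_set_header X-Original-URI    $request_uri;
    proxy_set_header X-Original-Method $request_method;

    proxy_cache my_cache;

    # Weak key: the verdict for the first (token, resource) pair is replayed for every
    # other resource the same token asks for later:
    #   proxy_cache_key "$http_authorization";
    # Key that matches what the validator actually decided on (the query string is part
    # of $request_uri, so IDs passed there are covered too):
    proxy_cache_key "$request_method|$request_uri|$http_authorization";

    proxy_ignore_headers Cache-Control Expires Set-Cookie;
    proxy_hide_header Set-Cookie;
    proxy_cache_valid 200 1m;        # a revoked token stays usable this long, per resource
    proxy_cache_valid 401 403 30s;
}
```

The wider key trades hit rate for correctness: each (method, path, token) triple is validated once per minute instead of once per token. It still cannot help when the authorization decision depends on the request body, because `proxy_pass_request_body off` means the validator never sees it; in that case the verdict must not be cached at all.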




Does your cookie validation server generate a cookie? If so, you also need proxy_ignore_headers "Set-Cookie";



+1








