条件必选nginx auth_request

Nginx wiki警告location中的if可能会产生意想不到的结果，但rewrite ... last;是安全的。下面是一个例子:

location / {
    if ($cookie_UserName = "") {
        rewrite ^ /__login$uri last;
    }
    proxy_pass http://backend-app;
}
location /__login {  internal;
    rewrite ^/__login(?<realurl>/.*)$ $realurl break;
    auth_request /auth;
    auth_request_set $user $upstream_http_x_webauth_user;
    proxy_set_header Cookie UserName=$user;
    proxy_pass http://backend-app;
    add_header Set-Cookie "UserName=$user;Max-Age=300";
}
location = /auth {  internal;
    proxy_pass_request_body off;
    proxy_set_header Content-Length "";
    proxy_pass http://auth-server/validate;
}

有两种情况:Cookie:UserName是否存在。如果存在，则执行第一个proxy_pass。否则使用/__login。注意，$uri是通过的，所以它可以被发送到后端应用程序。

对于更高级的条件，可以使用map代替if。

请注意，如果不对每个请求进行身份验证，就有可能接受带有"伪造"的请求。饼干/头。

请查看NJS (https://nginx.org/en/docs/njs/)模块。这真的很简单，当然可以做你想做的。下面是示例解决方案:

文件:/etc/nginx/conf.d/default.conf:

server {
    listen 80;
    server_name "SOME_SERVER";
    # make an authentication subrequest for every request
    auth_request /auth;
    # create a new variable AuthToken and set its value to the res.SOMEVALUE from the later subrequest... 
    auth_request_set $AuthToken $sent_http_token;
    
    # add new AuthToken to the request
    proxy_set_header Authorization $AuthToken;
    location / {
        proxy_pass http://SOME_ENDPOINT;
    }
    location = /auth {
        internal;
        proxy_pass_request_body off;
        proxy_set_header Content-Length "";
        proxy_set_header X-Original-URI $request_uri;
        js_content auth.main;
    }
    location /get-new-token-location {
       internal;
       proxy_pass http://SOMEURL;
    }
}

和nginx.conf文件的例子来展示如何启用NJS模块:

...
pid /var/run/nginx.pid;
load_module /usr/lib/nginx/modules/ngx_http_js_module.so;
events {
    use epoll;
    worker_connections 10000;
}

http {
    # import njs scripts
    js_import auth from /path/to/the/auth.js;
    
    include /etc/nginx/conf.d/default.conf;
}

最后，auth.js文件中的主函数:

export default {main}
function main(r) {
    var token = "";
    // search token in Authorization header
    if (this.requestHeaderExists(r, 'Authorization')) {
        var m = r.headersIn.Authorization.match(/Bearers+(.+)/);
        if (m !== null && typeof m[1] !== 'undefined') {
            token = m[1];
        }
    }
    // search token in cookie
    if (token.length == 0) {
       ... code here ...
    }
    // token was found, you can somehow validate it if you want
    if (token.length > 0) {
       .., make sure token is valid...
    }
    else { // there is no token, so ask for the new one
       r.subrequest('/get-new-token-location, { method: 'GET' }, function(reply) {  
         var res = JSON.parse(reply.responseBody);
         // add token to the response headers of this sub-request
         r.headersOut['token'] = res.SOMEVALUE;
       }
    }
   r.return(200);
   return;
}

请把它当作一个例子。好吧，也许它看起来很复杂，但它真的很强大，你肯定可以在万维网上找到更多的例子。

也许太晚了。但我找到了另一个解决办法。使用proxy_cache缓存auth_request .

# Working config for auth_request with proxy_cache. (nginx 1.18.0)
# https://gist.github.com/jinto/f120e497db8d39d866db49ff2454b7b3
# ...
proxy_cache_path /tmp/cache_xx levels=1:2 keys_zone=auth_cache:10m max_size=128m inactive=10m use_temp_path=off;
server {
  location / {
    auth_request /_ml_proxy/auth;
    # ...
    proxy_pass http://backend_ip:7860/;
  }
  location ~ ^/_ml_proxy/auth { internal;
    include                 proxy_params;
    proxy_cache             auth_cache;
    proxy_cache_methods     GET HEAD POST;
    proxy_cache_key         $cookie_sessionid;   # for django
    proxy_cache_valid       200 1m;
    proxy_pass              http://backend_auth_ip;
    proxy_pass_request_body off;
    proxy_set_header        Content-Length "";
  }
}