-
nimrod authored
Vouch uses the Host header for calculating the JWT but we can't override that (proxying won't work with an incorrect header). So instead it to each deployment so we don't have multiple proxies and can override the Host header.
nimrod authoredVouch uses the Host header for calculating the JWT but we can't override that (proxying won't work with an incorrect header). So instead it to each deployment so we don't have multiple proxies and can override the Host header.
vouch.conf 1.27 KiB
# send all requests to the `/validate` endpoint for authorization
auth_request /validate;
location = /validate {
# forward the /validate request to Vouch Proxy
proxy_pass http://$vouch:9090/validate;
proxy_http_version 1.1;
internal;
include snippets/proxy-headers.conf;
# Vouch Proxy only acts on the request headers
proxy_pass_request_body off;
proxy_set_header Content-Length "";
# optionally add X-Vouch-User as returned by Vouch Proxy along with the request
auth_request_set $auth_resp_x_vouch_user $upstream_http_x_vouch_user;
# these return values are used by the @error401 call
auth_request_set $auth_resp_jwt $upstream_http_x_vouch_jwt;
auth_request_set $auth_resp_err $upstream_http_x_vouch_err;
auth_request_set $auth_resp_failcount $upstream_http_x_vouch_failcount;
}
# if validate returns `401 not authorized` then forward the request to the error401block
error_page 401 = @error401;
location @error401 {
# redirect to Vouch Proxy for login
return 302 https://vouch.shore.co.il/login?url=$scheme://$http_host$request_uri&vouch-failcount=$auth_resp_failcount&X-Vouch-Token=$auth_resp_jwt&error=$auth_resp_err;
}