Check response of one backend before proxying to another

Daniel Darabos

11/16/23, 2:28 PM

I have two backends in two locations behind an Nginx frontend. Backend A implements authentication with OAuth. Backend B doesn't.

I think a lazy way of adding authentication for location B would be to send each request to backend A first. The flow I have in mind:

request for /b/kitten.png --> [ nginx ]
                              [ nginx ] --> request for /index.html --> [backend A]
                            if A responds 200:
                              [ nginx ] --> request for /kitten.png --> [backend B]
                            otherwise return what A returned (redirect to OAuth)

Is this possible in Nginx? If not, maybe in OpenResty/HAProxy/Traefik?

134

1 + 0

nginx

reverse-proxy

haproxy

openresty

traefik

Score:1

Server

diya

11/17/23, 10:45 AM

Not a complete answer, but slightly too long for comment:

The set-up you describe is in concept similar to a fairly common strategy :

offload the authentication to one system
use your reverse proxy to enforce that only authenticated clients can access your other applications/back-ends (by inspecting the request)
unauthenticated clients get refused by the reverse proxy (and/or ideally redirected to a login page from the authentication provider, that once authenticated successfully redirects back to the app)
authenticated clients are granted access.

This requires a method to validate the header/cookie/session token the client submits in the reverse proxy. The advantage is of course that the applications exposed by the reverse proxy don't have to provide their own login/authentication methods.

For nginx a bit of lua code seems to be a common way to create such a method.

For example the access_by_lua method is commonly used to make such an integration with nginx and keycloak as the authentication provider. See the examples: here and here

+ 1

Daniel Darabos

11/17/23, 12:38 PM

This sounds great! In the meanwhile I found a better solution that is specific to my particular setup. (Backend A actually has authentication, it's just different from backend B.) But I'll come back to these `access_by_lua` examples if I need this in the future. Thanks!

Elon Musk

I sit in a Tesla and translated this thread with Ai:

EN: Check response of one backend before proxying to another

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.