So, I've set up a reverse proxy for multiple domains in nginx like this:
server {
    listen 80;
    listen [::]:80;
    root /var/www/nginx;
    index index.html index.htm;
    server_name example.com example.org example.net example.nl;

    location / {
        # Forward everything to the Kestrel process on the loopback interface
        proxy_pass http://localhost:7001/;
        # Preserve the original host so the app can tell the domains apart
        proxy_set_header Host $host;
        # WebSocket upgrade passthrough
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection upgrade;
        proxy_set_header Accept-Encoding gzip;
    }
}
And it sets a few headers for this purpose. The process on localhost:7001 is a .NET 7 application using Kestrel and right now it gets settings from a local JSON file. Some of these settings are API keys for remote services that need to stay secret.
I now wonder if it's okay to pass these secrets as headers in this nginx configuration and have the application read them from the headers, something like proxy_set_header ApiKey <My-Key>; so the application doesn't need to use the key from the configuration.
Maybe I would need to encrypt it in here too. It would be no problem to include RSA encryption over this key, with the private key in the application and a console application that can generate this key using the public key.
But I wonder if this is a good practice. It looks secure to me because if someone has access to the nginx configuration then my server is already breached. But am I missing a security risk here? Because this needs to be as secure as possible...
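The two designs from the question side by side, as an added example that is not part of the original post and not the poster's application: a small stand-in for the backend on port 7001 that either takes its API key from the ApiKey request header (the proposed proxy_set_header design) or loads it from its own configuration (the current JSON-file design). The only nginx behaviour modelled is that proxy_set_header replaces a same-named header sent by the client before forwarding; the header name ApiKey comes from the question, and every key value, the "direct to backend" path (anything that reaches 7001 without going through that location block) and the header-dumping logger are constructed for illustration.

```python
"""Stand-in for the Kestrel backend behind nginx (added example, not the poster's code).

Compares design A (secret arrives in the ApiKey request header, injected by
proxy_set_header) with design B (secret loaded by the application itself).
All key values are constructed placeholders.
"""
from dataclasses import dataclass

NGINX_VALUE = "key-from-nginx-config"      # stands in for <My-Key> in proxy_set_header
ATTACKER_VALUE = "key-attacker-controls"   # a key for an account the attacker owns
APP_SECRET = "key-from-app-config"         # design B: loaded once at startup (file/env/secret store)


@dataclass
class Request:
    headers: dict  # header name -> value, exactly as the backend receives them


def get_header(req: Request, name: str):
    """Case-insensitive header lookup, as any HTTP server does it."""
    for k, v in req.headers.items():
        if k.lower() == name.lower():
            return v
    return None


def through_nginx(client_headers: dict, set_headers: dict) -> Request:
    """Model of proxy_set_header: client headers are forwarded, but any header
    whose name matches one nginx sets is replaced by nginx's value."""
    lowered = {n.lower() for n in set_headers}
    forwarded = {k: v for k, v in client_headers.items() if k.lower() not in lowered}
    forwarded.update(set_headers)
    return Request(forwarded)


def direct_to_backend(client_headers: dict) -> Request:
    """Model of a request that reaches port 7001 without that location block in
    front (another local process, an SSRF, a second vhost or location that does
    not set the header). Assumed path, constructed for the example."""
    return Request(dict(client_headers))


def call_remote(api_key: str) -> str:
    """Stub for the outbound call; reports which credential the call would use."""
    return f"remote call authenticated with {api_key}"


# --- Design A: the application takes its secret from the request ---------------
def handle_header_design(req: Request) -> str:
    key = get_header(req, "ApiKey")
    if key is None:
        raise PermissionError("ApiKey header missing")
    return call_remote(key)


# --- Design B: the application owns its secret; the request is never a source --
def handle_config_design(req: Request) -> str:
    return call_remote(APP_SECRET)


def access_log_line(req: Request) -> str:
    """A request logger that dumps headers (many frameworks can be switched into
    this mode for debugging). In design A the secret lands here on every request."""
    return " ".join(f"{k}={v}" for k, v in sorted(req.headers.items()))


def scenarios() -> dict:
    """Run the interesting cases and return what each design would do."""
    injected = {"ApiKey": NGINX_VALUE}
    spoof = {"Host": "example.com", "apikey": ATTACKER_VALUE}  # client supplies its own key
    return {
        # Through nginx the client cannot override the injected value
        "proxied_spoof_A": handle_header_design(through_nginx(spoof, injected)),
        # Reaching the backend without nginx, the client chooses the key the app uses
        "direct_spoof_A": handle_header_design(direct_to_backend(spoof)),
        # Design B ignores the header on every path
        "direct_spoof_B": handle_config_design(direct_to_backend(spoof)),
        # Design A puts the secret into every proxied request, so into any header dump
        "log_A": access_log_line(through_nginx({"Host": "example.com"}, injected)),
        "log_B": access_log_line(through_nginx({"Host": "example.com"}, {})),
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:16s} {result}")
```

The point the scenarios make: as long as every request really passes through that location block, nginx wins over a client-supplied ApiKey header, so the proposed design is not spoofable from the outside; but the application now trusts a request header as its own credential, so anything that reaches port 7001 by another route picks the key it uses, and the key is written into every request where any header-logging middleware, error page or debugging proxy can copy it. Design B has neither problem, and encrypting the header value with RSA changes none of this, because the application holding the private key is exactly the process that would be compromised in the scenarios above.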