I have a task of replacing the Zuul reverse proxy with Nginx. Security in the Zuul proxy is implemented with implementation 'org.springframework.boot:spring-boot-starter-security':
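    import org.springframework.security.config.annotation.web.builders.HttpSecurity
    import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity
    import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter
    import org.springframework.security.config.http.SessionCreationPolicy

    @EnableWebSecurity
    class ZuulSecurity(...) : WebSecurityConfigurerAdapter() {
        override fun configure(http: HttpSecurity) {
            http.csrf().disable().httpBasic().disable()
                // Never create a session here; use one only if it already exists.
                .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.NEVER)
                .sessionFixation().changeSessionId()
                .and().authorizeRequests()
                // Matchers are evaluated in order: deny first, then the login exceptions.
                .antMatchers(*dennyPatterns).denyAll()
                .antMatchers(*loginPatterns).permitAll()
                .anyRequest().authenticated()
                .and().formLogin().loginPage(loginUrl)
        }
    }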
Spring Boot API services are protected in a similar way with @EnableWebSecurity.
I am replacing the Zuul reverse proxy with Nginx as the reverse proxy.
How can I enforce security on Nginx, so that no unauthenticated request is proxy_pass'ed to backend API services? In other words, I would like to validate on Nginx if a request is made by an authenticated user (with some exceptions for loginPatterns URLs). Which one of nginx/admin-guide/security-controls should I study?
I have done it with configuring-subrequest-authentication/
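
The subrequest-authentication approach named in the answer, mapped onto the three Spring rules from the question (denyAll, permitAll, authenticated). This is an added example, not part of the original post: the upstream names, ports, URL patterns and the /auth/check endpoint are assumptions, and it requires nginx built with ngx_http_auth_request_module.

```nginx
# Added example. All upstreams, ports and paths below are assumed placeholders.
upstream backend_api  { server 127.0.0.1:8080; }  # hypothetical API service
upstream auth_service { server 127.0.0.1:8081; }  # hypothetical login/session service

server {
    listen 80;  # TLS termination omitted for brevity

    # Counterpart of antMatchers(*dennyPatterns).denyAll(): never proxied.
    location /internal/ {               # hypothetical deny pattern
        return 403;
    }

    # Counterpart of antMatchers(*loginPatterns).permitAll(): no auth_request here.
    location /login {                   # hypothetical login pattern
        proxy_pass http://auth_service;
    }

    # Subrequest target. "internal" makes it unreachable for external clients.
    location = /_auth {
        internal;
        # Assumed endpoint: answers 2xx for a valid session, 401 or 403 otherwise.
        proxy_pass http://auth_service/auth/check;
        # Only headers (session cookie included) are needed to decide; drop the body.
        proxy_pass_request_body off;
        proxy_set_header Content-Length "";
        proxy_set_header X-Original-URI $request_uri;
    }

    # Counterpart of anyRequest().authenticated(): checked before every proxy_pass.
    location / {
        auth_request /_auth;
        error_page 401 = @to_login;     # send unauthenticated users to the login page
        proxy_pass http://backend_api;
    }

    location @to_login {
        return 302 /login;
    }
}
```

nginx allows the request only when the subrequest returns 2xx, denies it on 401 or 403, and treats any other subrequest status as an error, so an unavailable auth service fails closed. The backend services should keep their own @EnableWebSecurity checks, since nginx only guards traffic that actually passes through it.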