Caching Token from auth_request


Problem description

I want to cache the token from my request header field Authorization.

Authorization : Bearer abcdefghijklmnopqrstuvwxyz

My goal is that I don't have to validate every request on the validation server. If the Authorization token is cached (and valid), then the request should call the API without validation.

location /main {
    auth_request /auth;
    proxy_ignore_headers Cache-Control;
    proxy_pass http://API;
    proxy_http_version 1.1;
}

location /auth {
    internal;
    proxy_cache my_cache;
    proxy_ignore_headers Cache-Control;
    proxy_cache_key "$http_authorization";
    proxy_pass https://validationserver;
    proxy_pass_request_body off;
    proxy_set_header Content-Length "";
}

This is my setup, but this does not work.

I hope you can help me.

Regards!

Recommended answer

What sort of authentication are you trying to accomplish? Is it a site-wide authentication mechanism, where every authenticated user has the same permissions to the content? Or is it more subtle, where a given user may or may not have access to certain resources?

Because if it is the latter, then you're effectively opening up your application to a security vulnerability — any authenticated user would be able to use their authentication token to perform actions they may or may not be entitled to, as, presumably, any username or IDs passed as parameters in the query would be fully trusted provided that the Token was first cached when the proper username/ID were presented in the original authorisation request that was validated and cached.

Also, note that caching is not supported prior to nginx 1.7.3, as per http://nginx.org/r/auth_request.

Also, note that, by default, presence of cookies in the request or response would, likewise, preclude the content from being cached with http://nginx.org/r/proxy_cache. As per http://serverfault.com/questions/462799/leverage-proxy-caching-with-nginx-by-removing-set-cookie-header/467774#467774, the following may thus be required to get the caching to work:

    proxy_hide_header       Set-Cookie;
    proxy_ignore_headers    Set-Cookie;
    # important! Remember the special inheritance rules for proxy_set_header:
    # http://nginx.org/ru/docs/http/ngx_http_proxy_module.html#proxy_set_header
    proxy_set_header        Cookie "";
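As an added example (not the asker's config and not part of the answer above), here is the question's token-only cache key beside a narrower one that covers what the validation server actually decided on, with a short TTL bounding how long a revoked token keeps passing. The upstream names, the cache zone name, the cache path and the X-Original-URI / X-Original-Method headers are assumptions.

```nginx
# Added example, not the config from the question or the answer.
# Assumed: upstreams "API" and "validationserver", zone "my_cache", the
# cache path, and that the validation server reads X-Original-URI and
# X-Original-Method to make a per-resource decision.

proxy_cache_path /var/cache/nginx/auth levels=1:2 keys_zone=my_cache:10m
                 max_size=50m inactive=5m;

server {
    listen 80;

    location /main {
        auth_request /auth;
        proxy_pass http://API;
        proxy_http_version 1.1;
    }

    location /auth {
        internal;
        proxy_pass https://validationserver;
        proxy_pass_request_body off;
        proxy_set_header Content-Length "";

        # Weak key from the question: one entry per bearer token, so the
        # decision made for the first URI is replayed for every other URI
        # and method carrying the same token until the entry expires.
        #
        #   proxy_cache_key "$http_authorization";

        # Tell the validation server which resource is being accessed, and
        # make the cache key cover exactly the inputs of its decision.
        proxy_set_header X-Original-URI    $request_uri;
        proxy_set_header X-Original-Method $request_method;
        proxy_cache my_cache;
        proxy_cache_key "$http_authorization|$request_method|$request_uri";

        # Cache only positive decisions, and only briefly: the TTL is the
        # window in which a revoked or expired token still passes here.
        # Ignoring upstream cache and cookie headers keeps the TTL under
        # this config's control and avoids the Set-Cookie cache bypass
        # described in the answer.
        proxy_cache_valid 200 1m;
        proxy_ignore_headers Cache-Control Expires Set-Cookie;
        proxy_hide_header Set-Cookie;
        proxy_set_header Cookie "";
    }
}
```

Denied responses (401/403) are not listed in proxy_cache_valid, so they are never cached and always re-checked upstream.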
