1

We are using NGINX as a reverse proxy, it dispatches the calls from outside to our internal Java microservices:

enter image description here

We would like to add a special service which would serve as a "man-in-the middle", but only for the request part. It's purpose is to decorate the original request (authentication, add/modify HTTP headers, verify access rights). The "decorative tasks" involve a complicated business logic which cannot be configured on NGINX itself.

We want the service to be called as first, and then forward its response (especially the HTTP headers!) as a request to one of the microservices. Maybe also optionally to call the dispatched services with the original body, but with the HTTP headers returned from the decorator service.

When the service returns an HTTP error, it should return directly to the caller without dispatching.

The service is implemented as a Java Spring Boot application. It is a regular web service.

Is it possible to be configured in NGINX, and how?

To be clear: I am not asking about how to implement this specific service. What I need is only to know if (and how) can NGINX be configured so it calls another service before dispatching the call, and that NGINX passes the headers (and maybe also body, but not necessarily) returned from this service to the call.

enter image description here

Honza Zidek
  • 210
  • 2
  • 14
  • What can be used to implement your business logic? That would dictate the rest of the setup. – Gerald Schneider Nov 26 '21 at 09:41
  • nginx can be extended pretty extensively with scripts. The documentation contains examples for authorization, have you actually tried this? – Gerald Schneider Nov 26 '21 at 09:56
  • You are not going to get any product recommendations here, that's off topic. – Gerald Schneider Nov 26 '21 at 09:57
  • @GeraldSchneider I am asking how to configure NGINX to call another web service before dispatching the call, **not to get any product recommendation**. And it's easier for us to write the business logic in Java, rather than scripting it in NGINX. Last but not least, for any change in NGINX we need to ask the sysadmin team - we prefer to be flexible and perform the changes on our own. NGINX is responsible for many other things, not only our apps. The operation includes reading from DB, caching data, and business rules massively out of scope of responsibility of the reverse proxy. – Honza Zidek Nov 26 '21 at 10:10
  • Sorry, then I misunderstood your question. It sounded like you were looking for a service that implements the logic. Then back to the question: Did you try the [examples from the documentation](https://github.com/nginx/njs-examples/)? If you encountered problems with them, you should add it to your question. – Gerald Schneider Nov 26 '21 at 10:28
  • @GeraldSchneider I edited the question to avoid this misunderstanding :) Can you navigate me maybe more detailed way in the examples? I am not familiar with NGINX terminology and it would help me if you forwarded me directly to the part related to my issue. (Sorry if it sounds like laziness but I am a Java programmer and I do not have the ambition to become a syadmin :) ) – Honza Zidek Nov 26 '21 at 10:29

1 Answers1

3

Yes, it is possible.

Take a look at this example. In short you can use auth_request directive to fetch the desired additional headers. Use proxy_set_header to add additional headers to the main request.

IOException
  • 46
  • 1
  • 2
    Welcome to Server Fault! Your answer suggests a workable solution to the question is available via another website. The Stack Exchange family of Q&A websites [generally frowns on this type of answer](https://meta.stackexchange.com/questions/8231/are-answers-that-just-contain-links-elsewhere-really-good-answers). Please read [How do I write a good answer?](http://serverfault.com/help/how-to-answer) and consider revising your answer to include the steps required to resolve the issue. And don't forget to take the [site tour](http://serverfault.com/tour). – Paul Nov 27 '21 at 00:32