
I have two backends in two locations behind an Nginx frontend. Backend A implements authentication with OAuth. Backend B doesn't.

I think a lazy way of adding authentication for location B would be to send each request to backend A first. The flow I have in mind:

request for /b/kitten.png --> [ nginx ]
                              [ nginx ] --> request for /index.html --> [backend A]
                            if A responds 200:
                              [ nginx ] --> request for /kitten.png --> [backend B]
                            otherwise return what A returned (redirect to OAuth)

Is this possible in Nginx? If not, maybe in OpenResty/HAProxy/Traefik?

1 Answer

Not a complete answer, but slightly too long for comment:

The setup you describe is in concept similar to a fairly common strategy:

  • offload the authentication to one system
  • use your reverse proxy to enforce that only authenticated clients can access your other applications/back-ends (by inspecting the request)
  • unauthenticated clients get refused by the reverse proxy (and/or ideally redirected to a login page from the authentication provider, that once authenticated successfully redirects back to the app)
  • authenticated clients are granted access.

This requires a method to validate the header/cookie/session token the client submits in the reverse proxy. The advantage is of course that the applications exposed by the reverse proxy don't have to provide their own login/authentication methods.

For nginx, a bit of Lua code seems to be a common way to create such a method.

For example, the access_by_lua method is commonly used to make such an integration with nginx and Keycloak as the authentication provider. See the examples: here and here.

diya

  • This sounds great! In the meanwhile I found a better solution that is specific to my particular setup. (Backend A actually has authentication, it's just different from backend B.) But I'll come back to these `access_by_lua` examples if I need this in the future. Thanks! – Daniel Darabos Nov 17 '22 at 12:38
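Besides the Lua route in the answer, stock nginx ships ngx_http_auth_request_module, whose subrequest semantics match the flow sketched in the question (ask backend A first, proxy to backend B only on success). The configuration below is an added example, not from the question or the answer; the upstream addresses, the `/_auth` location name and backend A's `/a/login` OAuth entry point are assumptions.

```nginx
# Added example (not from the original post). Gate the auth-less backend B
# behind a subrequest to backend A, which already enforces OAuth.
# Assumed: A on 127.0.0.1:8081, B on 127.0.0.1:8082, A's login page at /a/login.
upstream backend_a { server 127.0.0.1:8081; }
upstream backend_b { server 127.0.0.1:8082; }

server {
    listen 80;

    # Backend A keeps its own OAuth flow; proxied unchanged.
    location /a/ {
        proxy_pass http://backend_a/;
    }

    # Backend B: every request first triggers the /_auth subrequest.
    # 2xx from A  -> request is proxied to B (/b/kitten.png -> /kitten.png).
    # 401/403     -> client is sent to A's login page, carrying the original URI.
    location /b/ {
        auth_request /_auth;
        error_page 401 403 = @login;
        proxy_pass http://backend_b/;
    }

    # Internal-only: nginx replays the client's headers (cookies, Authorization)
    # against A's /index.html, but drops the request body for the check.
    location = /_auth {
        internal;
        proxy_pass http://backend_a/index.html;
        proxy_pass_request_body off;
        proxy_set_header Content-Length "";
        proxy_set_header X-Original-URI $request_uri;
    }

    location @login {
        return 302 /a/login?rd=$request_uri;
    }
}
```

One caveat for the "otherwise return what A returned" step: auth_request only interprets 2xx as allow and 401/403 as deny, and any other status from the subrequest (including a 302 to the OAuth provider) is treated as an error and surfaces as a 500. Backend A therefore needs to answer the unauthenticated check with 401 rather than a redirect, which is why the redirect to the login page is issued by nginx in `@login`.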