xfy 6543422281 docs: 添加 Nginx 配置和 Lua 脚本示例文档
- config: 反向代理、缓存、负载均衡、安全、SSL 等配置模板
- lua: API 网关、认证、动态路由、限流、WebSocket 等脚本示例

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-04-10 17:59:22 +08:00


# ============================================================
# Nginx 外部认证子请求配置示例 (auth_request)
# ============================================================
#
# 功能说明:
# - 将认证委托给外部服务
# - 支持子请求模式
# - 可转发请求头到认证服务
#
# Lolly 对应配置:
# server:
# security:
# auth_request:
# enabled: true
# uri: "/auth/validate" # 认证服务地址
# method: "GET"
# auth_timeout: 5s
# headers:
# X-Original-Uri: "$request_uri"
# X-Original-Method: "$request_method"
# forward_headers: ["Cookie", "Authorization", "X-Forwarded-For"]
# ============================================================
# auth_request 模块示例
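http {
    server {
        listen 80;
        server_name auth-request.example.com;

        # NOTE(review): plain HTTP. The Cookie and Authorization headers forwarded
        # to the auth service below arrive from the client in cleartext; terminate
        # TLS here (see the 443 example) before putting this in front of anything real.

        # External authentication for the API.
        # Lolly equivalent: the security.auth_request block
        location /api {
            # Every request to /api first triggers a subrequest to /auth/validate.
            # A 2xx response allows the request, 401/403 denies it with that status,
            # and any other status is treated as an error (nginx answers 500).
            # Lolly equivalent: uri: "/auth/validate"
            auth_request /auth/validate;

            # Capture headers from the auth service's RESPONSE into variables.
            # auth_request_set reads response headers; it does not set request
            # headers -- those are set in the /auth/validate location below.
            auth_request_set $auth_user $upstream_http_x_auth_user;
            auth_request_set $auth_role $upstream_http_x_auth_role;

            # Authentication passed: hand the original request to the backend.
            proxy_pass http://backend:8080;

            # Pass the verified identity to the backend. proxy_set_header replaces
            # any client-supplied X-Auth-User / X-Auth-Role, so the backend cannot be
            # spoofed through these headers; an empty value (auth service sent no
            # such header) causes nginx to omit the header entirely.
            proxy_set_header X-Auth-User $auth_user;
            proxy_set_header X-Auth-Role $auth_role;
        }

        # Target of the auth subrequest.
        location = /auth/validate {
            internal;   # reachable only via subrequest; direct client requests get 404

            proxy_pass http://auth-service:8080/validate;

            # Timeout for the auth call. Stock nginx has no "auth_request_timeout"
            # directive (ngx_http_auth_request_module defines only auth_request and
            # auth_request_set, and an unknown directive stops nginx from starting);
            # the effective timeout is the proxy timeouts of this location.
            # Lolly equivalent: auth_timeout: 5s
            proxy_connect_timeout 5s;
            proxy_send_timeout 5s;
            proxy_read_timeout 5s;

            # Do not forward the request body; clear Content-Length so the auth
            # service does not wait for a body that never arrives.
            proxy_pass_request_body off;
            proxy_set_header Content-Length "";

            # Tell the auth service what the client is trying to do. $request_uri
            # includes the query string, so any secrets in query parameters reach
            # the auth service (and its logs) too.
            # Lolly equivalent: headers
            proxy_set_header X-Original-URI $request_uri;
            proxy_set_header X-Original-Method $request_method;
            proxy_set_header X-Original-Host $host;

            # Credentials. Subrequests already inherit the client's request headers
            # (proxy_pass_request_headers defaults to on); these lines make the
            # forwarded set explicit.
            # Lolly equivalent: forward_headers
            proxy_set_header Cookie $http_cookie;
            proxy_set_header Authorization $http_authorization;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }

        # Auth failure handling. These apply to the 401/403 that nginx itself
        # generates when the auth subrequest denies access; 401/403 responses from
        # the backend pass through untouched unless proxy_intercept_errors is on.
        # Note that @auth_error collapses 403 (authenticated but forbidden) into 401
        # and may not preserve a WWW-Authenticate header sent by the auth service --
        # keep separate handlers if the distinction matters to clients.
        error_page 401 = @auth_error;
        error_page 403 = @auth_error;

        location @auth_error {
            default_type application/json;
            return 401 '{"error": "Authentication failed", "message": "Please login first"}';
        }
    }
}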
# OAuth2/OIDC 认证代理示例(独立示例:与上面的 http 块二选一,实际 nginx.conf 中只能有一个 http 块)
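http {
    server {
        listen 443 ssl;
        server_name oauth.example.com;

        ssl_certificate /etc/nginx/ssl/server.crt;
        ssl_certificate_key /etc/nginx/ssl/server.key;
        # NOTE(review): no ssl_protocols / ssl_ciphers are set here, so nginx's
        # defaults apply; take the hardened settings from the SSL template.

        # Token introspection in front of the API.
        location /api {
            # 2xx from the introspection subrequest allows the request, 401/403
            # denies it with that status, any other status is an error (500).
            auth_request /oauth/introspect;

            # Capture identity and scopes from the introspection RESPONSE headers.
            auth_request_set $auth_user $upstream_http_x_auth_user;
            auth_request_set $auth_scopes $upstream_http_x_auth_scopes;

            proxy_pass http://backend:8080;

            # Pass the verified identity and scopes to the backend. proxy_set_header
            # overrides any client-supplied values, so these headers cannot be
            # spoofed by the caller; an empty value omits the header.
            proxy_set_header X-Auth-User $auth_user;
            proxy_set_header X-Auth-Scopes $auth_scopes;
        }

        # Target of the introspection subrequest.
        location = /oauth/introspect {
            internal;   # subrequest only; direct client requests get 404

            proxy_pass http://oauth-server:8080/introspect;

            # Timeout for the introspection call. Stock nginx has no
            # "auth_request_timeout" directive; the proxy timeouts of this
            # location are what bounds the auth subrequest.
            proxy_connect_timeout 5s;
            proxy_send_timeout 5s;
            proxy_read_timeout 5s;

            # No body is forwarded; clear Content-Length accordingly.
            proxy_pass_request_body off;
            proxy_set_header Content-Length "";

            # $http_authorization is the full client header value, i.e. already
            # "Bearer <token>". It is forwarded as-is: prefixing it with "Bearer "
            # again would send "Bearer Bearer <token>" and every introspection
            # would fail.
            proxy_set_header Authorization $http_authorization;
            # X-Token carries the same full header value (not the bare token).
            proxy_set_header X-Token $http_authorization;

            # NOTE(review): an RFC 7662 introspection endpoint expects the token in
            # a POST form body (token=...) together with client authentication.
            # This example assumes a custom endpoint that reads the token from the
            # headers above and answers with X-Auth-User / X-Auth-Scopes.
        }
    }
}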
# auth_request 说明:
#
# 1. 工作流程:
# a. 客户端请求 /api/resource
# b. nginx 发送子请求到 /auth/validate
# c. 认证服务返回 2xx 表示成功,401/403 表示失败;其他状态码视为错误,nginx 返回 500
# d. 认证成功:继续处理原始请求
# e. 认证失败:返回错误响应
#
# 2. 子请求特性:
# - internal: 仅允许 nginx 内部调用
# - 不转发请求体(proxy_pass_request_body off,并清空 Content-Length):节省资源
# - 可设置自定义头
#
# 3. 认证响应头:
# - 认证服务可通过响应头返回用户信息
# - 使用 auth_request_set 捕获响应头
# - 可传递给后端服务
#
# 4. 适用场景:
# - OAuth2/OIDC 验证
# - JWT 验证
# - 自定义认证逻辑
# - 权限检查
#
# 5. Lolly 支持:
# - auth_request 模块实现
# - 支持相对路径和完整 URL
# - 自动转发常用认证头
# - 支持自定义请求头