I have a sample multi-container setup for having React.js ui as the frontend and eXist-db database server as the backend and authentication through openid_connect. Here is the GitHub link: https://github.com/lcahlander/multi-container-nginx-react-existdb
Here is the NGINX default.conf file:
upstream backend {
zone backend 64k;
server backend:8080;
}
upstream client {
zone client 64k;
server client:3000;
}
# Custom log format to include the 'sub' claim in the REMOTE_USER field
log_format main_jwt '$remote_addr - $jwt_claim_sub [$time_local] "$request" $status '
'$body_bytes_sent "$http_referer" "$http_user_agent" "$http_x_forwarded_for"';
# The frontend server - reverse proxy with OpenID Connect authentication
#
server {
include conf.d/openid_connect.server_conf; # Authorization code flow and Relying Party processing
error_log /var/log/nginx/error.log debug; # Reduce severity level as required
listen 80;
location /exist {
# This site is protected with OpenID Connect
auth_jwt "" token=$session_jwt;
error_page 401 = @do_oidc_flow;
#auth_jwt_key_file $oidc_jwt_keyfile; # Enable when using filename
auth_jwt_key_request /_jwks_uri; # Enable when using URL
# Successfully authenticated users are proxied to the backend,
# with 'sub' claim passed as HTTP header
proxy_set_header Bearer $jwt_claim_sub;
proxy_pass http://backend;
access_log /var/log/nginx/exist.log main_jwt;
}
location / {
# This site is protected with OpenID Connect
auth_jwt "" token=$session_jwt;
error_page 401 = @do_oidc_flow;
#auth_jwt_key_file $oidc_jwt_keyfile; # Enable when using filename
auth_jwt_key_request /_jwks_uri; # Enable when using URL
# Successfully authenticated users are proxied to the backend,
# with 'sub' claim passed as HTTP header
proxy_set_header Bearer $jwt_claim_sub;
proxy_pass http://client;
access_log /var/log/nginx/access.log main_jwt;
}
}
The problem is that /_codexch
is being passed to the client container instead of being processed in the nginx container. How do I fix that?
Thank you in advance!
I found my solution. The problem was that proxy_set_header Bearer $jwt_claim_sub;
should be proxy_set_header Bearer $session_jwt;