nginxopenid-connectauth0nginx-locationexist-db

How do I tell NGINX to not proxy_pass certain URIs?

I have a sample multi-container setup for having React.js ui as the frontend and eXist-db database server as the backend and authentication through openid_connect. Here is the GitHub link: https://github.com/lcahlander/multi-container-nginx-react-existdb

Here is the NGINX default.conf file:

upstream backend {
  zone backend 64k;
  server backend:8080;
}

upstream client {
  zone client 64k;
  server client:3000;
}

# Custom log format to include the 'sub' claim in the REMOTE_USER field
log_format main_jwt '$remote_addr - $jwt_claim_sub [$time_local] "$request" $status '
                    '$body_bytes_sent "$http_referer" "$http_user_agent" "$http_x_forwarded_for"';

# The frontend server - reverse proxy with OpenID Connect authentication
#
server {
    include conf.d/openid_connect.server_conf; # Authorization code flow and Relying Party processing
    error_log /var/log/nginx/error.log debug;  # Reduce severity level as required

    listen 80;

    location /exist {
        # This site is protected with OpenID Connect
        auth_jwt "" token=$session_jwt;
        error_page 401 = @do_oidc_flow;

        #auth_jwt_key_file $oidc_jwt_keyfile; # Enable when using filename
        auth_jwt_key_request /_jwks_uri; # Enable when using URL

        # Successfully authenticated users are proxied to the backend,
        # with 'sub' claim passed as HTTP header
        proxy_set_header Bearer $jwt_claim_sub;
        proxy_pass http://backend;
        
        access_log /var/log/nginx/exist.log main_jwt;
    }

    location / {
        # This site is protected with OpenID Connect
        auth_jwt "" token=$session_jwt;
        error_page 401 = @do_oidc_flow;

        #auth_jwt_key_file $oidc_jwt_keyfile; # Enable when using filename
        auth_jwt_key_request /_jwks_uri; # Enable when using URL

        # Successfully authenticated users are proxied to the backend,
        # with 'sub' claim passed as HTTP header
        proxy_set_header Bearer $jwt_claim_sub;
        proxy_pass http://client;
        
        access_log /var/log/nginx/access.log main_jwt;
    }
}

The problem is that /_codexch is being passed to the client container instead of being processed in the nginx container. How do I fix that?

Thank you in advance!

Solution

  • I found my solution. The problem was that proxy_set_header Bearer $jwt_claim_sub; should be proxy_set_header Bearer $session_jwt;