# Upstream pool for the authentication service; used by the /auth location and
# by the auth_request subrequest that proxies to /auth/validate.
upstream authService {
    # The server is marked unavailable for fail_timeout (1s) only after
    # max_fails (300) failed attempts inside that same 1s window.
    server auth-service:8000 max_fails=300 fail_timeout=1s;

    # Up to 512 idle upstream connections are cached per worker process.
    # NOTE(review): on nginx builds where proxy_http_version defaults to 1.0,
    # the pool is only used when the proxying location sets
    # `proxy_http_version 1.1;` and `proxy_set_header Connection "";`.
    keepalive 512;
}
# Upstream pool for the user service; every /users request ends up here.
upstream userService {
    # The server is marked unavailable for fail_timeout (1s) only after
    # max_fails (300) failed attempts inside that same 1s window.
    server user-service:8000 max_fails=300 fail_timeout=1s;

    # Up to 512 idle upstream connections are cached per worker process.
    # NOTE(review): on nginx builds where proxy_http_version defaults to 1.0,
    # the pool is only used when the proxying location sets
    # `proxy_http_version 1.1;` and `proxy_set_header Connection "";`.
    keepalive 512;
}
# Sets $is_whitelisted to 1 for the /users routes listed below and to 0 for
# everything else; the /users location tests this variable in an `if`.
#
# NOTE(review): $request_uri is the raw request target. It still contains the
# query string and is neither percent-decoded nor path-normalized, while
# location matching works on the normalized URI. The two can therefore
# disagree about the same request (for example, a whitelisted path with any
# query string appended is not matched here). Prefer matching on the
# normalized URI, or use dedicated locations.
# NOTE(review): every route listed here is reachable without a token, so the
# user service itself has to rate-limit them and avoid disclosing whether an
# account exists.
map $request_uri $is_whitelisted {
    default 0;
    ~^/users$ 1;
    ~^/users/reset-password$ 1;
    ~^/users/reset-password/[^/]+$ 1;
    ~^/users/verify-email/[^/]+$ 1;
    ~^/users/find$ 1;
    ~^/users/find/[^/]+$ 1;
}
# API gateway: routes /users and /auth to their services and guards /users
# with an auth_request subrequest.
server {
    # Plain HTTP on port 8080, IPv4 and IPv6.
    listen 8080;
    listen [::]:8080;
    server_name localhost;

    # CORS headers; `always` attaches them to every response status.
    # NOTE(review): browsers refuse credentialed (cookie / withCredentials)
    # requests when Access-Control-Allow-Origin is the `*` wildcard, so the
    # wildcard and Allow-Credentials true do not work together; return a
    # specific, allow-listed origin instead. `withCredentials` is a
    # client-side XHR/fetch flag, not a request header.
    # NOTE(review): add_header is inherited only by levels that declare no
    # add_header of their own, so the @unauthorized location below does not
    # receive these headers.
    add_header Access-Control-Allow-Origin * always;
    add_header Access-Control-Allow-Methods "GET, POST, OPTIONS" always;
    add_header Access-Control-Allow-Headers "Authorization, Content-Type, withCredentials" always;
    add_header Access-Control-Allow-Credentials true always;

    # Every OPTIONS request is answered with 204 at server level, before a
    # location is selected, so preflights reach neither upstream.
    if ($request_method = OPTIONS) {
        return 204;
    }

    location /users {
        # Intended shortcut: whitelisted URIs go straight to the user service.
        # NOTE(review): an `if` inside a location creates a nested
        # configuration that inherits the enclosing location's settings, so
        # the auth_request below is probably still applied to whitelisted
        # requests; verify, or replace the `if` with separate locations.
        if ($is_whitelisted) {
            proxy_pass http://userService;
            break;
        }

        # All other /users requests must pass the auth subrequest first.
        # $auth_status is captured here but not read anywhere in this block.
        auth_request auth-validate;
        auth_request_set $auth_status $upstream_status;
        # NOTE(review): unlike /auth, no X-Real-IP / X-Forwarded-For headers
        # are forwarded to the user service.
        proxy_pass http://userService;
    }

    # Target of the auth_request subrequest; `internal` hides it from clients.
    # NOTE(review): the name has no leading slash, whereas the nginx
    # documentation uses an absolute path such as `location = /auth`; confirm
    # it resolves as intended.
    # NOTE(review): the request body is discarded for auth subrequests; the
    # documented pattern also sets `proxy_pass_request_body off;` and
    # `proxy_set_header Content-Length "";`, both missing here.
    location auth-validate {
        internal;
        proxy_pass http://authService/auth/validate;
        proxy_method POST;
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }

    # Public pass-through to the auth service.
    # $http_host forwards the client-supplied Host header verbatim, and
    # $proxy_add_x_forwarded_for appends $remote_addr to whatever
    # X-Forwarded-For the client sent, so the upstream should trust only
    # X-Real-IP or the last X-Forwarded-For entry.
    location /auth {
        proxy_pass http://authService;
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }

    # Named location that returns a plain 401 body.
    # NOTE(review): nothing in this server block routes to it (there is no
    # `error_page 401 = @unauthorized;`). add_header without `always` is not
    # applied to a 401, and it adds a header rather than setting the
    # response type; `default_type text/plain;` is the usual way to type a
    # `return` body.
    location @unauthorized {
        return 401 'Unauthorized';
        add_header Content-Type text/plain;
    }
}
`if` вообще не нужна и, как вы уже сами могли убедиться, даже вредна. Избавиться от неё можно, например, через дополнительный `location`:
# Default for everything under /users: the request is proxied to the user
# service only after the auth subrequest succeeds.
location /users {
    auth_request auth-validate;
    # Captures the subrequest's upstream status for later use.
    auth_request_set $auth_status $upstream_status;
    proxy_pass http://userService;
}
# Public routes: /users, /users/find[/<id>], /users/reset-password[/<token>]
# and /users/verify-email/<token>.
# A matching regex location takes precedence over the plain `/users` prefix
# location, so these requests never hit auth_request. Matching is done on the
# normalized URI (percent-decoded, without the query string), and the pattern
# is anchored at both ends; keep it that way, since anything it matches is
# served unauthenticated.
location ~ ^/users(?:/(?:find|reset-password)(?:/[^/]+)?|/verify-email/[^/]+)?$ {
    proxy_pass http://userService;
}
# Default for everything under /users: the request is proxied to the user
# service only after the auth subrequest succeeds.
location /users {
    auth_request auth-validate;
    # Captures the subrequest's upstream status for later use.
    auth_request_set $auth_status $upstream_status;
    proxy_pass http://userService;
}
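# Public /users routes that are served without authentication.
# A `location` directive accepts exactly one pattern, so each whitelisted
# route gets its own block (listing several patterns in one directive is a
# configuration error). A matching regex location takes precedence over the
# plain `/users` prefix location, and matching is done on the normalized URI
# (percent-decoded, without the query string). Keep every pattern anchored
# with ^ and $: anything matched here bypasses auth_request.
location ~ ^/users$ {
    proxy_pass http://userService;
}
location ~ ^/users/reset-password$ {
    proxy_pass http://userService;
}
location ~ ^/users/reset-password/[^/]+$ {
    proxy_pass http://userService;
}
location ~ ^/users/verify-email/[^/]+$ {
    proxy_pass http://userService;
}
location ~ ^/users/find$ {
    proxy_pass http://userService;
}
location ~ ^/users/find/[^/]+$ {
    proxy_pass http://userService;
}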
`map` больше не требуется, конфигурация имеет более однозначный вид и содержит меньше строк.