Plain text token in config!
Sergey A. Osokin
osa at freebsd.org.ru
Thu Apr 8 19:43:30 UTC 2021
Hi Hugues,
hope you're doing well.
On Thu, Apr 08, 2021 at 02:58:01PM -0400, bouvierh wrote:
> Hello!
>
> I currently use Nginx as a reverse proxy for my backend services.
>
> Nginx authenticates itself to the backend services using a Token that is
> generated by a process every 10 minutes and that process is writing the
> token in the config file and reloading nginx regularly:
>
> location / {
> proxy_set_header Authorization "PLAIN TEXT TOKEN WRITTEN BY PROCESS";
>
> proxy_pass https://backend;
> }
>
> I would like to avoid having a token in plain text. Is there a way to avoid
> that?
> I though of the following options:
> - Use env var: But that is impossible nginx doesn't support it
NGINX does support environment variables, please see details
http://nginx.org/en/docs/ngx_core_module.html#env
> - Query the token by having the process establish a local server. Could work
> but how can the process return the result as a variable to nginx?
That probably depends on how a response looks like. It's possible to
use NGINX JavaScript module to parse or modify a response.
> - Pass the config in memory instead of writing it to a file. Could be a
> simple option but I didn't find a way to do that.
Some tricks are available with NGINX Plus distribution because of the key-value
module, http://nginx.org/en/docs/http/ngx_http_keyval_module.html.
--
Sergey Osokin
More information about the nginx
mailing list