Plain text token in config!

Sergey A. Osokin osa at freebsd.org.ru
Thu Apr 8 19:43:30 UTC 2021


Hi Hugues,

hope you're doing well.

On Thu, Apr 08, 2021 at 02:58:01PM -0400, bouvierh wrote:
> Hello!
> 
> I currently use Nginx as a reverse proxy for my backend services. 
> 
> Nginx authenticates itself to the backend services using a Token that is
> generated by a process every 10 minutes and that process is writing the
> token in the config file and reloading nginx regularly:
> 
> location / {
>     proxy_set_header    Authorization "PLAIN TEXT TOKEN WRITTEN BY PROCESS";
>          
>     proxy_pass https://backend;
>  }
> 
> I would like to avoid having a token in plain text. Is there a way to avoid
> that?
> I thought of the following options:
> - Use env var: But that is impossible, nginx doesn't support it

NGINX does support environment variables, please see details
http://nginx.org/en/docs/ngx_core_module.html#env

> - Query the token by having the process establish a local server. Could work
> but how can the process return the result as a variable to nginx?

That probably depends on what a response looks like.  It's possible to
use the NGINX JavaScript module to parse or modify a response.

> - Pass the config in memory instead of writing it to a file. Could be a
> simple option but I didn't find a way to do that.

Some tricks are available with the NGINX Plus distribution because of the key-value
module, http://nginx.org/en/docs/http/ngx_http_keyval_module.html.

-- 
Sergey Osokin
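
Added example, not part of the original message or of nginx's own code: one way to use the NGINX JavaScript module mentioned above so that the rotating token lives in a separate file read at request time, which keeps it out of nginx.conf and removes the need for a reload. The file path, module name, variable name and function names are assumptions.

```javascript
// Added example, not code from the thread. Hypothetical njs module "token.js".
// Assumed nginx wiring (paths and names are assumptions):
//   js_import token from conf.d/token.js;
//   js_set $backend_auth token.backendAuthorization;
//   location / {
//       proxy_set_header Authorization $backend_auth;
//       proxy_pass https://backend;
//   }
const fs = require('fs');

// Assumed location: a file only the token process writes and nginx workers read.
const TOKEN_FILE = '/run/nginx-backend/token';
const MAX_LEN = 4096;

// Accept a single line of printable ASCII; anything else (empty, CR/LF,
// control bytes, oversized) is rejected so a bad file cannot inject headers.
function parseToken(raw) {
    const value = String(raw).replace(/^\s+|\s+$/g, '');
    if (value.length === 0 || value.length > MAX_LEN) {
        return null;
    }
    return /^[\x20-\x7e]+$/.test(value) ? value : null;
}

// Read and validate the token file; null on any read or validation error.
function readToken(path) {
    try {
        return parseToken(fs.readFileSync(path, 'utf8'));
    } catch (e) {
        return null;
    }
}

// js_set handler: evaluated per request, so a rotated token needs no reload.
// An empty string makes nginx omit the header rather than forward a bad value.
function backendAuthorization(r) {
    const token = readToken(TOKEN_FILE);
    if (token === null) {
        r.error('backend token file missing or malformed');
        return '';
    }
    return token;
}

// In njs, end the file with:  export default { backendAuthorization };
```

The token process should replace the file atomically (write to a temporary name in the same directory, then rename) so a worker never reads a half-written token, and the file should be readable only by the nginx worker user.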

