NGINX api getway authentication & authorization

loadbalancer.conf

upstream App1 {
  server 127.0.01:5001;
  server 127.0.01:5002;
  server 127.0.01:5003;
}

server {
    listen 80;
    listen [::]:80;
    server_name apidev.qwerty.id;
    server_tokens off;
    client_max_body_size 100M;
    
    location /.well-known/acme-challenge/ {
        root /var/www/certbot;
    }

    location / {
        return 301 https://$host$request_uri;
    }
    
}

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name apidev.qwerty.id;
    server_tokens off;
    client_max_body_size 100M;
    
    if ($host != "apidev.qwerty.id") {
     return 404;
    }

    ssl_certificate /etc/letsencrypt/live/apidev.qwerty.id/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/apidev.qwerty.id/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;

    location / {
        proxy_pass http://App1;
        proxy_set_header    Host                $http_host;
        proxy_set_header    X-Real-IP           $remote_addr;
        proxy_set_header    X-Forwarded-For     $proxy_add_x_forwarded_for;
    }
}

loadbalancer2

upstream nodejs {
   least_conn;
    server localhost:5001;
    server 10.104.0.6:5002;
}

server {
    listen 80;
    listen [::]:80;

    server_name x.kasisolusi.com;
    server_tokens off;
    client_max_body_size 100M;

    return 301 https://$server_name$request_uri;

}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    ssl_certificate         /etc/ssl/certs/cert.pem; #path to your public key
    ssl_certificate_key     /etc/ssl/private/cert.key; #path to your private key

    server_name x.kasisolusi.com;

    location / {
        proxy_pass http://nodejs;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_set_header    X-Real-IP           $remote_addr;
        proxy_set_header    X-Forwarded-For     $proxy_add_x_forwarded_for;
        # proxy_cache_bypass $http_upgrade;
        proxy_cache_bypass $http_pragma;
        proxy_cache_bypass $http_cache_control;
    }
}

NGINX _auth.conf

server {
    listen 80;
    listen [::]:80;
    server_name "";
    server_tokens off;
    client_max_body_size 100M;

    # Docs: https://nginx.org/en/docs/http/ngx_http_auth_request_module.html 
    location / {
        # Sebelum request masuk, akan melewati /auth terlebih dahulu
        # Jika response status = 200 : request akan diteruskan
        # Jika response status = 401 / 403 : request akan dihentikan
        auth_request /auth;
        
        # Mengambil header dari response /auth
        # misal res.setHeader('token', 'HALO SEMUA SAYA TOKEN HEHE');
        # auth_request_set $variable value
        # $upstream_http_namakeyheader => untuk mendapatkan header response auth
        auth_request_set $Token $upstream_http_token;
        
        # Set header 
        proxy_set_header keyname $Token;

        proxy_pass http://host.docker.internal:5001;
        proxy_set_header    Host                $http_host;
        proxy_set_header    X-Real-IP           $remote_addr;
        proxy_set_header    X-Forwarded-For     $proxy_add_x_forwarded_for;
    }

    # Middleware auth
    location = /auth {
        internal;
        proxy_pass http://host.docker.internal:5001/auth/verify/;
        proxy_pass_request_body off;
        proxy_set_header Content-Length "";
        proxy_set_header X-Real-Ip $remote_addr;
        proxy_set_header Authorization $http_authorization;
    }
}


# https://stackoverflow.com/questions/40431767/conditional-nginx-auth-request
# https://stackoverflow.com/questions/31431436/nginx-is-it-possible-to-get-response-retuned-from-auth-request
# https://stackoverflow.com/questions/51545971/nginx-microservices-authentication
# https://stackoverflow.com/questions/40645270/nginx-auth-request-handler-accessing-post-request-body