nginx位置和Django auth

时间:2017-09-26 08:38:34

标签: django nginx nginx-location

我正在尝试根据查询字符串中的URL参数创建NGINX重定向。基本上有:

http://localhost/redirect/?url=https://www.google.it/search?dcr=0&source=hp&q=django&oq=django

location /redirect/ {
    proxy_cache STATIC;
    # cache status code 200 responses for 10 minutes
    proxy_cache_valid 200 1d;
    proxy_cache_revalidate on;
    proxy_cache_min_uses 3;
    # use the cache if there's a error on app server or it's updating from another request
    proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504;
    # don't let two requests try to populate the cache at the same time
    proxy_cache_lock on;

    # Strip out query param "timestamp"
    if ($args ~ (.*)&timestamp=[^&]*(.*)) {
      set $args $1$2;
    }

    return 302 $arg_url$args;
}

现在,只有经过Django身份验证的用户(JWT / Cookie)可以使用/redirect?url=端点,因此可以在不打开整个世界代理的情况下实现会话/ cookie检查吗?

无论如何,我可以在Django级别(https://github.com/mjumbewu/django-proxy/blob/master/proxy/views.py)进行此操作,但我认为它在NGINX级别更快且计算成本更低。

谢谢,

d

2 个答案:

答案 0 :(得分:0)

重定向&代理是不同的东西,为了获得django-proxy功能,你需要使用nginx反向代理选项而不是重定向。

# django-proxy code fragment
response = requests.request(request.method, url, **requests_args)
proxy_response = HttpResponse(
        response.content,
        status=response.status_code)

Nginx配置用于反向代理& AUTH

server {
    listen 80;
    server_name youtdomain.com;

    location / {
        # use django for authenticating request
        auth_request /django-app/;
        # a proxy to otherdomain
        proxy_pass http://otherdomain.com;
        proxy_set_header Host otherdomain.com;
    }

    location /django-app/{
        internal; # protect from public access
        proxy_pass http://django-app;
    }
}

Django应用应该为经过身份验证的用户200返回401状态代码,否则,您可以阅读有关auth_request的更多详细信息here

答案 1 :(得分:0)

基于之前的答案(谢谢!),这是解决方案:

http {
    upstream app_api {
    # server 172.69.0.10:8000;
    server api:8000;
    # fail_timeout=0 means we always retry an upstream even if it failed
    # to return a good HTTP response (in case the Unicorn master nukes a
    # single worker for timing out).
    # server unix:/var/www/gmb/run/gunicorn.sock fail_timeout=0;
  }

server {

    location = /auth {
      proxy_pass http://app_api/api-auth/login/;
      proxy_pass_request_body off;
      proxy_set_header Content-Length "";
      proxy_set_header X-Original-URI $request_uri;
    }

    location /redirect/ {
      auth_request /auth;

      proxy_cache STATIC;

      # cache status code 200 responses for 10 minutes
      proxy_cache_valid 200 1d;
      proxy_cache_revalidate on;
      proxy_cache_min_uses 3;
      # use the cache if there's a error on app server or it's updating from another request
      proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504;
      # don't let two requests try to populate the cache at the same time
      proxy_cache_lock on;

      # Strip out query param "timestamp"
      if ($args ~ (.*)&timestamp=[^&]*(.*)) {
        set $args $1$2;
      }
      return 302 $arg_url$args;
    }