Securing authenticated API calls with NGINX reverse proxy
First of all, apologies for being an Nginx newb. We utilize third-party APIs that require authentication and we want to secure the API key by setting up a reverse proxy in Nginx. I'm pretty sure I get how to set up this part - create a location, proxy_pass it to the third-party server and add in authentication headers.
However, even though the API key is secure, at this point any user has full access to the API through the front-end URL, is that right? How would I limit access to the proxied API to requests coming from the web server itself? Is adding a CORS header the correct solution here?
Part of my confusion is I'm not sure what is the 'origin' of an AJAX request in front-end code? Does it count as coming from the web server or from the user's computer, since code is executed in their browser?
nginx reverse-proxy
asked Apr 25 at 9:01
T Nguyen
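The setup described in the question, as an added example that is not part of the original post: the key is injected server side, and because AJAX requests are sent by the user's browser (CORS and the Origin header are enforced by browsers, not by nginx), the proxied path is narrowed and gated by a session check and a rate limit. Hostnames, certificate paths, the key and the /session/check endpoint are placeholders, and the config assumes nginx was built with ngx_http_auth_request_module.

```nginx
# Added example: every hostname, path and the key below is a placeholder.
# Assumes the site's own application exposes /session/check, returning 2xx
# only when the request carries a valid logged-in session cookie.

limit_req_zone $binary_remote_addr zone=api_per_ip:10m rate=5r/s;

server {
    listen 443 ssl;
    server_name www.example.com;                  # placeholder front-end host
    ssl_certificate     /etc/nginx/tls/site.crt;  # placeholder paths
    ssl_certificate_key /etc/nginx/tls/site.key;

    # Expose only the one upstream path the front end needs, not the whole API.
    location /api/thirdparty/search {
        limit_except GET { deny all; }            # read-only through the proxy
        auth_request /_session_check;             # 401/403 from the app blocks the call
        limit_req zone=api_per_ip burst=10 nodelay;

        proxy_pass https://api.thirdparty.example/v1/search;
        proxy_ssl_server_name on;                 # send SNI to the upstream
        proxy_set_header Host api.thirdparty.example;
        # The key is added here, server side, so it never reaches the browser.
        # Any Authorization header sent by the client is overwritten.
        proxy_set_header Authorization "Bearer REPLACE_WITH_API_KEY";
        proxy_set_header Cookie "";               # do not forward site cookies upstream
    }

    # Internal subrequest target used by auth_request above.
    location = /_session_check {
        internal;
        proxy_pass http://127.0.0.1:8080/session/check;  # hypothetical app endpoint
        proxy_pass_request_body off;
        proxy_set_header Content-Length "";
    }
}
```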