
I'm using auth_request to use an external process to authenticate the client certificate in mTLS. The code is something similar to this:

    http {
        # ... http configuration ...

        server {
            listen 443 ssl;
            ssl_certificate /etc/nginx/server.crt;
            ssl_certificate_key /etc/nginx/server.key;
            ssl_verify_client optional_no_ca;

            location /protected/ {
                auth_request /auth;
                proxy_pass http://backend_service;
            }

            location = /auth {
                internal;
                proxy_pass http://auth_service/verify;
                proxy_set_header X-Client-Cert $ssl_client_escaped_cert;
                proxy_pass_request_body off;
                proxy_set_header Content-Length "";
                proxy_hide_header Set-Cookie;
                proxy_ignore_headers Set-Cookie;
                proxy_set_header Cookie "";
            }
        }
    }

To improve performance in the authentication phase, I wanted to use a cache in the /auth location. But I wonder what the correct and best cache key is here. I was thinking of using the following cache settings inside the /auth location:

    proxy_cache_valid 200 204 5m;
    proxy_cache_key "$ssl_client_fingerprint$request_method$request_uri";

Any idea if this is a good cache key? Any other suggestions here?

1
  • Your auth backend response definitely does not depend on the request URI (except for the fact that all protected URIs had the /protected/ prefix in common), and I highly doubt it depends on the request method either. I don't see any reason to use anything other than $ssl_client_fingerprint as the cache key. Commented Dec 2 at 3:54
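
The fingerprint-only key suggested in the comment above, written out as a configuration. This is an added example, not part of the original question or comment; the cache path, the zone name `auth_cache`, the sizes and the `$no_client_cert` map variable are assumptions.

```nginx
http {
    # Assumed path, zone name and sizes; adjust to the host.
    proxy_cache_path /var/cache/nginx/auth levels=1:2
                     keys_zone=auth_cache:1m max_size=16m inactive=10m;

    # With "ssl_verify_client optional_no_ca" a client may connect without a
    # certificate, and $ssl_client_fingerprint is then empty. Flag that case
    # so every certificate-less request does not share one cache entry.
    map $ssl_client_fingerprint $no_client_cert {
        ""      1;
        default 0;
    }

    server {
        listen 443 ssl;
        ssl_certificate     /etc/nginx/server.crt;
        ssl_certificate_key /etc/nginx/server.key;
        ssl_verify_client   optional_no_ca;

        location /protected/ {
            auth_request /auth;
            proxy_pass http://backend_service;
        }

        location = /auth {
            internal;
            proxy_pass http://auth_service/verify;
            proxy_set_header X-Client-Cert $ssl_client_escaped_cert;
            proxy_pass_request_body off;
            proxy_set_header Content-Length "";
            proxy_set_header Cookie "";
            proxy_hide_header Set-Cookie;

            proxy_cache auth_cache;
            # One entry per certificate. Adding $request_method$request_uri
            # would store the same verdict once per protected URL and method.
            proxy_cache_key $ssl_client_fingerprint;
            # Only success is cached; a denied certificate is re-checked on
            # every request. A cached 200 stays valid for the full 5m, so
            # this is also how long a revoked certificate keeps working.
            proxy_cache_valid 200 204 5m;
            # Backend caching headers would otherwise override the 5m above.
            proxy_ignore_headers Set-Cookie Cache-Control Expires X-Accel-Expires;
            # Never store or serve a cached verdict when no cert was sent.
            proxy_no_cache     $no_client_cert;
            proxy_cache_bypass $no_client_cert;
            # Collapse concurrent misses for one certificate into one call.
            proxy_cache_lock on;
        }
    }
}
```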
