DEV Community

ADITYA OKKE SUGIARSO
ADITYA OKKE SUGIARSO

Posted on

How to secure internal-authorization header

stack:
graphql
nginx
docker-compose

request flow diagram

Image description

nginx config to allowlist request from other service by using their internal IP

server {
    listen 7000;
    allow 10.101.0.01;
    # internal IP of service A
    deny all;


    location / {
        proxy_pass http://api-project-B:7000;
        # api-project-B is service name on docker-compose
        # 7000 is port used by the application on api-project-B service
    }
}
Enter fullscreen mode Exit fullscreen mode

if your user service and gateway service on 1 instance, and you need internal-authorization header implemented on user service, you can deny access to the user graphql URL so the client can only access to user graphql through gateway

server {
    listen 443 ssl http2;

    location / {
        proxy_pass http://api-gateway:5000;
    }
    # deny access to /user/graphql from client
    location /user/graphql {
        deny all;
    }
}
Enter fullscreen mode Exit fullscreen mode

Top comments (0)