=encoding utf-8

=head1 NAME

ngx_http_internal_redirect_module - Module ngx_http_internal_redirect_module

=head1

The C<ngx_http_internal_redirect_module> module (1.23.4) allows
making an internal redirect.
In contrast to
L<rewriting URIs|ngx_http_rewrite_module>,
the redirection is made after checking
L<request|ngx_http_limit_req_module> and
L<connection|ngx_http_limit_conn_module> processing limits,
and L<access|ngx_http_access_module> limits.

B<NOTE>

This module is available as part of our
commercial subscription.

=head1 Example Configuration


    limit_req_zone $jwt_claim_sub zone=jwt_sub:10m rate=1r/s;

    server {
        location / {
            auth_jwt          "realm";
            auth_jwt_key_file key.jwk;

            internal_redirect @rate_limited;
        }

        location @rate_limited {
            internal;

            limit_req  zone=jwt_sub burst=10;
            proxy_pass http://backend;
        }
    }


The example implements
L<per-user|https://datatracker.ietf.org/doc/html/rfc7519#section-4.1.2>
L<rate limiting|ngx_http_limit_req_module>.
An implementation without C<internal_redirect>
is vulnerable to DoS attacks by unsigned JWTs, because the
L<limit_req|ngx_http_limit_req_module>
check is normally performed
L<before|development_guide>
the L<auth_jwt|ngx_http_auth_jwt_module> check.
Using C<internal_redirect>
allows reordering these checks.

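
For comparison, the single-location form that the paragraph above warns about, shown as an added example that is not part of the original nginx documentation. The zone, key file and backend names are reused from the example configuration.

```nginx
# Added illustration of the ordering problem, not from the nginx documentation.
# Zone, key file and upstream names are reused from the example configuration.
limit_req_zone $jwt_claim_sub zone=jwt_sub:10m rate=1r/s;

server {
    location / {
        # limit_req is checked before auth_jwt regardless of the order in
        # which the directives are written, so the rate-limit key
        # $jwt_claim_sub comes from a token whose signature has not been
        # verified yet.
        limit_req         zone=jwt_sub burst=10;

        auth_jwt          "realm";
        auth_jwt_key_file key.jwk;

        proxy_pass        http://backend;
    }
}
```

With C<internal_redirect>, the rate limit is evaluated in C<@rate_limited> only after C<auth_jwt> has accepted the token in C<location />.
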

=head1 Directives

=head2 internal_redirect

B<syntax:> internal_redirect I<I<C<uri>>>

B<context:> I<server>

B<context:> I<location>

Sets the URI for internal redirection of the request.
It is also possible to use a
L<named location|ngx_http_core_module>
instead of the URI.
The I<C<uri>> value can contain variables.
If the I<C<uri>> value is empty,
then the redirect will not be made.