apiauth.conf

set $authproxy http://auth-proxy:8080;

# All authorized api requests land here.
location = /api/index.php {
  alias $base_folder/api/index.php;
  try_files $uri =404;
  fastcgi_split_path_info ^(.+\.php)(/.+)$;
  fastcgi_pass 127.0.0.1:9001;
  fastcgi_index index.php;
  include /etc/nginx/fastcgi_params;
}

# All API requests begin here.
location ~ ^/api/(.+) {
  client_max_body_size 100M;
  auth_request /auth;
  auth_request_set $proxy_env $upstream_http_X_Environment;
  auth_request_set $auth_user $upstream_http_X_Username;
  auth_request_set $auth_key  $upstream_http_X_API_Key;
  auth_request_set $auth_idnt $upstream_http_X_UserID;
  root $base_folder;
  try_files $uri /api/index.php?api=true&$args&endpoint=$1;
}

# API requests get authorized here.
location = /auth {
  internal;
  proxy_pass_request_body off;
  proxy_set_header Content-Length "";
  proxy_set_header X-Original-URI $request_uri;
  proxy_set_header X-API-Key $incoming_api_key;
  proxy_set_header X-Server $http_X_Server;
  proxy_set_header X-Password $http_X_Password;
  proxy_set_header Host $host;
  proxy_pass $authproxy/auth;
}

# Requests that did not pass validation land here.
error_page 401 = @error401;

# If the user provided an invalid api key, give them an error page that tells them so.
location @error401 {
  set $auth_user -;
  set $auth_idnt -;
  more_set_headers "Content-Type: application/json";
  more_set_headers "X-Original-URI: ${request_uri}";
  return 401 '{"error": "invalid api key","key": "${incoming_api_key}"}';
}