DEV Community

ADITYA OKKE SUGIARSO
How to secure internal-authorization header

stack:
graphql
nginx
docker-compose

request flow diagram

nginx config to allowlist requests from another service by its internal IP:

server {
    listen 7000;
    # internal IP of service A
    allow 10.101.0.1;
    deny all;

    location / {
        proxy_pass http://api-project-B:7000;
        # api-project-B is service name on docker-compose
        # 7000 is port used by the application on api-project-B service
    }
}

If your user service and gateway service run on one instance and the internal-authorization header is implemented on the user service, you can deny access to the user GraphQL URL so that clients can reach the user GraphQL endpoint only through the gateway:

server {
    listen 443 ssl http2;

    location / {
        proxy_pass http://api-gateway:5000;
    }
    # deny access to /user/graphql from client
    location /user/graphql {
        deny all;
    }
}
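The policy expressed by the two server blocks above, as an added example that is not code from the original post: a simplified Python model of nginx's first-match allow/deny rules and longest-prefix location selection, so the intended behaviour can be asserted in a test. The dictionary layout, the function names and the client address 203.0.113.9 are assumptions made for the illustration, and the service A address is written without its leading zero.

```python
import ipaddress

# Constructed from the two server blocks in the post (dict layout is hypothetical).
SERVICE_B = {"access": [("allow", "10.101.0.1"), ("deny", "all")],
             "locations": {"/": {"proxy_pass": "http://api-project-B:7000"}}}
EDGE = {"access": [],
        "locations": {"/": {"proxy_pass": "http://api-gateway:5000"},
                      "/user/graphql": {"access": [("deny", "all")]}}}


def access_allowed(rules, client_ip):
    """allow/deny rules are checked in order and the first match decides.

    client_ip stands for the peer address nginx sees on the connection.
    With no matching rule the request is allowed.
    """
    ip = ipaddress.ip_address(client_ip)
    for action, target in rules:
        if target == "all" or ip in ipaddress.ip_network(target, strict=False):
            return action == "allow"
    return True


def pick_location(locations, uri):
    """Longest matching prefix location; regex/exact locations and URI
    normalization are not modelled."""
    path = uri.split("?", 1)[0]
    return max((p for p in locations if path.startswith(p)), key=len, default=None)


def decide(server, client_ip, uri):
    """Return 403 when access rules reject the request, else the upstream."""
    conf = server["locations"].get(pick_location(server["locations"], uri), {})
    # Rules set on a location replace the ones inherited from the server level.
    rules = conf.get("access") or server["access"]
    if not access_allowed(rules, client_ip):
        return 403
    return conf.get("proxy_pass", 404)


if __name__ == "__main__":
    # Constructed sample requests: (server block, client address, URI).
    for server, ip, uri in [(SERVICE_B, "10.101.0.1", "/graphql"),
                            (SERVICE_B, "10.101.0.2", "/graphql"),
                            (EDGE, "203.0.113.9", "/user/graphql?query=x"),
                            (EDGE, "203.0.113.9", "/graphql")]:
        print(ip, uri, "->", decide(server, ip, uri))
```

Swapping the rule order to `deny all` followed by `allow` makes `access_allowed` reject service A as well, which is why the `allow` line has to come first.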
