Docker Nginx 反向代理保护 Docker 容器

我有两个 docker 服务（一个 angular web-app 和一个 tomcat 后端），我想用第三个 docker 服务来保护它们，这是一个配置为反向代理的 nginx。我的代理配置工作正常，但我的反向代理也应该处理基本授权。当我通过反向代理配置使用基本身份验证保护我的 Angular 前端服务时，一切正常，但我的后端仍然对所有人公开。当我还向后端服务添加基本身份验证时，我遇到了问题，即我前端的基本身份验证配置标头未转发/添加到后端 REST 请求。是否可以配置nginx反向代理为前端发送的每个请求添加授权头。或者也许我想错了，有更好的解决方案？

这是我的 docker 和 nginx 配置：

反向代理配置：

worker_processes 1;

events { worker_connections 1024; }

http {

    sendfile on;

    upstream docker-nginx {
        server frontend-nginx:80;
    }

    upstream docker-tomcat {
        server backend-tomcat:8080;
    }

    map $upstream_http_docker_distribution_api_version $docker_distribution_api_version {
        '' 'registry/2.0';
    }

    server {
        listen 80;

        location / {

            auth_basic "Protected area";
            auth_basic_user_file /etc/nginx/conf.d/nginx.htpasswd;

            add_header 'Docker-Distribution-Api-Version' $docker_distribution_api_version always;

            proxy_pass         http://docker-nginx;
            proxy_redirect     off;
        }
    }

    server {
        listen 8080;

        location / {

            auth_basic "Protected area";
            auth_basic_user_file /etc/nginx/conf.d/nginx.htpasswd;

            add_header 'Docker-Distribution-Api-Version' $docker_distribution_api_version always;

            proxy_pass         http://docker-tomcat;
            proxy_redirect     off;
        }
    }

}

docker-compose（设置所有容器）：

version: '2.4'

services:
  reverse-proxy:
    container_name: reverse-proxy
    image: nginx:alpine
    volumes:
      - ./auth:/etc/nginx/conf.d
      - ./auth/nginx.conf:/etc/nginx/nginx.conf:ro
    ports:
      - "80:80"
      - "8080:8080"
    restart: always
    links:
      - registry:registry

  frontend-nginx:
    container_name: frontend
    build: './frontend'
    volumes:
      - /dockerdev/frontend/dist/:/usr/share/nginx/html
    depends_on:
          - reverse-proxy
          - bentley-tomcat
    restart: always

  backend-tomcat:
    container_name: backend
    build: './backend'
    volumes:
      - /data:/data
    depends_on:
      - reverse-proxy
    restart: always

  registry:
    image: registry:2
    ports:
      - 127.0.0.1:5000:5000
    volumes:
      - ./data:/var/lib/registry

前端 Dockerfile：

FROM nginx
COPY ./dist/ /usr/share/nginx/html
COPY ./fast-nginx-default.conf /etc/nginx/conf.d/default.conf

前端配置：

server {
  listen 80;
  sendfile on;
  default_type application/octet-stream;

  gzip on;
  gzip_http_version 1.1;
  gzip_disable      "MSIE [1-6]\.";
  gzip_min_length   256;
  gzip_vary         on;
  gzip_proxied      expired no-cache no-store private auth;
  gzip_types        text/plain text/css application/json application/javascript application/x-javascript text/xml application/xml application/xml+rss text/javascript;
  gzip_comp_level   9;

  root /usr/share/nginx/html;

  location / {
    try_files $uri $uri/ /index.html =404;
  }
}

后端 Dockerfile：

FROM openjdk:11
RUN mkdir -p /usr/local/bin/tomcat
COPY ./backend-0.0.1-SNAPSHOT.jar /usr/local/bin/tomcat/backend-0.0.1-SNAPSHOT.jar
WORKDIR /usr/local/bin/tomcat
CMD ["java", "-jar", "backend-0.0.1-SNAPSHOT.jar"]